SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1


 Noah Short
 1 years ago
 Views:
Transcription
1 SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1
2 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
3 Correct decryption requirement Formally: For all K and M we have Pr[D K (E K (M)) = M] = 1, where the probability is over the coins of E Mihir Bellare UCSD 3
4 Block cipher modes of operation E : {0,1} k {0,1} n {0,1} n a block cipher Notation: x[i] is the ith nbit block of a string x, so that x = x[1]...x[m] if x = nm. Always: Alg K K $ {0,1} k return K Mihir Bellare UCSD 4
5 Block cipher modes of operation Block cipher provides parties sharing K with M E K C which enables them to encrypt a 1block message. How do we encrypt a long message using a primitive that only applies to nbit blocks? Mihir Bellare UCSD 5
6 ECB: Electronic Codebook Mode SE = (K,E,D) where: Alg E K (M) for i = 1,...,m do C[i] E K (M[i]) return C Alg D K (C) for i = 1,...,m do M[i] E 1 K (C[i]) return M Correct decryption relies on E being a block cipher, so that E K is invertible Mihir Bellare UCSD 6
7 Security of ECB Weakness: M 1 = M 2 C 1 = C 2 Why is the above true? Because E K is deterministic: M 1 [1] M 1 [m] M 2 [1] M 2 [m] E K... E K E K... E K C 1 [1] C 1 [m] C 2 [1] C 2 [m] Why does this matter? Mihir Bellare UCSD 7
8 Security of ECB Suppose we know that there are only two possible messages, Y = 1 n and N = 0 n, for example representing FIRE or DON T FIRE a missile BUY or SELL a stock Vote YES or NO Then ECB algorithm will be E K (M) = E K (M). M E K C Mihir Bellare UCSD 8
9 Security of ECB Votes M 1,M 2 {Y,N} are ECB encrypted and adversary sees ciphertexts C 1 = E K (M 1 ) and C 2 = E K (M 2 ) M 1 M 2 E K E K C 1 C 2 Adversary may have cast the first vote and thus knows M 1 ; say M 1 = Y. Then adversary can figure out M 2 : If C 2 = C 1 then M 2 must be Y Else M 2 must be N Mihir Bellare UCSD 9
10 Is this avoidable? Let SE = (K,E,D) be ANY encryption scheme. Suppose M 1,M 2 {Y,N} and Sender sends ciphertexts C 1 E K (M 1 ) and C 2 E K (M 2 ) Adversary A knows that M 1 = Y Adversary says: If C 2 = C 1 then M 2 must be Y else it must be N. Does this attack work? Mihir Bellare UCSD 10
11 Is this avoidable? Let SE = (K,E,D) be ANY encryption scheme. Suppose M 1,M 2 {Y,N} and Sender sends ciphertexts C 1 E K (M 1 ) and C 2 E K (M 2 ) Adversary A knows that M 1 = Y Adversary says: If C 2 = C 1 then M 2 must be Y else it must be N. Does this attack work? Yes, if E is deterministic. Mihir Bellare UCSD 11
12 Randomized encryption For encryption to be secure it must be randomized That is, algorithm E K flips coins. If the same message is encrypted twice, we are likely to get back different answers. That is, if M 1 = M 2 and we let then $ $ C 1 E K (M 1 ) and C 2 E K (M 2 ) Pr[C 1 = C 2 ] will (should) be small, where the probability is over the coins of E. Mihir Bellare UCSD 12
13 Randomized encryption There are many possible ciphertexts corresponding to each message. If so, how can we decrypt? We will see examples soon. C 1 C 2 M E K D K M C s Mihir Bellare UCSD 13
14 Randomized encryption A fundamental departure from classical and conventional notions of encryption. Clasically, encryption (e.g., substitution cipher) is a code, associating to each message a unique ciphertext. Now, we are saying no such code is secure, and we look to encryption mechanisms which associate to each message a number of different possible ciphertexts. Mihir Bellare UCSD 14
15 CBC$: Cipher Block Chaining with random IV mode SE = (K,E,D) where: Alg E K (M) $ C[0] {0,1} n for i = 1,...,m do C[i] E K (M[i] C[i 1]) return C Alg D K (C) for i = 1,...,m do M[i] E 1 K (C[i]) C[i 1] return M Correct decryption relies on E being a block cipher. Mihir Bellare UCSD 15
16 CTR$ mode If X {0,1} n and i N then X +i denotes the nbit string formed by converting X to an integer, adding i modulo 2 n, and converting the result back to an nbit string. Alg E K (M) $ C[0] {0,1} n for i = 1,...,m do P[i] E K (C[0]+i) C[i] P[i] M[i] return C Alg D K (C) for i = 1,...,m do P[i] E K (C[0]+i) M[i] P[i] C[i] return M Mihir Bellare UCSD 16
17 CTR$ mode Alg E K (M) $ C[0] {0,1} n for i = 1,...,m do P[i] E K (C[0]+i) C[i] P[i] M[i] return C Alg D K (C) for i = 1,...,m do P[i] E K (C[0]+i) M[i] P[i] C[i] return M D does not use E 1 K! So one can run CTR$ with a PRF that is not a blockcipher. Encryption and Decryption are parallelizable. Mihir Bellare UCSD 17
18 Voting with CBC$ Suppose we encrypt M 1,M 2 {Y,N} with CBC$. M 1 M 2 E K E K {0,1} n $ C 1 [0] C 1 [1] {0,1} n $ C 2 [0] C 2 [1] Adversary A sees C 1 = C 1 [0]C 1 [1] and C 2 = C 2 [0]C 2 [1]. Suppose A knows that M 1 = Y. Can A determine whether M 2 = Y or M 2 = N? Mihir Bellare UCSD 18
19 Voting with CBC$ Suppose we encrypt M 1,M 2 {Y,N} with CBC$. M 1 M 2 E K E K {0,1} n $ C 1 [0] C 1 [1] {0,1} n $ C 2 [0] C 2 [1] Adversary A sees C 1 = C 1 [0]C 1 [1] and C 2 = C 2 [0]C 2 [1]. Suppose A knows that M 1 = Y. Can A determine whether M 2 = Y or M 2 = N? NO! Mihir Bellare UCSD 19
20 Assessing security So CBC$ is better than ECB. But is it secure? CBC$ is widely used so knowing whether it is secure is important To answer this we first need to decide and formalize what we mean by secure. Mihir Bellare UCSD 20
21 Security requirements Suppose sender computes $ $ C 1 E K (M 1 ); ; C q E K (M q ) Adversary A has C 1,...,C q What if A Retrieves K Bad! Retrieves M 1 Bad! But also we want to hide all partial information about the data stream, such as Does M 1 = M 2? What is first bit of M 1? What is XOR of first bits of M 1,M 2? Something we won t hide: the length of the message Mihir Bellare UCSD 21
22 What we seek We want a single master property MP of an encryption scheme such that MP can be easily specified We can evaluate whether a scheme meets it MP implies ALL the security conditions we want: it guarantees that a ciphertext reveals NO partial information about the plaintext. Mihir Bellare UCSD 22
23 Intuition for definition of INDCPA The master property MP is called INDCPA (indistinguishability under chosen plaintext attack). Consider encrypting one of two possible message streams, either or M 1 0,...,Mq 0 M 1 1,...,M q 1 Adversary, given ciphertexts and both data streams, has to figure out which of the two streams was encrypted. Mihir Bellare UCSD 23
24 Games for indcpaadvantage of an adversary A Let SE = (K,E,D) be an encryption scheme Game Left SE procedure Initialize K $ K procedure LR(M 0,M 1 ) Return C $ E K (M 0 ) Game Right SE procedure Initialize K $ K procedure LR(M 0,M 1 ) Return C $ E K (M 1 ) Associated to SE, A are the probabilities [ ] Pr Left A SE 1 [ ] Pr Right A SE 1 that A outputs 1 in each world. The (indcpa) advantage of A is ] ] Adv indcpa SE (A) = Pr [Right A SE 1 Pr [Left A SE 1 Mihir Bellare UCSD 24
25 The measure of success Adv indcpa SE (A) 1 means A is doing well and SE is not indcpasecure. Adv indcpa SE (A) 0 (or 0) means A is doing poorly and SE resists the attack A is mounting. Adversary resources are its running time t and the number q of its oracle queries, the latter representing the number of messages encrypted. Security: SE is INDCPAsecure if Adv indcpa SE (A) is small for ALL A that use practical amounts of resources. Insecurity: SE is not INDCPAsecure if we can specify an explicit A that uses few resources yet achieves high indcpaadvantage. Mihir Bellare UCSD 25
26 ECB is not INDCPAsecure Let E : {0,1} k {0,1} n {0,1} n be a block cipher. Recall that ECB mode defines symmetric encryption scheme SE = (K,E,D) with Can we design A so that is close to 1? E K (M) = E K (M[1])E K (M[2]) E K (M[m]) ] ] Adv indcpa SE (A) = Pr [Right A SE 1 Pr [Left A SE 1 Mihir Bellare UCSD 26
27 ECB is not INDCPAsecure Let E : {0,1} k {0,1} n {0,1} n be a block cipher. Recall that ECB mode defines symmetric encryption scheme SE = (K,E,D) with Can we design A so that is close to 1? E K (M) = E K (M[1])E K (M[2]) E K (M[m]) ] ] Adv indcpa SE (A) = Pr [Right A SE 1 Pr [Left A SE 1 Exploitable weakness of SE: M 1 = M 2 implies E K (M 1 ) = E K (M 2 ). Mihir Bellare UCSD 27
28 ECB is not INDCPAsecure Let E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n,0 n ); C 2 LR(1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Mihir Bellare UCSD 28
29 Right game analysis E is defined by E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n,0 n ); C 2 LR(1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Game Right SE procedure Initialize K $ K procedure LR(M 0,M 1 ) Return E K (M 1 ) Then [ ] Pr Right A SE 1 = Mihir Bellare UCSD 29
30 Right game analysis E is defined by E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n,0 n ); C 2 LR(1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Game Right SE procedure Initialize K $ K procedure LR(M 0,M 1 ) Return E K (M 1 ) Then [ ] Pr Right A SE 1 = 1 because C 1 = E K (0 n ) and C 2 = E K (0 n ). Mihir Bellare UCSD 30
31 Left game analysis E is defined by E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n,0 n ); C 2 LR(1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Game Left SE procedure Initialize K $ K procedure LR(M 0,M 1 ) Return E K (M 0 ) Then [ ] Pr Left A SE 1 = Mihir Bellare UCSD 31
32 Left game analysis E is defined by E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n,0 n ); C 2 LR(1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Game Left SE procedure Initialize K $ K procedure LR(M 0,M 1 ) Return E K (M 0 ) Then [ ] Pr Left A SE 1 = 0 because C 1 = E K (0 n ) E K (1 n ) = C 2. Mihir Bellare UCSD 32
33 ECB is not INDCPA secure adversary A C 1 LR(0 n,0 n ); C 2 LR(1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Adv indcpa SE (A) = = 1 1 { [ }} ]{ { [ }} ]{ Pr Right A SE = 1 Pr Right A SE = 1 And A is very efficient, making only two queries. Thus ECB is not INDCPA secure. 0 Mihir Bellare UCSD 33
34 Exercise Let SE = (K,E,D) be any symmetric encryption scheme for which E is deterministic. Show that SE is not INDCPA secure by giving pseudocode for an efficient adversary A that achieves Adv indcpa SE (A) = 1. Assume the message space is some nonempty subset of {0,1} with the property that if M is a legitimate message then so is any other string of length M. Mihir Bellare UCSD 34
35 Exercise: Setup Let K be the keygeneration algorithm that returns a random 128bit string as the key K. Define Alg E K (M) R $ {0,1} 128 ; M[1]...M[m] M; C[0] R for i = 1,...,m do W[i] (R +i) mod ; C[i] AES K (M[i] W[i]) C C[0]C[1]...C[n]; Return C Above W[i] (R +i) mod means we regard R as an interger, add i to it, take the result modulo 2 128, view this as a 128bit string, and assign it to W[i]. The message space is the set of all strings whose length is a positive multiple of 128. Mihir Bellare UCSD 35
36 Exercise: Questions 1. Specify a decryption algorithm D such that SE = (K,E,D) is a symmetric encryption scheme satisfying the correct decryption condition. 2. Show that this scheme is insecure by presenting a practical adversary A such that Adv indcpa SE (A) is high. State the value of the advantage achieved by your adversary and the number of oracle queries it makes. Your adversary for 2. should as usual be specified in clear pseudocode, not in a text description. There should be a succinct analysis justifying the claimed advantage. Mihir Bellare UCSD 36
37 Why is INDCPA the master property? We claim that if encryption scheme SE = (K,E,D) is INDCPA secure then the ciphertext hides ALL partial information about the plaintext. $ $ For example, from C 1 E K (M 1 ) and C 2 E K (M 2 ) the adversary cannot get M 1 get 1st bit of M 1 get XOR of the 1st bits of M 1,M 2 etc. Exercise: State and prove such claims formally. This could be a quiz question! Mihir Bellare UCSD 37
38 Birthday attack on CTR$ Let E : {0,1} k {0,1} n {0,1} n be a blockcipher and SE = (K,E,D) the corresponding CTR$ symmetric encryption scheme. Suppose 1block messages M 0,M 1 are encrypted: $ $ C 0 [0]C 0 [1] E(K,M 0 ) C 1 [0]C 1 [1] E(K,M 1 ) Let us say we are lucky If C 0 [0] = C 1 [0]. If so: C 0 [1] = C 1 [1] if and only if M 0 = M 1 So if we are lucky we can detect message equality and violate INDCPA. Mihir Bellare UCSD 38
39 Birthday attack on CTR$ Let 1 q < 2 n be a parameter and let i be integer i encoded as an nbit string. adversary A for i = 1,...,q do C i [0]C i $ [1] LR( i, 0 ) S {(j,l): C j [0] = C l [0] and j < l} If S, then (j,l) S $ If C j [1] = C l [1] then return 1 return 0 Mihir Bellare UCSD 39
40 Birthday attack on CTR$: Right game analysis adversary A for i = 1,...,q do C i [0]C i $ [1] LR( i, 0 ) S {(j,l): C j [0] = C l [0] and j < l} If S, then (j,l) S $ If C j [1] = C l [1] then return 1 return 0 Game Right SE procedure Initialize K $ K procedure LR(M 0,M 1 ) $ C[0] {0,1} n P E(K,C[0]+1) C[1] P M 1 Return C[0]C[1] If C j [0] = C l [0] (lucky) then C j [1] = 0 E K (C j [0]+1) = 0 E K (C l [0]+1) = C l [1] so [ ] Pr Right A SE 1 = Pr[S ] = C(2 n,q) Mihir Bellare UCSD 40
41 Birthday attack on CTR$: Left game analysis adversary A for i = 1,...,q do C i [0]C i $ [1] LR( i, 0 ) S {(j,l): C j [0] = C l [0] and j < l} If S, then (j,l) S $ If C j [1] = C l [1] then return 1 return 0 Game Left SE procedure Initialize K $ K procedure LR(M 0,M 1 ) $ C[0] {0,1} n P E(K,C[0]+1) C[1] P M 0 Return C[0]C[1] If C j [0] = C l [0] (lucky) then C j [1] = j E K (C j [0]+1) l E K (C l [0]+1) = C l [1] so [ ] Pr Left A SE 1 = 0. Mihir Bellare UCSD 41
42 Birthday attack on CTR$ ] ] Adv indcpa SE (A) = Pr [Right A SE 1 Pr [Left A SE 1 = C(2 n,q) q(q 1) 2 n Conclusion: CTR$ can be broken (in the INDCPA sense) in about 2 n/2 queries, where n is the block length of the underlying block cipher, regardless of the cryptanalytic strength of the block cipher. Mihir Bellare UCSD 42
43 Exercise The above attack on CTR$ uses 1block messages. Letting SE be the same scheme, give an adversary A that makes q LRqueries, each consisting of two mblock messages, and achieves ( Adv indcpa m 2 q 2 ) SE (A) = Ω The running time of A should be about O(mqn log(mqn)). 2 n Mihir Bellare UCSD 43
44 Security of CTR$ So far: A qquery adversary can break CTR$ with advantage q2 2 n+1 Question: Is there any better attack? Mihir Bellare UCSD 44
45 Security of CTR$ So far: A qquery adversary can break CTR$ with advantage q2 2 n+1 Question: Is there any better attack? Answer: NO! We can prove that the best qquery attack short of breaking the block cipher has advantage at most σ 2 2 n where σ is the total number of blocks encrypted. Example: If q 1block messages are encrypted then σ = q so the adversary advantage is not more than q 2 /2 n. For E = AES this means up to 2 64 blocks may be securely encrypted, which is good. Mihir Bellare UCSD 45
46 Security of CTR$ Theorem: [BDJR98] Let E : {0,1} k {0,1} n {0,1} n be a block cipher and SE = (K, E, D) the corresponding CTR$ symmetric encryption scheme. Let A be an indcpa adversary against SE that has running time t and makes at most q LR queries, these totalling at most σ blocks. Then there is a prfadversary B against E such that Adv indcpa SE (A) 2 Adv prf σ2 E (B)+ 2 n Furthermore, B makes at most σ oracle queries and has running time t +Θ(σ n). Mihir Bellare UCSD 46
47 Intuition and proof We first give some intuition for the proof and then the proof itself. We assume for simplicity that A makes q = σ/m LR queries in each of which both messages are m blocks long. Extending the proof to the general case is an exercise. We let C i = C i [0]C i [1]...C i [m] denote the response of the LR oracle to A s ith query. Mihir Bellare UCSD 47
48 Intuition for INDCPA security of CTR$ Consider the CTR$ scheme with E K replaced by a random function Fn. Alg E Fn (M) $ C[0] {0,1} n for i = 1,...,m do P[i] Fn(C[0]+i) C[i] P[i] M[i] return C Analyzing this is a thought experiment, but we can ask whether it is INDCPA secure. If so, the assumption that E is a PRF says CTR$ with E is INDCPA secure. Mihir Bellare UCSD 48
49 CTR$ with a random function Let E be the event that the points C 1 [0]+1,...,C 1 [0]+m,...,C q [0]+1,...,C q [0]+m, on which Fn is evaluated across the q encryptions, are all distinct. Case 1: E happens. Then the encryption is a onetimepad: ciphertexts are random, independent strings, regardless of which message is encrypted. So A has zero advantage. Case 2: E doesn t happen. Then A may have high advantage but it does not matter because Pr[E] doesn t happen is small. (It is the small additive term in the theorem.) Mihir Bellare UCSD 49
50 Alternative formulation of advantage Let SE = (K,E,D) be a symmetric encryption scheme and A an adversary. Game Guess SE procedure Initialize K $ K; b $ {0,1} procedure LR(M 0,M 1 ) return C $ E K (M b ) procedure Finalize(b ) return (b = b ) ] Proposition: Adv indcpa SE (A) = 2 Pr [Guess A SE true 1. Proof: Observe Pr [ b = 1 b = 1 ] [ ] = Pr Right A SE 1 Pr [ b = 1 b = 0 ] [ ] = Pr Left A SE 1 Mihir Bellare UCSD 50
51 Proof of Proposition, continued [ ] Pr Guess A SE true = Pr [ b = b ] = Pr [ b = b b = 1 ] Pr[b = 1]+Pr [ b = b b = 0 ] Pr[b = 0] = Pr [ b = b b = 1 ] 1 2 +Pr[ b = b b = 0 ] 1 2 = Pr [ b = 1 b = 1 ] 1 2 +Pr[ b = 0 b = 0 ] 1 2 = Pr [ b = 1 b = 1 ] 1 2 +( 1 Pr [ b = 1 b = 0 ]) 1 2 = (Pr [ b = 1 b = 1 ] Pr [ b = 1 b = 0 ]) 2 = ( [ ] [ ]) 2 Pr Right A SE 1 Pr Left A SE 1 = Advindcpa SE (A). Mihir Bellare UCSD 51
52 A gameplaying proof The proof uses a sequence of games and invokes the fundamental lemma of game playing [BR96]. The games have the following Initialize and Finalize procedures: Initialize // G 0 b $ {0,1}; S K $ {0,1} k Initialize // G 1,G 2,G 3 b $ {0,1}; S Finalize // All games Return (b = b ) For brevity we omit writing these procedures explicitly in the games, but you should remember they are there. Also for brevity if G is a game and A is an adversary then we let Pr[G A ] = Pr[G A true] Mihir Bellare UCSD 52
53 Games G 0,G 1 for the proof Game G 0 procedure LR(M 0,M 1 ) $ C[0] {0,1} n for i = 1,...,m do P C[0]+i if P S then T[P] E K (P) C[i] T[P] M b [i] S S {P} return C Then [ ] Adv indcpa SE (A) = 2 Pr G0 A 1 Game G 1 procedure LR(M 0,M 1 ) $ C[0] {0,1} n for i = 1,...,m do P C[0]+i $ if P / S then T[P] {0,1} n C[i] T[P] M b [i] S S {P} return C Mihir Bellare UCSD 53
54 Analysis Clearly Pr[G A 0 ] = Pr[GA 1 ]+( Pr[G A 0 ] Pr[GA 1 ]). Claim 1: We can design prfadversary B so that Claim 2: Pr[G A 1 ] σ2 2 n+1 Given these, we have Adv indcpa SE (A) 2 Pr[G A 0 ] Pr[GA 1 ] Advprf E (B) ( ) σ2 2 n Adv prf E (B) = σ2 2 n +2 Advprf E (B) which proves the theorem. It remains to prove the claims. Mihir Bellare UCSD 54
55 Proof of Claim 1 adversary B b $ {0,1}; S b $ A LRSim if (b = b ) then return 1 else return 0 subroutine LRSim(M 0,M 1 ) $ C[0] {0,1} n for i = 1,...,m do P C[0]+i if P / S then T[P] Fn(P) C[i] T[P] M b [i] S S {P} return C Pr ] Pr [Real B E 1 ] [Rand B {0,1} n 1 [ ] = Pr G0 A [ ] = Pr G1 A Subtracting, we get Claim 1. Mihir Bellare UCSD 55
56 Where we are It remains to prove: Claim 2: Pr[G A 1 ] σ2 2 n+1 Mihir Bellare UCSD 56
57 Introducing the bad flag Game G 1 procedure LR(M 0,M 1) $ C[0] {0,1} n for i = 1,...,m do P C[0] +i If P / S then $ T[P] {0,1} n C[i] T[P] M b [i] S S {P} return C Game G 2, G 3 procedure LR(M 0,M 1) $ C[0] {0,1} n for i = 1,...,m do P C[0]+i $ C[i] {0,1} n If P S then bad true; C[i] T[P] M b [i] T[P] C[i] M b [i] S S {P} return C Pr[G A 1 ] = Pr[GA 2 ] = Pr[GA 3 ]+ ( Pr[G A 2 ] Pr[GA 3 ] ) Mihir Bellare UCSD 57
58 Analysis of G 3 Game G 3 procedure LR(M 0,M 1) $ C[0] {0,1} n for i = 1,...,m do $ P C[0] +i; C[i] {0,1} n If P S then bad true T[P] C[i] M b [i]; S S {P} return C Ciphertext C in G 3 is always random, independently of b, so [ ] Pr G3 A = 1 2. Mihir Bellare UCSD 58
59 Fundamental Lemma of game playing Games G, H are identicaluntilbad if their code differs only in statements following the setting of bad to true. Lemma: [BR96] If G,H are identicaluntilbad, then for any adversary A and any y [ ] [ ] [ ] Pr G A y Pr H A y Pr H A setsbad Mihir Bellare UCSD 59
60 Using the fundamental lemma Game G 2, G 3 procedure LR(M 0,M 1) $ C[0] {0,1} n for i = 1,...,m do $ P C[0] +i; C[i] {0,1} n If P S then bad true; C[i] T[P] M b [i] T[P] C[i] M b [i]; S S {P} return C G 2 and G 3 are identicaluntilbad, so Fundamental Lemma implies [ ] [ ] [ ] Pr G2 A Pr G3 A Pr G3 A setsbad. Mihir Bellare UCSD 60
61 Bounding the probability that G 3 sets bad Game G 3 procedure LR(M 0,M 1) $ C[0] {0,1} n for i = 1,...,m do $ P C[0] +i; C[i] {0,1} n If P S then bad true T[P] C[i] M b [i]; S S {P} return C ] Pr [G3 A setsbad q m i=1 = m2 q(q 1) 2 n+1 σ2 2 n+1 m(i 1) 2 n Mihir Bellare UCSD 61
62 Security of CTR$ Theorem: [BDJR98] Let E : {0,1} k {0,1} n {0,1} n be a block cipher and SE = (K, E, D) the corresponding CTR$ symmetric encryption scheme. Let A be an indcpa adversary against SE that has running time t and makes at most q LR queries, these totalling at most σ blocks. Then there is a prfadversary B against E such that Adv indcpa SE (A) 2 Adv prf σ2 E (B)+ 2 n Furthermore, B makes at most σ oracle queries and has running time t +Θ(σ n). Mihir Bellare UCSD 62
63 Security of CBC$ Let E : {0,1} k {0,1} n {0,1} n be a block cipher and SE = (K,E,D) the corresponding CBC$ symmetric encryption scheme. Exercise: Give an adversary A that makes q LRqueries, each consisting of two 1block messages, and achieves ( ) Adv indcpa q 2 SE (A) = Ω The running time of A should be about O(qn log(qn)). Can you generalize this to mblock messages? What is the best advantage you can get? 2 n Mihir Bellare UCSD 63
64 Security of CBC$ Theorem: [BDJR98] Let E : {0,1} k {0,1} n {0,1} n be a block cipher and SE = (K, E, D) the corresponding CBC$ symmetric encryption scheme. Let A be an indcpa adversary against SE that has running time t and makes at most q LR queries, these totalling at most σ blocks. Then there is a prfadversary B against E such that Adv indcpa SE (A) 2 Adv prf σ2 E (B)+ 2 n Furthermore, B makes at most σ oracle queries and has running time t +Θ(σ n). Exercise: Prove the above theorem. Mihir Bellare UCSD 64
Chapter 4. Symmetric Encryption. 4.1 Symmetric encryption schemes
Chapter 4 Symmetric Encryption The symmetric setting considers two parties who share a key and will use this key to imbue communicated data with various security attributes. The main security goals are
More informationProvableSecurity Analysis of Authenticated Encryption in Kerberos
ProvableSecurity Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 303320765
More informationASYMMETRIC (PUBLICKEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLICKEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A nontechnical account of the history of publickey cryptography and the colorful characters
More informationLecture 5  CPA security, Pseudorandom functions
Lecture 5  CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.
More informationCryptography CS 555. Topic 3: Onetime Pad and Perfect Secrecy. CS555 Spring 2012/Topic 3 1
Cryptography CS 555 Topic 3: Onetime Pad and Perfect Secrecy CS555 Spring 2012/Topic 3 1 Outline and Readings Outline Onetime pad Perfect secrecy Limitation of perfect secrecy Usages of onetime pad
More informationChapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes
Chapter 11 Asymmetric Encryption The setting of publickey cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret
More informationTalk announcement please consider attending!
Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically
More information1 Message Authentication
Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions
More informationCS 6903 Modern Cryptography February 20th, 2010
CS 6903 Modern Cryptography February 20th, 2010 Lecture 5: Constructions of Symmetric Encryption Scheme Instructor: Nitesh Saxena Scribe: SherinSyriac, AvisDsouza, SaiTeja Can we use the Pseudo Random
More informationAuthenticated Encryption: Relations among notions and analysis of the generic composition paradigm
An extended abstract of this paper appears in Tatsuaki Okamoto, editor, Advances in Cryptology ASIACRYPT 2000, Volume 1976 of Lecture Notes in Computer Science, pages 531 545, Kyoto, Japan, December 3
More informationLecture 9  Message Authentication Codes
Lecture 9  Message Authentication Codes Boaz Barak March 1, 2010 Reading: BonehShoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,
More informationAuthenticated encryption
Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu October 16th, 2013 Active attacks on CPAsecure encryption
More informationLecture 3: OneWay Encryption, RSA Example
ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: OneWay Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require
More informationCSA E0 235: Cryptography (29/03/2015) (Extra) Lecture 3
CSA E0 235: Cryptography (29/03/2015) Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Mayank Tiwari Review From our discussion of perfect secrecy, we know that the notion of perfect secrecy has
More informationLecture 9. Lecturer: Yevgeniy Dodis Spring 2012
CSCIGA.3210001 MATHGA.2170001 Introduction to Cryptography Macrh 21, 2012 Lecture 9 Lecturer: Yevgeniy Dodis Spring 2012 Last time we introduced the concept of Pseudo Random Function Family (PRF),
More informationLecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture  PRGs for one time pads
CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs
More informationUniversal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure PublicKey Encryption
Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure PublicKey Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical publickey
More informationAdvanced Cryptography
Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.
More informationVictor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract
Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart
More informationAuthenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre
Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense
More information1 Pseudorandom Permutations
Theoretical Foundations of Cryptography Lecture 9 Georgia Tech, Spring 2010 PRPs, Symmetric Encryption 1 Pseudorandom Permutations Instructor: Chris Peikert Scribe: Pushkar Tripathi In the first part of
More informationOverview of Cryptographic Tools for Data Security. Murat Kantarcioglu
UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the
More informationContents. Foundations of cryptography
Contents Foundations of cryptography Security goals and cryptographic techniques Models for evaluating security A sketch of probability theory and Shannon's theorem Birthday problems Entropy considerations
More informationShift Cipher. Ahmet Burak Can Hacettepe University. Substitution Cipher. Enigma Machine. How perfect secrecy can be satisfied?
One Time Pad, Block Ciphers, Encryption Modes Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr Basic Ciphers Shift Cipher Bruteforce attack can easily break Substitution Cipher Frequency analysis
More informationOn the Security of the CCM Encryption Mode and of a Slight Variant
On the Security of the CCM Encryption Mode and of a Slight Variant PierreAlain Fouque 1 and Gwenaëlle Martinet 2 and Frédéric Valette 3 and Sébastien Zimmer 1 1 École normale supérieure, 45 rue d Ulm,
More information1 Construction of CCAsecure encryption
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of secure encryption We now show how the MAC can be applied to obtain a secure encryption scheme.
More informationSecurity Analysis of DRBG Using HMAC in NIST SP 80090
Security Analysis of DRBG Using MAC in NIST SP 80090 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@ufukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator
More informationStream Ciphers. Example of Stream Decryption. Example of Stream Encryption. Real Cipher Streams. Terminology. Introduction to Modern Cryptography
Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers Stream Ciphers Start with a secret key ( seed ) Generate a keying stream ith bit/byte of keying stream is a function
More informationMidterm Exam Solutions CS161 Computer Security, Spring 2008
Midterm Exam Solutions CS161 Computer Security, Spring 2008 1. To encrypt a series of plaintext blocks p 1, p 2,... p n using a block cipher E operating in electronic code book (ECB) mode, each ciphertext
More informationError oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm
Error oracle attacks and CBC encryption Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Agenda 1. Introduction 2. CBC mode 3. Error oracles 4. Example 1 5. Example 2 6. Example 3 7. Stream ciphers
More informationModes of Operation of Block Ciphers
Chapter 3 Modes of Operation of Block Ciphers A bitblock encryption function f: F n 2 Fn 2 is primarily defined on blocks of fixed length n To encrypt longer (or shorter) bit sequences the sender must
More informationMACs Message authentication and integrity. Table of contents
MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and
More informationIdentityBased Encryption from the Weil Pairing
Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages
More informationCryptographic Agility and its Relation to Circular Encryption
Cryptographic Agility and its Relation to Circular Encryption Tolga Acar 1 Mira Belenkiy 2 Mihir Bellare 3 David Cash 4 Abstract We initiate a provablesecurity treatment of cryptographic agility. A primitive
More informationMAC. SKE in Practice. Lecture 5
MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve
More informationT Cryptology Spring 2009
T79.5501 Cryptology Spring 2009 Homework 2 Tutor : Joo Y. Cho joo.cho@tkk.fi 5th February 2009 Q1. Let us consider a cryptosystem where P = {a, b, c} and C = {1, 2, 3, 4}, K = {K 1, K 2, K 3 }, and the
More informationCryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53
Cryptography and Network Security, PART IV: Reviews, Patches, and Theory Timo Karvi 11.2012 Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Key Lengths I The old
More informationIntroduction to Security Proof of Cryptosystems
Introduction to Security Proof of Cryptosystems D. J. Guan November 16, 2007 Abstract Provide proof of security is the most important work in the design of cryptosystems. Problem reduction is a tool to
More informationMTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic
More informationMessage Authentication Codes 133
Message Authentication Codes 133 CLAIM 4.8 Pr[Macforge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomialtime adversary A who attacks the fixedlength MAC Π and succeeds in
More informationSymmetric Crypto MAC. PierreAlain Fouque
Symmetric Crypto MAC PierreAlain Fouque Birthday Paradox In a set of D elements, by picking at random D elements, we have with high probability a collision two elements are equal D=365, about 23 people
More informationThe Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)
The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication
More informationChapter 12. Digital signatures. 12.1 Digital signature schemes
Chapter 12 Digital signatures In the public key setting, the primitive used to provide data integrity is a digital signature scheme. In this chapter we look at security notions and constructions for this
More informationConcrete Security of the BlumBlumShub Pseudorandom Generator
Appears in Cryptography and Coding: 10th IMA International Conference, Lecture Notes in Computer Science 3796 (2005) 355 375. SpringerVerlag. Concrete Security of the BlumBlumShub Pseudorandom Generator
More informationLecture 13: Message Authentication Codes
Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts
More informationCryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs
Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a
More informationAuthentication and Encryption: How to order them? Motivation
Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in
More informationDiscrete Mathematics and Probability Theory Fall 2009 Satish Rao,David Tse Note 11
CS 70 Discrete Mathematics and Probability Theory Fall 2009 Satish Rao,David Tse Note Conditional Probability A pharmaceutical company is marketing a new test for a certain medical condition. According
More informationCiphertext verification security of symmetric encryption schemes
www.scichina.com info.scichina.com www.springerlink.com Ciphertext verification security of symmetric encryption schemes HU ZhenYu 1, SUN FuChun 1 & JIANG JianChun 2 1 National Laboratory of Information
More informationMultiRecipient Encryption Schemes: Efficient Constructions and their Security
This is the full version of the paper with same title that appeared in IEEE Transactions on Information Theory, Volume 53, Number 11, 2007. It extends the previously published versions Ku, BBS. MultiRecipient
More informationNetwork Security. Modes of Operation. Steven M. Bellovin February 3, 2009 1
Modes of Operation Steven M. Bellovin February 3, 2009 1 Using Cryptography As we ve already seen, using cryptography properly is not easy Many pitfalls! Errors in use can lead to very easy attacks You
More informationChapter 7. Message Authentication. 7.1 The setting
Chapter 7 Message Authentication In most people s minds, privacy is the goal most strongly associated to cryptography. But message authentication is arguably even more important. Indeed you may or may
More informationlundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal
Symmetric Crypto PierreAlain Fouque Birthday Paradox In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal N=365, about 23 people are
More informationStandard Security Does Not Imply Security Against SelectiveOpening
Standard Security Does Not mply Security Against SelectiveOpening Mihir Bellare, Rafael Dowsley, Brent Waters, Scott Yilek (UCSD, UCSD, UT Austin, U. of St. Thomas) Full version on ACR eprint archive
More informationKey Privacy for Identity Based Encryption
Key Privacy for Identity Based Encryption Internet Security Research Lab Technical Report 20062 Jason E. Holt Internet Security Research Lab Brigham Young University c 2006 Brigham Young University March
More informationOn the Security of CTR + CBCMAC
On the Security of CTR + CBCMAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBCMAC (CCM) encryption mode.
More informationReconsidering Generic Composition
Reconsidering Generic Composition Chanathip Namprempre Thammasat University, Thailand Phillip Rogaway University of California, Davis, USA Tom Shrimpton Portland State University, USA 1/24 What is the
More informationEfficient Constructions of VariableInputLength Block Ciphers
Efficient Constructions of VariableInputLength Block Ciphers Sarvar Patel 1, Zulfikar Ramzan 2 and Ganapathy S. Sundaram 1 1 Lucent Technologies {sarvar, ganeshs}@belllabs.com 2 DoCoMo Communications
More informationMultiInput Functional Encryption for Unbounded Arity Functions
MultiInput Functional Encryption for Unbounded Arity Functions Saikrishna Badrinarayanan, Divya Gupta, Abhishek Jain, and Amit Sahai Abstract. The notion of multiinput functional encryption (MIFE) was
More informationCryptography and Network Security Chapter 6
Cryptography and Network Security Chapter 6 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 6 Block Cipher Operation Many savages at the present day regard
More informationComputer Science A Cryptography and Data Security. Claude Crépeau
Computer Science 308547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308647A)
More informationCIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives
CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; DH key exchange; Hash functions; Application of hash
More informationRoadmap on symmetric ciphers
Roadmap on symmetric ciphers Lecture 01: Historical ciphers (badly broken) Lecture 02: OTP (the One Time Pad cipher) Perfect Secrecy (first notion of security) Stream ciphers (making OTP practical) PRG
More informationStronger Security Bounds for OMAC, TMAC and XCBC
Stronger Security Bounds for OMAC, MAC and XCBC etsu Iwata Kaoru Kurosawa Department of Computer and Information Sciences, Ibaraki University 4 1 1 Nakanarusawa, Hitachi, Ibaraki 3168511, Japan {iwata,
More informationDIGITAL SIGNATURES 1/1
DIGITAL SIGNATURES 1/1 Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob 2/1 Signing electronically Bank Internet SIGFILE } {{ } 101 1 ALICE Pay Bob $100 scan
More information1 Domain Extension for MACs
CS 127/CSCI E127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures KatzLindell Ÿ4.34.4 (2nd ed) and Ÿ12.012.3 (1st ed).
More informationMessage Authentication Code
Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBCMAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44
More informationNonceBased Symmetric Encryption
NonceBased Symmetric Encryption Phillip Rogaway Dept. of Computer Science, University of California, Davis, CA 95616, USA, and Dept. of Computer Science, Fac. of Science, Chiang Mai University, Chiang
More information1 Signatures vs. MACs
CS 120/ E177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. KatzLindell 10 1 Signatures vs. MACs Digital signatures
More informationSecurity Analysis for Order Preserving Encryption Schemes
Security Analysis for Order Preserving Encryption Schemes Liangliang Xiao University of Texas at Dallas Email: xll052000@utdallas.edu Osbert Bastani Harvard University Email: obastani@fas.harvard.edu ILing
More information1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.
1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks
More informationAnnouncements. CS243: Discrete Structures. More on Cryptography and Mathematical Induction. Agenda for Today. Cryptography
Announcements CS43: Discrete Structures More on Cryptography and Mathematical Induction Işıl Dillig Class canceled next Thursday I am out of town Homework 4 due Oct instead of next Thursday (Oct 18) Işıl
More informationOrderPreserving Encryption Revisited: Improved Security Analysis and Alternative Solutions
A preliminary version of this paper appears in Advances in Cryptology  CRYPTO 0, 3st Annual International Cryptology Conference, P. Rogaway ed., LNCS, Springer, 0. OrderPreserving Encryption Revisited:
More informationOverview of Symmetric Encryption
CS 361S Overview of Symmetric Encryption Vitaly Shmatikov Reading Assignment Read Kaufman 2.14 and 4.2 slide 2 Basic Problem   ? Given: both parties already know the same secret Goal: send
More informationNetwork security and all ilabs
Network security and all ilabs Modern cryptography for communications security part 1 Benjamin Hof hof@in.tum.de Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität
More informationCSC474/574  Information Systems Security: Homework1 Solutions Sketch
CSC474/574  Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a oneround Feistel cipher
More informationAESCOPA v.2. Designers/Submitters: Elena Andreeva 1,2, Andrey Bogdanov 3, Atul Luykx 1,2, Bart Mennink 1,2, Elmar Tischhauser 3, and Kan Yasuda 1,4
Submission to the CAESAR competition AESCOPA v.2 Designers/Submitters: Elena Andreeva 1,2, Andrey Bogdanov 3, Atul Luykx 1,2, Bart Mennink 1,2, Elmar Tischhauser 3, and Kan Yasuda 1,4 Affiliation: 1 Dept.
More informationHomework 7. Using the monoalphabetic cipher in Figure 8.3, encode the message This is an easy problem. Decode the message rmij u uamu xyj.
Problems: 1 to 11. Homework 7 Question: 1 Using the monoalphabetic cipher in Figure 8.3, encode the message This is an easy problem. Decode the message rmij u uamu xyj. This is an easy problem. > uasi
More informationLecture 2: Universality
CS 710: Complexity Theory 1/21/2010 Lecture 2: Universality Instructor: Dieter van Melkebeek Scribe: Tyson Williams In this lecture, we introduce the notion of a universal machine, develop efficient universal
More informationCapture Resilient ElGamal Signature Protocols
Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department
More informationIntroduction. Digital Signature
Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology
More informationDeveloping and Investigation of a New Technique Combining Message Authentication and Encryption
Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas ElQawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.
More informationPostQuantum Cryptography #4
PostQuantum Cryptography #4 Prof. Claude Crépeau McGill University http://crypto.cs.mcgill.ca/~crepeau/waterloo 185 ( 186 Attack scenarios Ciphertextonly attack: This is the most basic type of attack
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur Lecture No. #06 Cryptanalysis of Classical Ciphers (Refer
More information14.1 Rentorbuy problem
CS787: Advanced Algorithms Lecture 14: Online algorithms We now shift focus to a different kind of algorithmic problem where we need to perform some optimization without knowing the input in advance. Algorithms
More informationSimulationBased Security with Inexhaustible Interactive Turing Machines
SimulationBased Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik ChristianAlbrechtsUniversität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.unikiel.de
More informationReading 13 : Finite State Automata and Regular Expressions
CS/Math 24: Introduction to Discrete Mathematics Fall 25 Reading 3 : Finite State Automata and Regular Expressions Instructors: Beck Hasti, Gautam Prakriya In this reading we study a mathematical model
More informationIEEE P Wireless Sensor Interface Working Group. Security Proposal Revision 1.10
Document number: P1451.5Prop1_V1 IEEE P1451.5 Wireless Sensor Interface Working Group Security Proposal Revision 1.10 Updated 4/8/03 Prepared by: R. K. Coleman 3e Technologies International, Inc. 700
More informationFinite and discrete probability distributions
8 Finite and discrete probability distributions To understand the algorithmic aspects of number theory and algebra, and applications such as cryptography, a firm grasp of the basics of probability theory
More informationA Survey and Analysis of Solutions to the. Oblivious Memory Access Problem. Erin Elizabeth Chapman
A Survey and Analysis of Solutions to the Oblivious Memory Access Problem by Erin Elizabeth Chapman A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. #01 Lecture No. #10 Symmetric Key Ciphers (Refer
More informationChair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13
Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 13 Some More Secure Channel Issues Outline In the course we have yet only seen catastrophic
More informationSecurity Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012
Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database
More informationPublic Key Cryptography: RSA and Lots of Number Theory
Public Key Cryptography: RSA and Lots of Number Theory Public vs. PrivateKey Cryptography We have just discussed traditional symmetric cryptography: Uses a single key shared between sender and receiver
More informationLecture 15  Digital Signatures
Lecture 15  Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations  easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.
More informationThe Advanced Encryption Standard (AES)
The Advanced Encryption Standard (AES) All of the cryptographic algorithms we have looked at so far have some problem. The earlier ciphers can be broken with ease on modern computation systems. The DES
More informationCodeBased GamePlaying Proofs and the Security of Triple Encryption
CodeBased GamePlaying Proofs and the Security of Triple Encryption Mihir Bellare Phillip Rogaway February 27, 2006 (Draft 2.2) Abstract The gameplaying technique is a powerful tool for analyzing cryptographic
More informationCryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur
Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)
More informationCS 161 Computer Security
Song Spring 2015 CS 161 Computer Security Discussion 11 April 7 & April 8, 2015 Question 1 RSA (10 min) (a) Describe how to find a pair of public key and private key for RSA encryption system. Find two
More informationData Encryption A B C D E F G H I J K L M N O P Q R S T U V W X Y Z. we would encrypt the string IDESOFMARCH as follows:
Data Encryption Encryption refers to the coding of information in order to keep it secret. Encryption is accomplished by transforming the string of characters comprising the information to produce a new
More information