# 1 Pseudorandom Permutations

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 Theoretical Foundations of Cryptography Lecture 9 Georgia Tech, Spring 2010 PRPs, Symmetric Encryption 1 Pseudorandom Permutations Instructor: Chris Peikert Scribe: Pushkar Tripathi In the first part of this lecture we will discuss pseudorandom permutations. A function f : {0, 1} n {0, 1} n is said to be a permutation if and only if it is a bijection. Note that the PRFs considered in the previous lecture may not be permutations. (Exercise: construct a secure PRF family where the functions are not permutations.) 1.1 Definition Definition 1.1 (Pseudorandom permutation). A family of permutations {f s : {0, 1} n {0, 1} n } is a strong PRP family (also known as block cipher ) if it is: Efficiently computable: there is a deterministic polynomial-time algorithm F such that F (s, x) = f s (x) for all choices of seed s and input x {0, 1} n. Pseudorandom: For every n.u.p.p.t. A, [ ] Pr A f,f 1 (1 n ) = 1 f {f s} Pr F P({0,1} n ) [ A F,F 1 (1 n ) = 1] = negl(n). Here P({0, 1} n ) is the set of all permutations from {0, 1} n to {0, 1} n, and A f,f 1 denotes that the algorithm A has oracle access to both the function f and its inverse. Written more succinctly using oracle indistinguishability, f {fs } : f, f 1 c F P({0, 1} n ) : F, F 1. We say that the family is a weak PRP family if it is pseudorandom in the forward direction, i.e., if the pseudorandomness condition holds when the adversary is given oracle access to only f (or F ), and not their inverses. 1.2 Feistel Construction Perhaps surprisingly, a PRP family can be obtained from any PRF family (even though the functions in the PRF family may not themselves be permutations!). To accomplish this, we first show a way to obtain a permutation from any (length-preserving) function f; this process is called a Feistel round, after its inventor. (One can think of f as being drawn from a PRF family, though the Feistel construction makes no complexity assumption on f.) Definition 1.2. For a function f : {0, 1} n {0, 1} n, the Feistel function D f defined as follows: D f (L, R) = (R, L f(r)). : {0, 1} 2n {0, 1} 2n is Figure 1.2 gives a pictorial representation of this construction. 1

2 Note that for L and R as defined above, we have L = f(l ) R and R = L. Thus the function D f is invertible, and hence defines a bijection. Formally, we can write D 1 f = ρ D f ρ, where ρ(l, R) = (R, L). However, D f by itself does not define a PRF. This is because LEFT(D f (L, R)) = R for any L, R, which is rarely be the case for a truly random permutation. But what happens if we use two Fesitel rounds, each with a (possibly different) round function (see Figure??)? Unfortunately, two Feistel rounds also does not yield a PRP family. Consider arbitrary L 1, L 2, R {0, 1} n with L 1 L 2, and any function f : {0, 1} n {0, 1} n. We have RIGHT(D f (L 1, R)) = L 1 f(r) and RIGHT(D f (L 2, R)) = L 2 f(r). Taking the exclusive-or of both equations, we get RIGHT(D f (L 1, R)) RIGHT(D f (L 2, R)) = L 1 L 2. On the other hand, for a truly random permutation P, P(L 1, R) P(L 2, R) is the exclusive-or of two distinct random strings and its right half would equal L 1 L 2 with only negligible probability. Fortunately, all is not lost: we have the following theorem of Luby and Rackoff. Theorem 1.3 (Luby-Rackoff Theorem). Three rounds of the Feistel construction, each with a round function drawn independently from a PRF family, yields a weak PRP family. Moreover, four rounds yields a strong PRP family. 2

3 1.3 Historical Notes The Data Encryption Standard (DES) from 1977 is a Feistel construction, but with dependent and only weakly pseudorandom round functions. The Feistel idea predates any rigorous definitions or analysis. A large fraction of fast block ciphers use a Feistel network, though more recently designers have started using other structures. For example, the Advanced Encryption Standard (AES) is not based on a Feistel network. 2 Security for Shared-Key Encryption We now take the first steps towards building a secure shared-key (symmetric) encryption system. Before we proceed, recall the model for a shared-key cryptosystem, which is represented by a triple of algorithms (Gen, Enc, Dec), where Gen is a randomized algorithm that takes no input (aside from the implicit security parameter 1 n ), and outputs a key k in some (finite) set K. Enc k (m) = Enc(k, m) takes a key k K and message m M, and outputs a ciphertext c C. Dec k (c) = Dec(k, c) takes a key k K and ciphertext c C, and outputs a message m M. Also recall the definition of perfect secrecy. Definition 2.1. A shared-key encryption scheme (Gen, Enc, Dec) with message space M and ciphertext space C is perfectly secret if for all m 0, m 1 M and all c C, Pr [Enc k(m 0 ) = c] = Pr [Enc k(m 1 ) = c]. k Gen k Gen That is, the distributions of Enc k (m 0 ) and Enc k (m 1 ) are identical, over the choice of the key k Gen. 2.1 A Computational Analogue of Perfect Secrecy The definition of perfect secrecy suggests a natural analogue for the computational setting. Definition 2.2 (Single-message indistinguishability). An encryption scheme satisfies single-message indistinguishability if for all messages m 0, m 1 M, The following lemma follows immediately. {k Gen : Enc k (m 0 )} c {k Gen : Enc k (m 1 )}. Lemma 2.3. For a symmetric encryption scheme SKC, if {k Gen : Enc k (m)} is pseudorandom over C for every m M, then the scheme is single-message indistinguishable. Proof. Fix any two messages m 0, m 1 M. Using the definition of pseudorandomness, we have {Enc k (m 0 )} c {U(C)} c {Enc k (m 1 )}. By the hybrid lemma we have {Enc k (m 0 )} c {Enc k (m 1 )}, as desired. 3

4 Now we describe a symmetric encryption scheme, and use Lemma 2.3 to prove its one-message security. Let K = {0, 1} n be the keyspace, and let M = {0, 1} l(n) be the message space, where l(n) is a polynomial in n. Let G be a PRG with output length l(n). The following algorithms specify the encryption scheme. Gen outputs a uniformly random k {0, 1} n. Enc k (m) = Enc(k, m) outputs c = m G(k). Dec k (c) = Dec(k, c) outputs m = c G(k). Claim 2.4. For any m {0, 1} l(n), the distribution of ciphertexts {k Gen : Enc k (m)} produced by the above scheme is pseudorandom. Proof. {k Gen : Enc k (m)} {k {0, 1} n : m G(k)} (2.1) c { x U l(n) : m x } (2.2) { U l(n) }. (2.3) Equation (2.1) is by definition of the scheme. Equation (2.2) is true because G is a PRG, and by a trivial simulation. Equation (2.3) is by basic probability. Note that the scheme constructed above is good for encrypting only one message; it would fail completely if we encrypt two different messages using the same key. For example, consider m 0, m 1 M that are encrypted using the above scheme with the same key k K. Then we have Enc k (m 0 ) = m 0 G(k) and Enc k (m 1 ) = m 1 G(k). Taking the exclusive-or of these two ciphertexts, we get m 0 m 1. In many cases (such as when the two messages are English prose), this is enough information to recover the two messages completely! A possible way to counter the problem is to encrypt every message with a different key. But this would require the two communicating parties to have a large set of predecided secret keys. Alternatively, we might modify the encryption algorithm to append to its message a fresh key that would be used to encrypt the subsequent message (note that this is possible because the message length is longer than the key length, which is something we could not achieve with perfect secrecy). But this method also suffers from a drawback: the encryption and decryption algorithms are stateful. If even a single message fails to reach the receiver, it might cause the entire scheme to become out of sync. More fundamentally, though, before thinking about ways to securely encrypt multiple messages, we first need a definition of security that captures this intended mode of usage. 2.2 Multiple-Message Indistinguishability Definition 2.5 (Multi-message indistinguishability). An encryption scheme is multi-message indistinguishable if for tuples (m 0, m 1 m q ) M q and ( m 0, m 1 m q) M q where q = poly(n), we have (Enc k (m 0 ), Enc k (m 1 ) Enc k (m q )) c ( Enc k (m 0), Enc k (m 1) Enc k (m q) ), where both tuples are taken over k Gen and any randomness of Enc. Remark 2.6. For multi-message indistinguishability, if Enc is stateless, then it must be randomized. Otherwise, it would be trivial to distinguish between the encryptions of a tuple with identical messages and one without, since Enc k (m) would always produce the same ciphertext given the same message. 4

### 1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

### Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

### Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

### Post-Quantum Cryptography #4

Post-Quantum Cryptography #4 Prof. Claude Crépeau McGill University http://crypto.cs.mcgill.ca/~crepeau/waterloo 185 ( 186 Attack scenarios Ciphertext-only attack: This is the most basic type of attack

### Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

### Talk announcement please consider attending!

Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically

### 1 Construction of CCA-secure encryption

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

### Computational Soundness of Symbolic Security and Implicit Complexity

Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview

### Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

### Lecture 3: One-Way Encryption, RSA Example

ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

### MAC. SKE in Practice. Lecture 5

MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve

6.857 Computer and Network Security Fall Term, 1997 Lecture 4 : 16 September 1997 Lecturer: Ron Rivest Scribe: Michelle Goldberg 1 Conditionally Secure Cryptography Conditionally (or computationally) secure

### The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication

### Message Authentication Codes 133

Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in

Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

### Message Authentication Code

Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

### SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct

### Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense

### Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives Olivier Pereira Université catholique de Louvain ICTEAM Crypto Group B-1348, Belgium olivier.pereira@uclouvain.be

### Cryptography. Jonathan Katz, University of Maryland, College Park, MD 20742.

Cryptography Jonathan Katz, University of Maryland, College Park, MD 20742. 1 Introduction Cryptography is a vast subject, addressing problems as diverse as e-cash, remote authentication, fault-tolerant

### Lecture 11: The Goldreich-Levin Theorem

COM S 687 Introduction to Cryptography September 28, 2006 Lecture 11: The Goldreich-Levin Theorem Instructor: Rafael Pass Scribe: Krishnaprasad Vikram Hard-Core Bits Definition: A predicate b : {0, 1}

### Chapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes

Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret

### Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

### 1 Domain Extension for MACs

CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).

### Yale University Department of Computer Science

Yale University Department of Computer Science On Backtracking Resistance in Pseudorandom Bit Generation (preliminary version) Michael J. Fischer Michael S. Paterson Ewa Syta YALEU/DCS/TR-1466 October

### Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

### Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

### 1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

### Security Analysis of DRBG Using HMAC in NIST SP 800-90

Security Analysis of DRBG Using MAC in NIST SP 800-90 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@u-fukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator

### Proofs in Cryptography

Proofs in Cryptography Ananth Raghunathan Abstract We give a brief overview of proofs in cryptography at a beginners level. We briefly cover a general way to look at proofs in cryptography and briefly

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. #01 Lecture No. #10 Symmetric Key Ciphers (Refer

### Efficient Constructions of Variable-Input-Length Block Ciphers

Efficient Constructions of Variable-Input-Length Block Ciphers Sarvar Patel 1, Zulfikar Ramzan 2 and Ganapathy S. Sundaram 1 1 Lucent Technologies {sarvar, ganeshs}@bell-labs.com 2 DoCoMo Communications

### Security Analysis for Order Preserving Encryption Schemes

Security Analysis for Order Preserving Encryption Schemes Liangliang Xiao University of Texas at Dallas Email: xll052000@utdallas.edu Osbert Bastani Harvard University Email: obastani@fas.harvard.edu I-Ling

### Fuzzy Identity-Based Encryption

Fuzzy Identity-Based Encryption Janek Jochheim June 20th 2013 Overview Overview Motivation (Fuzzy) Identity-Based Encryption Formal definition Security Idea Ingredients Construction Security Extensions

### Overview of Symmetric Encryption

CS 361S Overview of Symmetric Encryption Vitaly Shmatikov Reading Assignment Read Kaufman 2.1-4 and 4.2 slide 2 Basic Problem ----- ----- -----? Given: both parties already know the same secret Goal: send

### Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

### Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm

Error oracle attacks and CBC encryption Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Agenda 1. Introduction 2. CBC mode 3. Error oracles 4. Example 1 5. Example 2 6. Example 3 7. Stream ciphers

### Lecture 2: Universality

CS 710: Complexity Theory 1/21/2010 Lecture 2: Universality Instructor: Dieter van Melkebeek Scribe: Tyson Williams In this lecture, we introduce the notion of a universal machine, develop efficient universal

### Authentication and Encryption: How to order them? Motivation

Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in

### Lecture 13: Message Authentication Codes

Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts

### CryptoVerif Tutorial

CryptoVerif Tutorial Bruno Blanchet INRIA Paris-Rocquencourt bruno.blanchet@inria.fr November 2014 Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 1 / 14 Exercise 1: preliminary definition SUF-CMA

### Cryptography and Network Security

Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 3: Block ciphers and DES Ion Petre Department of IT, Åbo Akademi University January 17, 2012 1 Data Encryption Standard

### MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

### Lecture 5 - Cryptography

CSE497b Introduction to Computer and Network Security - Spring 2007 - Professors Jaeger Lecture 5 - Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/

### Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

### The Data Encryption Standard (DES)

The Data Encryption Standard (DES) As mentioned earlier there are two main types of cryptography in use today - symmetric or secret key cryptography and asymmetric or public key cryptography. Symmetric

### Department Informatik. Privacy-Preserving Email Forensics. Technical Reports / ISSN 2191-5008. Frederik Armknecht, Andreas Dewald

Department Informatik Technical Reports / ISSN 2191-5008 Frederik Armknecht, Andreas Dewald Privacy-Preserving Email Forensics Technical Report CS-2015-03 April 2015 Please cite as: Frederik Armknecht,

### Cryptography. Lecture Notes from CS276, Spring 2009. Luca Trevisan Stanford University

Cryptography Lecture Notes from CS276, Spring 2009 Luca Trevisan Stanford University Foreword These are scribed notes from a graduate course on Cryptography offered at the University of California, Berkeley,

### Key Privacy for Identity Based Encryption

Key Privacy for Identity Based Encryption Internet Security Research Lab Technical Report 2006-2 Jason E. Holt Internet Security Research Lab Brigham Young University c 2006 Brigham Young University March

### VERIFIABLE SEARCHABLE SYMMETRIC ENCRYPTION

VERIFIABLE SEARCHABLE SYMMETRIC ENCRYPTION BY ZACHARY A. KISSEL B.S. MERRIMACK COLLEGE (2005) M.S. NORTHEASTERN UNIVERSITY (2007) SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF

### Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes

### Lecture 17: Re-encryption

600.641 Special Topics in Theoretical Cryptography April 2, 2007 Instructor: Susan Hohenberger Lecture 17: Re-encryption Scribe: Zachary Scott Today s lecture was given by Matt Green. 1 Motivation Proxy

### CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

### Identity-Based Encryption from the Weil Pairing

Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages

### Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53

Cryptography and Network Security, PART IV: Reviews, Patches, and Theory Timo Karvi 11.2012 Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Key Lengths I The old

### Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen - Huawei, Singapore Ye Zhang - Pennsylvania State University, USA Siu Ming

### Breaking An Identity-Based Encryption Scheme based on DHIES

Breaking An Identity-Based Encryption Scheme based on DHIES Martin R. Albrecht 1 Kenneth G. Paterson 2 1 SALSA Project - INRIA, UPMC, Univ Paris 06 2 Information Security Group, Royal Holloway, University

### MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

### Lecture 13 - Basic Number Theory.

Lecture 13 - Basic Number Theory. Boaz Barak March 22, 2010 Divisibility and primes Unless mentioned otherwise throughout this lecture all numbers are non-negative integers. We say that A divides B, denoted

### CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

### Factoring & Primality

Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount

### Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas El-Qawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No. # 11 Block Cipher Standards (DES) (Refer Slide

### Lecture 2: Complexity Theory Review and Interactive Proofs

600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography

### 1 Signatures vs. MACs

CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

### Multi-Input Functional Encryption for Unbounded Arity Functions

Multi-Input Functional Encryption for Unbounded Arity Functions Saikrishna Badrinarayanan, Divya Gupta, Abhishek Jain, and Amit Sahai Abstract. The notion of multi-input functional encryption (MI-FE) was

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur Lecture No. #06 Cryptanalysis of Classical Ciphers (Refer

### The application of prime numbers to RSA encryption

The application of prime numbers to RSA encryption Prime number definition: Let us begin with the definition of a prime number p The number p, which is a member of the set of natural numbers N, is considered

### CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

### Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

### Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

### lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

Symmetric Crypto Pierre-Alain Fouque Birthday Paradox In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal N=365, about 23 people are

### Ciphertext verification security of symmetric encryption schemes

www.scichina.com info.scichina.com www.springerlink.com Ciphertext verification security of symmetric encryption schemes HU ZhenYu 1, SUN FuChun 1 & JIANG JianChun 2 1 National Laboratory of Information

### Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)

### Block encryption. CS-4920: Lecture 7 Secret key cryptography. Determining the plaintext ciphertext mapping. CS4920-Lecture 7 4/1/2015

CS-4920: Lecture 7 Secret key cryptography Reading Chapter 3 (pp. 59-75, 92-93) Today s Outcomes Discuss block and key length issues related to secret key cryptography Define several terms related to secret

### 8.1 Makespan Scheduling

600.469 / 600.669 Approximation Algorithms Lecturer: Michael Dinitz Topic: Dynamic Programing: Min-Makespan and Bin Packing Date: 2/19/15 Scribe: Gabriel Kaptchuk 8.1 Makespan Scheduling Consider an instance

### Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

An extended abstract of this paper appears in Tatsuaki Okamoto, editor, Advances in Cryptology ASIACRYPT 2000, Volume 1976 of Lecture Notes in Computer Science, pages 531 545, Kyoto, Japan, December 3

### Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Introduction to Cryptography What is cryptography?

### Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak

Non-Black-Box Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a

### Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz June 13, 2006 Abstract We propose simple and efficient CCA-secure public-key encryption schemes

### SECURITY EVALUATION OF EMAIL ENCRYPTION USING RANDOM NOISE GENERATED BY LCG

SECURITY EVALUATION OF EMAIL ENCRYPTION USING RANDOM NOISE GENERATED BY LCG Chung-Chih Li, Hema Sagar R. Kandati, Bo Sun Dept. of Computer Science, Lamar University, Beaumont, Texas, USA 409-880-8748,

### Network Security: Cryptography CS/SS G513 S.K. Sahay

Network Security: Cryptography CS/SS G513 S.K. Sahay BITS-Pilani, K.K. Birla Goa Campus, Goa S.K. Sahay Network Security: Cryptography 1 Introduction Network security: measure to protect data/information

### a Course in Cryptography

a Course in Cryptography rafael pass abhi shelat c 2010 Pass/shelat All rights reserved Printed online 11 11 11 11 11 15 14 13 12 11 10 9 First edition: June 2007 Second edition: September 2008 Third edition:

### Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

### Multi-Recipient Encryption Schemes: Efficient Constructions and their Security

This is the full version of the paper with same title that appeared in IEEE Transactions on Information Theory, Volume 53, Number 11, 2007. It extends the previously published versions Ku, BBS. Multi-Recipient

### Discrete Mathematics and Probability Theory Fall 2009 Satish Rao,David Tse Note 11

CS 70 Discrete Mathematics and Probability Theory Fall 2009 Satish Rao,David Tse Note Conditional Probability A pharmaceutical company is marketing a new test for a certain medical condition. According

### Simulation-Based Security with Inexhaustible Interactive Turing Machines

Simulation-Based Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik Christian-Albrechts-Universität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.uni-kiel.de

### Digital Signatures. What are Signature Schemes?

Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counter-parts of the message authentication schemes in the public

### On the Security of CTR + CBC-MAC

On the Security of CTR + CBC-MAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBC-MAC (CCM) encryption mode.

### Continued Fractions and the Euclidean Algorithm

Continued Fractions and the Euclidean Algorithm Lecture notes prepared for MATH 326, Spring 997 Department of Mathematics and Statistics University at Albany William F Hammond Table of Contents Introduction

### Cryptography and Network Security: Summary

Cryptography and Network Security: Summary Timo Karvi 12.2013 Timo Karvi () Cryptography and Network Security: Summary 12.2013 1 / 17 Summary of the Requirements for the exam The advices are valid for

### Lecture 3: Finding integer solutions to systems of linear equations

Lecture 3: Finding integer solutions to systems of linear equations Algorithmic Number Theory (Fall 2014) Rutgers University Swastik Kopparty Scribe: Abhishek Bhrushundi 1 Overview The goal of this lecture

### Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each

### U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009 Notes on Algebra These notes contain as little theory as possible, and most results are stated without proof. Any introductory

### Lecture 1: Introduction. CS 6903: Modern Cryptography Spring 2009. Nitesh Saxena Polytechnic University

Lecture 1: Introduction CS 6903: Modern Cryptography Spring 2009 Nitesh Saxena Polytechnic University Outline Administrative Stuff Introductory Technical Stuff Some Pointers Course Web Page http://isis.poly.edu/courses/cs6903-s10