# Title Goes Here An Introduction to Modern Cryptography. Mike Reiter

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 Title Goes Here An Introduction to Modern Cryptography Mike Reiter 1 Cryptography Study of techniques to communicate securely in the presence of an adversary Traditional scenario Goal: A dedicated, private connection Alice Reality: Communication via an adversary Bob 2 1

2 Adversary s Goals 1. Observe what Alice and Bob are communicating Attacks on confidentiality or secrecy 2. Observe that Alice and Bob are communicating, or how much they are communicating Called traffic analysis 3. Modify communication between Alice and Bob Attacks on integrity 4. Impersonate Alice to Bob, or vice versa 5. Deny Alice and Bob from communicating Called denial of service Cryptography traditionally focuses on preventing (1) and detecting (3) and (4) 3 Adversary s Goals in Perspective Detecting modification and impersonation attacks is determining who could have sent a communication s In terms of previous lectures: Bob receives s on a channel C (i.e., C says s), and must determine if Alice says s Preventing attacks on confidentiality is limiting who can possibly receive a communication s Not utilized in previous lectures We will cover these topics in this order, unlike most treatments of cryptography First one builds on what we ve already covered Reordering emphasizes independence of two types of goals 4 2

3 Who is the Adversary? For our study, we don t really care who the attacker is, but we do care about his resources The adversary s computational power The resources in the adversary s environment at his disposal Alice and Bob are resources for the adversary How the adversary can interact with them is a core component of the resources available to him Modern cryptography is based on exploiting a gap between Efficient algorithms for Alice and Bob Computationally infeasible algorithms for the adversary to achieve his goals 5 Computational Resources Alice, Bob and the adversary are (usually) modeled as probabilistic polynomial-time (PPT) Turing machines For some fixed polynomial p, machine halts in p( x ) steps on input x Machine can flip coins, i.e., select from a set of possible transitions randomly Cryptographic algorithms typically specified in terms of a security parameter that specifies the length of inputs So, we want cryptographic algorithms such that Alice and Bob can compute efficiently, i.e., in time p( ) for some polynomial p No (PPT) adversary can defeat with more than negligible probability for sufficiently large 6 3

4 Negligible Probability A function : N R is negligible if for every positive polynomial p there exists an N such that for all > N: Examples is negligible is not Any event that occurs with negligible probability would still occur with negligible probability if the experiment were repeated polynomially many times (in ) 7 One-Way Functions Called preimage resistant in previous lectures A collection of one-way functions is a set { f i : Domain i Range i } i I such that for every PPT A there is a negligible A where Pr[ f i (z) = y : i R I {0,1} ; x R Domain i ; y f i (x) ; z A(i, y) ] A ( ) for all large enough. 8 4

5 A Candidate One-Way Function Candidate one-way function (collection): f g,p (x) = g x mod p where p is a prime number g is a generator of Z p* = {1, 2, p-1}, i.e., {g 1 mod p, g 2 mod p, } = Z * p This one-way function underlies numerous important cryptographic algorithms Notably Diffie-Hellman and ElGamal 9 Trapdoor One-Way Functions A collection of trapdoor one-way functions is a set { f i } i I that is one-way, but for which there is an efficient algorithm B and trapdoor t i for each i I such that x B(i, t i, f i (x)) Intuition: Trapdoor t i permits f i to be inverted efficiently (i.e., in time polynomial in ), but otherwise { f i } i I is one-way 10 5

6 A Candidate Trapdoor One-Way Function Candidate one-way function (collection): f n,e (x) = x e mod n where n = pq where p, q are primes with p = q gcd(e, (p 1)(q 1)) = 1 and the trapdoor for <n,e> is <p,q>,so that Algorithm B(<n,e>, <p,q>, y): return y d mod n where ed mod (p 1)(q 1) = 1 Why does it work? y d mod n = x ed mod n = x ed mod (p 1)(q 1) mod n = x 1 mod n = x This is the famous RSA trapdoor function 11 Why Candidate? Because there is no proof that these functions are one-way They just seem to be Best known algorithm for inverting f g,p runs in expected time proportional to inverting f n,e (without the trapdoor) runs in expected time proportional to In fact, there is no proof that one-way functions exist! Though it is widely believed that they do 12 6

7 Applications We have already seen applications for one-way functions To make a public identifier for private information What about applications for trapdoor functions? One application is a digital signature Let K be i (the index of f i ) and K 1 be the trapdoor t i To sign a message x, create = f 1 (x) using the trapdoor Signer verifies signature by checking that f i ( ) = x (This is just for illustration. This is not a secure signature scheme.) 13 Practice Security has been defined for large enough In practice, must be chosen How big should p or n be when used in practice? It depends on numerous factors, including Life span: How long the information must be protected Security margin: Computational and financial power of the attacker Cryptanalysis: Algorithmic progress during lifetime of information 14 7

8 An Analysis for Commercial Systems (1) [Lenstra & Verheul 1999] Based their analysis on four hypotheses MIPS Years (MY) was an adequate security margin for commercial applications up to MY = one year of computation on a VAX 11/ hours on a 450 MHz P-II MY 14,000 months on a 450 MHz P-II 2 months on 7000 such processors This number was derived from the assumption that the Data Encryption Standard was sufficient for commercial apps in The amount of computing power and RAM one gets for a dollar doubles every 18 months. A slight variation of Moore s law One expects 2 10 (12/18) 100 times more power and RAM for the same cost every 10 years. 15 An Analysis for Commercial Systems (2) [Lenstra & Verheul 1999] 3. The budgets of organizations (i.e., attackers) doubles every 10 years. Derived from the trend that the U.S. Gross National Product doubles every ten years (measured in contemporary dollars). Illustration of combining hypotheses 1 3 If MY was infeasible to break in 1982 then ( MY) = 10 8 MY infeasible in 1992 then (10 8 MY) = MY infeasible in 2002 then ( MY) = MY infeasible in The computational effort required to invert f p,g or f n,e halves every 18 months. Consistent with cryptanalytic progress from 1970 to

9 Lenstra & Verheul [1999] Recommendations Year n or p Year n or p Year n or p Year n or p Selected CAs in Firefox 24 Verisign, Inc. Valid until: October 24, 2016 Key length: 1024 bits (vs. 1664) RSA Public Root CA v1 Valid until: April 30, 2019 Key length: 1024 bits (vs. 1825) TWCA Root Certification Authority Valid until: December 31, 2030 Key length: 2048 bits (vs. 2493) 18 9

10 Oracles in the Adversary s Environment The adversary does not work in a vacuum Trivial example: Adversary may be able to sign a message as Bob by tricking Bob into signing it for him The environment of the adversary can be augmented with oracles that compute certain functions for the adversary Formally, a PPT adversary is augmented with new query and response tapes for each oracle Notation: if A is an adversary, then A f is an adversary with access to an oracle for function f 19 Recall Informal Definition of a Digital Signature A digital signature scheme is a triple G, S, V of efficiently computable algorithms G outputs a public key K and a private key K -1 K, K -1 G( ) S takes a message m and K -1 as input and outputs a signature S K -1(m) V takes a message m, signature and public key K as input, and outputs a bit b b V K (m, ) If S K -1(m) then V K (m, ) outputs 1 ( valid ) Given only K and message/signature pairs { m i, S K -1(m i ) } i, it is computationally infeasible to compute m, such that V K (m, )= 1 any new m m i 20 10

11 Attacks Against Digital Signature Schemes Types of attacks Key-Only Attack: Adversary knows only K Known Signature Attack: The adversary knows K and has seen m, pairs made by S K -1, but not chosen by the adversary Chosen Message Attack: The adversary knows K and is given an oracle for S K -1 When does the adversary succeed? Existential Forgery: Adversary succeeds in forging the signature of one message, not necessarily of his choice. Selective Forgery: The adversary succeeds in forging the signature of some message of his choice. Universal Forgery: The adversary is able to forge the signature of any message. Total Break: The adversary computes the signer s secret key. 21 Example Definition A signature scheme secure against existential forgery under chosen message attack is a triple G, S, V such that for every PPT A there is a negligible A where Pr[ V K (m, ) = 1 : K, K -1 G(1 ); m, A S K -1 (K); S K -1(m) not queried ] A ( ) for all large enough

12 Vanilla RSA Signature Scheme Algorithm G(1 ): p, q R { /2-bit primes} n pq Choose e:gcd(e,(p 1)(q 1)) = 1 Compute d : ed = 1 mod (p 1)(q 1) Return n, e, n, d Algorithm S n, d (m), m Z n : return m d mod n Algorithm V n, e (m, ): m e mod n if m = m return 1 else return 0 How secure is this? 23 Security of Vanilla RSA Signatures Vanilla RSA is existentially forgeable under a known message attack. Given m 1, 1 and m 2, 2, consider m 1 m 2 mod n, 1 2 mod n : ( 1 2 ) e mod n = ((m 1 ) d (m 2 ) d ) e mod n = m 1 m 2 mod n Vanilla RSA is universally forgeable under a chosen message attack

13 RSA in Practice Other measures are taken to strengthen RSA Versions are used that are existentially unforgeable under chosen message attack, under reasonable assumptions One approach is called hash-then-sign Let h be a collision-resistant hash function Algorithm S n, d (m): return h(m) d mod n Algorithm V n, e (m, ): m e mod n if h(m) = m return 1 else return 0 Fully specified RSA signatures can be found in PKCS #1 25 Pseudorandom Functions Intuitively, a pseudorandom function is a function f: Keys Domain Range that is indistinguishable from a random function to anyone not knowing the key (the first input) A useful primitive for a range of higher level crypto functions Notation: Let f K (x) = f(k,x) To define this precisely, let F(Domain Range) denote the set of all functions from Domain to Range 26 13

14 Adversary for Pseudorandom Functions Adversary participates in one of two experiments K R Keys g R F(Domain Range) f K g x f K (x) x g(x) Adversary queries oracle on inputs of its choice At end of experiment, adversary outputs a guess (0 or 1) as to which experiment he was participating in 27 Rough Definition of Pseudorandom Functions A collection of pseudorandom functions is a set { f : Keys( ) Domain( ) Range( )} N such that for every PPT A there is a negligible A where for all large enough, where the probabilities are taken over the choices of K R Keys( ) g R F(Domain( ) Range( )) 28 14

15 Application of Pseudorandom Functions Friend or foe identification r R Domain y f(k,r) r z z f(k,r) y = z? If friendly aircraft know K, then they can be challenged to respond with f(k,r). Requires Domain and Range to be large 29 Recall Informal Definition of a MAC A message authentication code (MAC) scheme is a triple G, T, V of efficiently computable functions G outputs a secret key K K G( ) T takes a key K and message m as input, and outputs a tag t t T K (m) V takes a message m, tag t and key K as input, and outputs a bit b b V K (m, t) If t T K (m) then V K (m, t) outputs 1 ( valid ) Given only message/tag pairs { m i, T K (m i ) } i, it is computationally infeasible to compute m, t such that V K (m, t)= 1 for any new m m i 30 15

16 Pseudorandom Functions Make Good MACs Let f be a pseudorandom function (for an appropriate ) Select K R Keys Define T K (m) = f K (m) for m Domain Define 31 MACs for Longer Messages Creating a suitable MAC is trickier than you might think Suppose Domain = {0,1} L, Range = {0,1} L Proposal (where denotes concatenation) Algorithm T K (m): let m 1 m n = m, m i {0,1} L for i = 1 n do y i f K (m i ) t y 1 y n return t Algorithm V K (m, t): let m 1 m n = m, m i {0,1} L for i = 1 n do y i f K (m i ) t y 1 y n if t = t return 1 else return 0 Is this secure? 32 16

17 Two Simple Attacks Attack #1 Attack #2 : Choose m {0,1} L t T K (m) Output (m m, 0 L ) : Choose m 1, m 2 {0,1} L t T K (m 1 m 2 ) Output (m 2 m 1, t ) 33 Another Proposal Algorithm T K (m): let m 1 m n = m, m i {0,1} L l for i = 1 n do y i f K ( i m i ) t y 1 y n return t Algorithm V K (m, t): let m 1 m n = m, m i {0,1} L l for i = 1 n do y i f K ( i m i ) t y 1 y n if t = t return 1 else return 0 Is this secure? 34 17

18 An Attack No! : Choose m 1,m 1 {0,1} L, m 1 m 1 Choose m 2,m 2 {0,1} L, m 2 m 2 t 1 T K (m 1 m 2 ) t 2 T K (m 1 m 2 ) t 3 T K (m 1 m 2 ) Output (m 1 m 2, t 1 t 2 t 3 ) 35 A Third Proposal Algorithm T K (m) outputs t = r, s where r R {0,1} l 1 s f K (0 r) f K (1 1 m 1 ) f K (1 2 m 2 ) f K (1 n m n ) Is this secure? Yes, but we will not prove it here Intuition: since can invoke only T K and not f K, cannot recover f K (0 r) 36 18

19 MACs from Cryptographic Hash Functions Creating MACs using only hash functions is desirable since Popular hash functions (SHA-1, MD5) are faster than implementations of (thought-to-be) pseudorandom functions Implementations of hash functions are readily and freely available, and are not subject to export controls of U.S. and other countries The HMAC algorithm is an example Described in Internet RFC 2104 Mandatory to implement for Internet security protocols 37 HMAC Let h be a cryptographic hash function (preimage resistant, 2 nd preimage resistant, collision resistant) Algorithm T K (m): let ipad = the byte 0x36 repeated 64 times let opad = the byte 0x5C repeated 64 times t h((k opad) h((k ipad) m)) return t Security can be shown under non-standard but plausible assumptions about the hash function 38 19

20 Informal Definition of Symmetric Encryption A symmetric encryption scheme is a triple G, E, D of efficiently computable functions G outputs a secret key K K G( ) E takes a key K and plaintext m as input, and outputs a ciphertext c E K (m) D takes a ciphertext c and key K as input, and outputs or a plaintext m D K (c) If c E K (m) then m D K (c) If c E K (m), then c should reveal no information about m 39 Example: Counter Mode Encryption Let f: Keys {0,1} l {0,1} L be a pseudorandom function Algorithm G(): K R Keys return K Algorithm E K (m): let m 1 m n = m : m i {0,1} L let r R {0,1} l for i = 1 n do c i f K (r+i mod 2 l ) m i return r c 1 c n Algorithm D K (c): let r c 1 c n = c : r {0,1} l and c i {0,1} L for i = 1 n do m i f K (r+i mod 2 l ) c i return m 1 m n r r m 1 c 1 r+1 m 2 r+2 r+n f K f K m n c n f K c

21 What Does No Information Mean? Option 1: Adversary cannot recover m from E K (m)? What if adversary can get first bit of m? Option 2: Adversary cannot recover any bit of m from E K (m)? What if adversary can get sum of bits in m? Here we will define security in terms of indistinguishability 41 Chosen Plaintext Attack (CPA) Suppose the adversary is given two oracles An encryption oracle E K A test oracle T K (m 0, m 1 ) that can be called only once Oracle T K (m 0, m 1 ): if m 0 m 1 then return b R {0,1} return E K (m b ) The adversary must guess whether b = 0 or b =

22 Rough Definition of a CPA-Secure Scheme An CPA-secure encryption scheme is a triple G, E, D such that for every PPT A there is a negligible A where Pr[ A E K,T K = 0 : b 0 ] Pr[ A E K,T K = 0 : b 1 ] A ( ) for all large enough, where the probabilities are taken over K G(1 ). 43 Example: ECB Encryption ECB = Electronic Code Book Let f: Keys {0,1} L {0,1} L be a pseudorandom permutation f K 1 exists and can be computed efficiently if k is known Algorithm E K (m): let m 1 m n = m : m i {0,1} L for i = 1 n do c i f K (m i ) return c 1 c n m 1 f K c 1 m 2 f K c 2 Algorithm D K (c): let c 1 c n = c : c i {0,1} L for i = 1 n do m i f K 1 (c i ) return m 1 m n m n f K c n Is this CPA-secure? 44 22

23 CPA Security ECB is not CPA-secure In fact, if E K is deterministic and stateless, then it is not CPA secure To be CPA secure, E K must be either nondeterministic or stateful Example of nondeterministic: Counter encryption Counter encryption also has a deterministic, stateful version 45 Example: Stateful Counter Mode Encryption Let f: Keys {0,1} l {0,1} L be a pseudorandom function Algorithm E K (m): let m 1 m n = m : m i {0,1} L if r = then r R {0,1} l for i = 1 n do c i f K (r+i mod 2 l ) m i c r c 1 c n r r + n mod 2 l return c Algorithm D K (c): let r c 1 c n = c : r {0,1} l and c i {0,1} L for i = 1 n do m i f K (r+i mod 2 l ) c i return m 1 m n 46 23

24 Example: Cipher Block Chaining Encryption Let f: Keys {0,1} L {0,1} L be a pseudorandom permutation Algorithm E K (m): let m 1 m n = m : m i {0,1} L c 0 R {0,1} L for i = 1 n do c i f K (c i 1 m i ) return c 0 c 1 c n c 0 c 0 m 1 f K c 1 Algorithm D K (c): let c 0 c 1 c n = c : c i {0,1} L for i = 1 n do m i f K 1 (c i ) c i 1 return m 1 m n m 2 c 2 f K m n f K c n 47 Chosen Ciphertext Attack (CCA) Suppose the adversary is given three oracles An encryption oracle E K A test oracle T K (m 0, m 1 ) that can be called only once Oracle T K (m 0, m 1 ): if m 0 m 1 then return b R {0,1} return E K (m b ) A decryption oracle D K The adversary must guess whether b = 0 or b = 1, but if c T K (m 0, m 1 ) then adversary cannot query D K (c) CCA is powerful enough to break all standard modes of operation (Counter, CBC, ) 48 24

25 Informal Definition of Public Key Encryption A public key encryption scheme is a triple G, E, D of efficiently computable functions G outputs a public key K and a private key K -1 K, K -1 G( ) E takes public key K and plaintext m as input, and outputs a ciphertext c E K (m) D takes a ciphertext c and private key K -1 as input, and outputs or a plaintext m D K 1(c) If c E K (m) then m D K 1(c) If c E K (m), then c and K should reveal no information about m 49 Vanilla RSA Encryption Scheme Frequently, K is made public Therefore, CPA security is mandatory Defined precisely as for a symmetric cipher Consider Vanilla RSA encryption Algorithm G(1 ): p, q R { /2-bit primes} n pq Choose e:gcd(e,(p 1)(q 1)) = 1 Compute d : ed = 1 mod (p 1)(q 1) Return n, e, n, d Algorithm E n, e (m), m Z n : return m e mod n Algorithm D n, d (c): return c d mod n Is this CPA secure? 50 25

26 CCA-Security Can Be Achieved PKCS #1 specifies RSA encryption that is secure against chosen ciphertext attacks under plausible assumptions Let G: {0,1} k 0 {0,1} n k 0 Let H: {0,1} n k 0 {0,1} k 0 Algorithm E n, e (m), m = n k 0 k 1 : r R {0,1} k 0 a m 0 k 1 G(r) b r H(a) return (a b) e mod n Algorithm D n, d (c): a b c d mod n : a {0,1} n k 0, b {0,1} k 0 r H(a) b y G(r) a if y = m 0 k 1 then return m, else return CCA-secure only for single block 51 26

### Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

### Cryptographic Hash Functions Message Authentication Digital Signatures

Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBC-MAC Digital signatures 2 Encryption/Decryption

### Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each

### Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

### 1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

### 1 Signatures vs. MACs

CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

### Introduction to Cryptography CS 355

Introduction to Cryptography CS 355 Lecture 30 Digital Signatures CS 355 Fall 2005 / Lecture 30 1 Announcements Wednesday s lecture cancelled Friday will be guest lecture by Prof. Cristina Nita- Rotaru

### Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

### CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

### Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

### Digital signatures. Informal properties

Digital signatures Informal properties Definition. A digital signature is a number dependent on some secret known only to the signer and, additionally, on the content of the message being signed Property.

### Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Network Security Gaurav Naik Gus Anderson, Philadelphia, PA Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14:

### 1 Domain Extension for MACs

CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).

MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

### Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

### Authentication requirement Authentication function MAC Hash function Security of

UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy

### 1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

### Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Digital Signatures Murat Kantarcioglu Based on Prof. Li s Slides Digital Signatures: The Problem Consider the real-life example where a person pays by credit card and signs a bill; the seller verifies

### Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

### Message Authentication Codes

2 MAC Message Authentication Codes : and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l08, Steve/Courses/2013/s2/css322/lectures/mac.tex,

### Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Outline CSc 466/566 Computer Security 8 : Cryptography Digital Signatures Version: 2012/02/27 16:07:05 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian

### Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

### Message Authentication Code

Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

### Authentication and Encryption: How to order them? Motivation

Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in

### 1 Construction of CCA-secure encryption

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

### Hash Functions. Integrity checks

Hash Functions EJ Jung slide 1 Integrity checks Integrity vs. Confidentiality! Integrity: attacker cannot tamper with message! Encryption may not guarantee integrity! Intuition: attacker may able to modify

### Cryptography and Network Security Chapter 12

Cryptography and Network Security Chapter 12 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 12 Message Authentication Codes At cats' green on the Sunday he

### CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

### Talk announcement please consider attending!

Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically

### Digital Signatures. What are Signature Schemes?

Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counter-parts of the message authentication schemes in the public

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### Introduction to Computer Security

Introduction to Computer Security Hash Functions and Digital Signatures Pavel Laskov Wilhelm Schickard Institute for Computer Science Integrity objective in a wide sense Reliability Transmission errors

### Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 8-1 Public Key Cryptography symmetric key crypto v requires sender, receiver know shared secret

### Lecture 3: One-Way Encryption, RSA Example

ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

### lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

Symmetric Crypto Pierre-Alain Fouque Birthday Paradox In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal N=365, about 23 people are

### Computer Security: Principles and Practice

Computer Security: Principles and Practice Chapter 20 Public-Key Cryptography and Message Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Public-Key Cryptography

### CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

### DIGITAL SIGNATURES 1/1

DIGITAL SIGNATURES 1/1 Signing by hand COSMO ALICE ALICE Pay Bob \$100 Cosmo Alice Alice Bank =? no Don t yes pay Bob 2/1 Signing electronically Bank Internet SIGFILE } {{ } 101 1 ALICE Pay Bob \$100 scan

### Lecture 7: Hashing III: Open Addressing

Lecture 7: Hashing III: Open Addressing Lecture Overview Open Addressing, Probing Strategies Uniform Hashing, Analysis Cryptographic Hashing Readings CLRS Chapter.4 (and.3.3 and.5 if interested) Open Addressing

### Signature Schemes. CSG 252 Fall 2006. Riccardo Pucella

Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by

### Authenticated encryption

Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu October 16th, 2013 Active attacks on CPA-secure encryption

### CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

### Message Authentication Codes. Lecture Outline

Message Authentication Codes Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Message Authentication Code Lecture Outline 1 Limitation of Using Hash Functions for Authentication Require an authentic

### Lecture 13: Message Authentication Codes

Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts

### CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA Diffie-Hellman Key Exchange Public key and

### Overview of Public-Key Cryptography

CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

### SECURITY IN NETWORKS

SECURITY IN NETWORKS GOALS Understand principles of network security: Cryptography and its many uses beyond confidentiality Authentication Message integrity Security in practice: Security in application,

### Symmetric Crypto MAC. Pierre-Alain Fouque

Symmetric Crypto MAC Pierre-Alain Fouque Birthday Paradox In a set of D elements, by picking at random D elements, we have with high probability a collision two elements are equal D=365, about 23 people

### Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 hmsun@cs.nthu.edu.tw Phone: 03-5742968 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Network Security 孫 宏 民 hmsun@cs.nthu.edu.tw Phone: 03-5742968 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室 Security Attacks Normal flow: sender receiver Interruption: Information source Information destination

### Digital Signature. Raj Jain. Washington University in St. Louis

Digital Signature Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/

### Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

### Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

Cryptography Digital Signatures Professor: Marius Zimand Digital signatures are meant to realize authentication of the sender nonrepudiation (Note that authentication of sender is also achieved by MACs.)

### CS155. Cryptography Overview

CS155 Cryptography Overview Cryptography Is n A tremendous tool n The basis for many security mechanisms Is not n The solution to all security problems n Reliable unless implemented properly n Reliable

### Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

6.857 Computer and Network Security Fall Term, 1997 Lecture 4 : 16 September 1997 Lecturer: Ron Rivest Scribe: Michelle Goldberg 1 Conditionally Secure Cryptography Conditionally (or computationally) secure

### The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication

### Network Security. HIT Shimrit Tzur-David

Network Security HIT Shimrit Tzur-David 1 Goals: 2 Network Security Understand principles of network security: cryptography and its many uses beyond confidentiality authentication message integrity key

### Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages:

Designing Hash functions and message authentication codes Reviewing... We have seen how to authenticate messages: Using symmetric encryption, in an heuristic fashion Using public-key encryption in interactive

### Message Authentication

Message Authentication message authentication is concerned with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute resolution) will consider the

### IT Networks & Security CERT Luncheon Series: Cryptography

IT Networks & Security CERT Luncheon Series: Cryptography Presented by Addam Schroll, IT Security & Privacy Analyst 1 Outline History Terms & Definitions Symmetric and Asymmetric Algorithms Hashing PKI

### Cryptography Lecture 8. Digital signatures, hash functions

Cryptography Lecture 8 Digital signatures, hash functions A Message Authentication Code is what you get from symmetric cryptography A MAC is used to prevent Eve from creating a new message and inserting

### MAC. SKE in Practice. Lecture 5

MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve

### MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

### Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

### Proofs in Cryptography

Proofs in Cryptography Ananth Raghunathan Abstract We give a brief overview of proofs in cryptography at a beginners level. We briefly cover a general way to look at proofs in cryptography and briefly

### Cryptography. Jonathan Katz, University of Maryland, College Park, MD 20742.

Cryptography Jonathan Katz, University of Maryland, College Park, MD 20742. 1 Introduction Cryptography is a vast subject, addressing problems as diverse as e-cash, remote authentication, fault-tolerant

### Chapter 12. Digital signatures. 12.1 Digital signature schemes

Chapter 12 Digital signatures In the public key setting, the primitive used to provide data integrity is a digital signature scheme. In this chapter we look at security notions and constructions for this

### Crittografia e sicurezza delle reti. Digital signatures- DSA

Crittografia e sicurezza delle reti Digital signatures- DSA Signatures vs. MACs Suppose parties A and B share the secret key K. Then M, MAC K (M) convinces A that indeed M originated with B. But in case

1 Introduction to Cryptography and Data Security 1 1.1 Overview of Cryptology (and This Book) 2 1.2 Symmetric Cryptography 4 1.2.1 Basics 4 1.2.2 Simple Symmetric Encryption: The Substitution Cipher...

### Network Security. Modes of Operation. Steven M. Bellovin February 3, 2009 1

Modes of Operation Steven M. Bellovin February 3, 2009 1 Using Cryptography As we ve already seen, using cryptography properly is not easy Many pitfalls! Errors in use can lead to very easy attacks You

### Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

### Practice Questions. CS161 Computer Security, Fall 2008

Practice Questions CS161 Computer Security, Fall 2008 Name Email address Score % / 100 % Please do not forget to fill up your name, email in the box in the midterm exam you can skip this here. These practice

### In this paper a new signature scheme and a public key cryptotsystem are proposed. They can be seen as a compromise between the RSA and ElGamal-type sc

Digital Signature and Public Key Cryptosystem in a Prime Order Subgroup of Z n Colin Boyd Information Security Research Centre, School of Data Communications Queensland University of Technology, Brisbane

### EXAM questions for the course TTM4135 - Information Security May 2013. Part 1

EXAM questions for the course TTM4135 - Information Security May 2013 Part 1 This part consists of 5 questions all from one common topic. The number of maximal points for every correctly answered question

### Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015 Chapter 2: Introduction to Cryptography What is cryptography? It is a process/art of mangling information in such a way so as to make it

### Common security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon

1 Common security requirements Basic security tools Secret-key cryptography Public-key cryptography Example Online shopping with Amazon 2 Alice credit card # is xxxx Internet What could the hacker possibly

### Cryptography and Network Security Digital Signature

Cryptography and Network Security Digital Signature Xiang-Yang Li Message Authentication Digital Signature Authentication Authentication requirements Authentication functions Mechanisms MAC: message authentication

### Message Authentication Codes 133

Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in

### CS3235 - Computer Security Third topic: Crypto Support Sys

Systems used with cryptography CS3235 - Computer Security Third topic: Crypto Support Systems National University of Singapore School of Computing (Some slides drawn from Lawrie Brown s, with permission)

### Principles of Network Security

he Network Security Model Bob and lice want to communicate securely. rudy (the adversary) has access to the channel. lice channel data, control s Bob Kai Shen data secure sender secure receiver data rudy

### Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Network Security (2) CPSC 441 Department of Computer Science University of Calgary 1 Friends and enemies: Alice, Bob, Trudy well-known in network security world Bob, Alice (lovers!) want to communicate

### Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas El-Qawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.

### Public Key Cryptography and RSA. Review: Number Theory Basics

Public Key Cryptography and RSA Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Review: Number Theory Basics Definition An integer n > 1 is called a prime number if its positive divisors are 1 and

### MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

### Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

### Symmetric Key cryptosystem

SFWR C03: Computer Networks and Computer Security Mar 8-11 200 Lecturer: Kartik Krishnan Lectures 22-2 Symmetric Key cryptosystem Symmetric encryption, also referred to as conventional encryption or single

### Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm

Error oracle attacks and CBC encryption Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Agenda 1. Introduction 2. CBC mode 3. Error oracles 4. Example 1 5. Example 2 6. Example 3 7. Stream ciphers

### Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database

Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

### Chapter 7: Network security

Chapter 7: Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice: application layer: secure e-mail transport

### CS 393 Network Security. Nasir Memon Polytechnic University Module 11 Secure Email

CS 393 Network Security Nasir Memon Polytechnic University Module 11 Secure Email Course Logistics HW 5 due Thursday Graded exams returned and discussed. Read Chapter 5 of text 4/2/02 Module 11 - Secure

### Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53

Cryptography and Network Security, PART IV: Reviews, Patches, and Theory Timo Karvi 11.2012 Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Key Lengths I The old

### Public Key Cryptography. c Eli Biham - March 30, 2011 258 Public Key Cryptography

Public Key Cryptography c Eli Biham - March 30, 2011 258 Public Key Cryptography Key Exchange All the ciphers mentioned previously require keys known a-priori to all the users, before they can encrypt

### The Misuse of RC4 in Microsoft Word and Excel

The Misuse of RC4 in Microsoft Word and Excel Hongjun Wu Institute for Infocomm Research, Singapore hongjun@i2r.a-star.edu.sg Abstract. In this report, we point out a serious security flaw in Microsoft

### One-Way Encryption and Message Authentication

One-Way Encryption and Message Authentication Cryptographic Hash Functions Johannes Mittmann mittmann@in.tum.de Zentrum Mathematik Technische Universität München (TUM) 3 rd Joint Advanced Student School

### Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense

### Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures Department of Computer Science and Information Engineering, Chaoyang University of Technology 朝 陽 科 技 大 學 資 工