# 1 Construction of CCA-secure encryption

Save this PDF as:

Size: px
Start display at page:

## Transcription

2 she already knows the answer), so without loss of generality, we shall be able to assume that Eve never makes such a query. Theorem 1. If (Enc, Dec) is (s, ε) CPA-secure and (T ag, V er) is (s, ε/s) strongly secure against chosen message attack, then (Enc, Dec ) is (Ω(s/mt), 3ε) -secure, where t is the circuit size of Enc and T ag and m is the message length. Proof. Let s = s/cmt where C is a sufficiently large constant. For contradiction, suppose (Enc, Dec ) is not -secure. Then there is a circuit A of size s and messages M, M such that Pr[A Enc,Dec (Enc (K, M)) = 1] Pr[A Enc,Dec (Enc (K, M )) = 1] > 3ε. (1) Here we abuse notation a bit and use Dec for the decryption algorithm that is allowed to query every ciphertext except for the challenge provided as input to A. We first replace A by an adversary that never queries its decryption oracle on an output of the encryption oracle. This can be done by maintaining a table of all the queries and answers that A makes to its encryption oracle and consulting this table before the decryption oracle is queried. The new adversary will have size O(s m) (with a careful implementation). Abusing notation we ll call this adversary A also. We now want to use A to design an adversary A that breaks CPA encryption. We will make A simulate A, but every time A calls the decryption oracle, A will pretend that the decryption oracle returns error. More formally, A? is the following randomized oracle circuit: A E : On input C, choose a random key K MAC and simulate A E,D CPA (C, T ag(k MAC, C)), where E is an oracle that on input M returns (E(M), T ag(k MAC, E(M))), and D always returns error. Notice that A? makes at most O(s m) calls to the tagging algorithm and so it has circuit size O(s mt) s. By construction, A Enc(KCPA, ) behaves exactly like A Enc (K, ),Dec (K, ), except that the decryption oracle always returns error. (To simplify notation from now on we omit the private keys.) We want to argue that if A Enc behaves very differently from A Enc,Dec then A breaks the unforgeability of (T ag, V er), and otherwise A breaks the CPA security of (Enc, Dec). Formally, by (1), at least one of the following three conditions must hold: Pr[A Enc,Dec (Enc (M)) = 1] Pr[A Enc (Enc(M)) = 1] > ε or Pr[A Enc,Dec (Enc (M )) = 1] Pr[A Enc (Enc(M )) = 1] > ε or Pr[A Enc (Enc(M )) = 1] Pr[A Enc (Enc(M)) = 1] > ε. The last inequality cannot occur because Enc is (s, ε) CPA-secure. So let us assume that the first inequality holds (the second one is symmetric). Since A Enc,Dec (Enc (M)) and A Enc (Enc(M)) are identically distributed conditioned on the decryption oracle never returning error, it follows that the probability of Dec returning something other than error in AEnc,Dec (Enc (M)) is greater than ε. 2

3 By the union bound, there exists a query round i so that the decryption oracle returns error in rounds up to i 1 but not in round i is at least ε/s. If the decryption oracle does not return error in round i, then it must have been called on a query (C i, T i ) such that V er(k MAC, C i, T i ) = 1. Now consider the following adversary A MAC that implements a chosen message attack on (T ag, V er): A T MAC : Choose a random key K CPA and simulate A E,D (Enc(K CPA, M), T (Enc(K CPA, M)), where E is the oracle (Enc(K CPA, ), T (Enc(K CPA, ))) and D returns error for the first i 1 queries. Output the ith query (C i, T i ) made to D. We claim that A T MAC is a chosen message attack on (T ag, V er) that succeeds with probability at least ε/s. Notice that A MAC only calls its tagging oracle when A calls its encryption oracle, in which case A stores the answer (C, T ) in a lookup table. When A makes the ith query (C i, T i ) to the decryption oracle, we know that (C i, T i ) must be different from all such (C, T ), for otherwise A would have just looked up the answer instead of querying the oracle. So with probability at least ε/s, A T MAC produces a weak forgery (C i, T i ) for (T ag, V er). Since A? MAC has size O(s mt) s, (T ag, V er) cannot be (s, ε/s) strongly secure against message attack, contradicting our assumption. 2 How not to combine encryption and authentication The design of the -secure authentication scheme in the last section came about naturally as we attempted to resolve the malleability issue in the original, CPA-secure encryption scheme. The malleability of the original scheme allowed an active adversary to take the encryption of any message M and turn it into an encryption of another message M. To prevent this problem, we realized that it is sufficient to authenticate the ciphertext. We then abstracted the problem of authentication for general messages, gave a solution to it, and proved that authenticated CPA-secure encryption provides a -secure scheme. But isn t it possible to combine encryption and authentication in other ways that achieve security? We will now see that some natural-looking combinations are in fact insecure not only do they fail to achieve -security, but they may even break the CPA-security of the original encryption scheme. Encrypt-and-authenticate. The goal of encryption is to provide security, while the goal of authentication is to provide message integrity. This suggests that together, encryption and authentication should provide both security and integrity. Specifically, if (Enc, Dec) is CPA-secure and (T ag, V er) is unforgeable against chosen message attack, will the following scheme be CPA-secure and unforgeable against chosen message attack? Enc (K, M) = (Enc(K CPA, M), T ag(k MAC, M)) In general, such a scheme is not only CPA-insecure, but could be insecure even against single message encryption! The fact that a MAC can be deterministic (in particular, the construction we gave was a deterministic ones), while CPA-secure encryption requires randomness already indicates that something is fishy. Suppose we want to CPA distinguish messages M and M. We query the CPA oracle on M and compare the tag provided by the oracle with the tag provided to the 3

4 distinguisher. If the tag is the same, the distinguisher can be confident that it is looking at an encryption of M and not of M. In fact, if the MAC we used was a bit different, this scheme would be even insecure for a single encryption. It could be that the tag of a message completely gives away the message: In fact, the scheme T ag(k, M) = (M, F K (M)) is a perfectly valid MAC as long as F K is a pseudorandom function, but it completely reveals the message! In this case there is clearly no security of any kind in the encryption. Authenticate-then-encrypt. What if instead of authenticating the encryption, we first authenticate the message, and then encrypt the authenticated message? Enc (K, M) = Enc(K CPA, (M, T ag(k MAC, M))) { Dec M part of Dec(K CPA, C), if V er(k MAC, Dec(K CPA, C)) = 1 (K, C) = error, otherwise. It is not difficult to see that if (Enc, Dec) is CPA-secure, then so is (Enc, Dec ). Intuitively, applying any function to a message (in particular, a MAC) should not affect indistinguishability of encryptions, since the ciphertext of a CPA-secure scheme gives negligible information about what was encrypted. More formally, if we can break the CPA-security of (Enc, Dec ) then we can also break the CPA-security of (Enc, Dec) by having the new adversary/encryption oracle apply a tag before simulating the old adversary/encryption oracle. It is a good exercise to work out the details. In general, however, (Enc, Dec ) will not be -secure. 1 Here is an example. Suppose (Enc, Dec) is a modified CPA-secure encryption scheme where Enc always applies a zero at the end of the ciphertext, and Dec ignores this zero in the decryption. It is easy to see that the resulting scheme is still CPA-secure. However, an adversary can now mount a chosen ciphertext attack: On a challenge ciphertext C, change the last bit of C from 0 to 1 and call the decryption oracle. This attack will reveal the original message (and its tag). While this attack is contrived, one can imagine practical scenarios where the ciphertext contains some extra information that is ignored in the decryption an end of file symbol, routing information, the header of an . On the other hand the ciphertext attack sounds a bit unnatural: Why would a decryption algorithm agree to decode an incorrectly formatted ciphertext? There are more natural examples, where by merely obtaining the knowledge that a ciphertext was incorrectly formatted, the adversary can completely decrypt its challenge ciphertext. Encryption and authentication with the same key. In our construction of -secure encryption it was very important that we used different private keys for encryption and authentication. Using the same key for both can make the scheme insecure. It is possible to give an example where our method for constructing -secure encryption becomes insecure when the encryption key and the authentication keys are identical, but I don t know of a simple construction. Here is a direct construction that is based on similar ideas. This construction 1 (Enc, Dec ) may be -secure for specific implementations of the CPA-secure scheme and the MAC used in the construction. However, it will not be so in general, which means that it is unsafe to use this design methodology for combining encryption and authentication. 4

5 is -secure when instantiated with independent keys, but not even CPA-secure when the same key is reused twice: Enc((K 1, K 2 ), M) = (S, F K1 (S) + M, F K2 (S + M)) where S is a random string { C + F K1 (S), if F K2 (S + C + F K1 (S)) = T Dec((K 1, K 2 ), (S, C, T )) = error, otherwise. In conclusion: Cryptographic components (in particular, encryption and authentication) cannot be combined in arbitrary ways. Such combinations may sometimes even be harmful and destroy the security properties of the original components. 3 Authenticating messages of arbitrary length One annoying aspect of our definition of authentication is that it only works for messages of a given length m. What if the length of the message is not known in advance? This is not merely a technical issue. To explain, let us go back to our original construction of MACs. To tag a message of length m, we used the scheme T ag m (M) = F K (M), where F K : {0, 1} m {0, 1} k is a pseudorandom function. Now suppose we want to tag a message M 1 M 2 of length 2m (where M 1 are the first m bits and M 2 are the last m bits). To tag this message, we need a pseudorandom function F K that takes 2m bits of input. Suppose F K was obtained by the GGM construction from some pseudorandom generator G. We can get F K by extending the construction F K for another m levels, namely F K(x 1... x 2m ) = G x2m (... G x1 (K)... ). In particular, F K (M 1M 2 ) = F FK (M 1 )(M 2 ). Then the scheme T ag 2m (M 1 M 2 ) = F K (M 1M 2 ) (with the appropriate verification procedure) is certainly a secure MAC (against chosen message attack) for messages of length 2m. But what happens if we use T ag m and T ag 2m together? Consider the following attack: I first use the tagging oracle for T ag m to obtain a tag F K (M) for some message M {0, 1} m. Now I can produce the tag F K (MM) = F F K (M)(M), which is a forgery for T ag 2m! So it is possible to use short message tags in order to produce forgeries for long message tags. One possible solution would be to use this scheme with an independently chosen key for every input length. However this is quite cumbersome. Without an a priori length on the messages that Alice and Bob want to authenticate, Alice and Bob will need infinitely long keys. We will show an alternative solution which will allow authentication of arbitrarily long messages using private keys f fixed length. Before doing so, let us discuss the changes in the definition of MAC that need to be implemented to handle the variable-length case. In the functionality part, we now allow T ag and V er to take arbitrary length messages as inputs that is, they now have type T ag : {0, 1} k {0, 1} {0, 1} t and V er : {0, 1} {0, 1} t {0, 1}. The security part of the definition doesn t change. However, the change in the functionality does have an effect on security, because an adversary that tries to produce a forgery of length m is now allowed to invoke the tagging oracle on messages that are shorter or longer than m. Since we already have a fixed-length message MAC, it makes sense to turn it into a variable-length message one. For simplicity, let s suppose we start with a MAC (T ag, V er) for message length 5

6 k (that also produces tags of length k). Now say we want to authenticate a message of length m > k. A natural thing to try is to split this message into l = m/k blocks M 1... M l of length k and authenticate each block separately: 2 T ag (K, M) = (T ag(k, M 1 ),..., T ag(k, M l )) Is this MAC secure against chosen message attack? A moment s thought shows that it isn t in fact it is not even secure as a fixed-length scheme: Given the tag of M 1 M 2, we can produce the tag of M 2 M 1 by rearranging the blocks. This attack suggests including some additional information that fixes the order of the blocks, like T ag(k, M) = (T ag(k, (1, M 1 )),..., T ag(k, (l, M l ))) Now it is not possible to reorder blocks from the same message anymore. However, we can do an attack where we combine blocks from two different messages: If we see the tags of M 1 M 2 and M 1 M 2, we can produce the tag of M 1M 2. To guard against this type of attack, we introduce a random identifier: T ag (K, M) = (S, T ag(k, (S, 1, M 1 )),..., T ag(k, (S, l, M l ))) where S is random. Under this scheme, it appears difficult to combine the tags of different messages. However there is still a type of attack that can be done: The tag of M 1 M 2 reveals the tag of M 1! To prevent this attack, we want to mark the last block of M with a special end of message symbol. One way to achieve this is to include an extra bit in each block which is set to 1 if this is the last block in the message, and 0 otherwise. We have arrived at our candidate scheme for encryption of variable length messages. Let (T ag, V er) be a MAC for message length m = 3k + 1. We construct a variable-length MAC (T ag, V er ) as follows: T ag (K, M) = (S, T ag(k, (S, 1, M 1, 0)), T ag(k, (S, 2, M 2, 0)),..., T ag(k, (S, l, M l, 1))) where S {0, 1} k is random. 1, if V er(k, (S, i, M i, 0)) = 1 for 1 i l 1 V er (K, M 1... M l, (S, T 1,..., T l )) = and V er(k, (S, l, M l, 1)) = 1 error, otherwise. Here S, i, and M i as represented by k bit strings. 3 Claim 2. If (T ag, V er) is a (O(s t), ε /s s /2 k ) secure against chosen message attack, then (T ag, V er ) is (s, ε ) secure against chosen message attack, where t is the size of the tagging circuit T ag. Proof. Let s assume (T ag, V er ) is not (s, ε ) secure, so there exists an oracle circuit A? of size s such that A T ag produces a forgery with probablity ε. Consider the following circuit A? 2 We ll assume m divides k; this can be handled at the message level by padding. 3 Technically, this means T ag can only be used to sign messages up to length 2 k, but this is not a practical limitation. 6

7 A T : Simulate the circuit A?. Whenever A? calls its tagging oracle on input M, choose a random string S and answer its query by (S, T (S, 1, M 1, 0), T (S, 2, M 2, 0),..., T (S, l, M l, 1)). when A? outputs a possible forgery (M 1... M l, (S, T 1,..., T l )), choose a random i between 1 and l and output ((S, i, M i, 0), T i ) if i < l and ((S, i, M i, 1), T i ) if i = l. Then A has size O(s t). We now show that A T ag produces a forgery with probability at least ε. Let S j be the random string that A? chooses when the jth oracle call of A? is made. We will show that Pr[A T ag outputs a forgery] 1 ag Pr[A T outputs s a forgery and all S j are different]. To see this, assume that A T ag outputs a forgery F = (M 1... M l, (S, T 1,..., T l )) and all S j are different. Since F is a forgery, A? must not have queried its oracle on M 1... M l. We claim that A? must not have queried its oracle on at least one of (S, 1, M 1, 0),..., (S, l 1, M l 1, 0), (S, l, M l, 1). For if A? has made all these queries, then S must equal S j for some j and because this S j is unique, all these queries were made in the same round, and A? must have queried M 1... M l in that round. It follows that at least one of ((S, 1, M 1, 0), T 1 ),..., ((S, l 1, M l 1, 0), T l 1 ), ((S, l, M l, 0), T l ) is a forgery, so A T ag must output a forgery with probability at least 1/l 1/s under these conditions. To finish the proof, we calculate that T ag Pr[A outputs a forgery and all S j are different] T ag Pr[A outputs a forgery] Pr[not all S j are different]. By assumption, the first probability is at least ε. We bound the second one as follows: Pr[not all S j are different] Pr[S j S j for some j j ] ( ) s Pr[S j S j ] 2 k 2 j j because there are at most ( s 2) pairs (j, j ). Putting all the inequalities together we have that Pr[A T ag outputs a forgery] 1 ( ) s (ε s )2 k ε 2 s + s 2 k. 7

### 1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

### Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

### Message Authentication Code

Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### Message Authentication Codes 133

Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in

MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

### Talk announcement please consider attending!

Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically

### Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

### Authentication and Encryption: How to order them? Motivation

Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in

### MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

### Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

### Lecture 13: Message Authentication Codes

Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts

### MAC. SKE in Practice. Lecture 5

MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve

### CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014.

CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014. Instructor: Sharon Goldberg March 25, 2014. 9:30-10:50 AM. One-sided handwritten aid sheet allowed. No cell phone or calculators

### Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

### Lecture 3: One-Way Encryption, RSA Example

ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

### The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication

### Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense

### Computational Soundness of Symbolic Security and Implicit Complexity

Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview

### 1 Domain Extension for MACs

CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).

### 1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

### 1 Signatures vs. MACs

CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

### Authenticated encryption

Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu October 16th, 2013 Active attacks on CPA-secure encryption

### Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

### Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

### Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

### Chapter 3. Network Domain Security

Communication System Security, Chapter 3, Draft, L.D. Chen and G. Gong, 2008 1 Chapter 3. Network Domain Security A network can be considered as the physical resource for a communication system. This chapter

### Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

### Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen - Huawei, Singapore Ye Zhang - Pennsylvania State University, USA Siu Ming

### Certificate Based Signature Schemes without Pairings or Random Oracles

Certificate Based Signature Schemes without Pairings or Random Oracles p. 1/2 Certificate Based Signature Schemes without Pairings or Random Oracles Joseph K. Liu, Joonsang Baek, Willy Susilo and Jianying

### Symmetric Crypto MAC. Pierre-Alain Fouque

Symmetric Crypto MAC Pierre-Alain Fouque Birthday Paradox In a set of D elements, by picking at random D elements, we have with high probability a collision two elements are equal D=365, about 23 people

### Cryptography. Lecture Notes from CS276, Spring 2009. Luca Trevisan Stanford University

Cryptography Lecture Notes from CS276, Spring 2009 Luca Trevisan Stanford University Foreword These are scribed notes from a graduate course on Cryptography offered at the University of California, Berkeley,

### YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 1 (rev. 1) Professor M. J. Fischer September 3, 2008 1 Course Overview Lecture Notes 1 This course is

### Chapter 12. Digital signatures. 12.1 Digital signature schemes

Chapter 12 Digital signatures In the public key setting, the primitive used to provide data integrity is a digital signature scheme. In this chapter we look at security notions and constructions for this

Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

### CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

### Yale University Department of Computer Science

Yale University Department of Computer Science On Backtracking Resistance in Pseudorandom Bit Generation (preliminary version) Michael J. Fischer Michael S. Paterson Ewa Syta YALEU/DCS/TR-1466 October

### Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives Olivier Pereira Université catholique de Louvain ICTEAM Crypto Group B-1348, Belgium olivier.pereira@uclouvain.be

### Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

An extended abstract of this paper appears in Tatsuaki Okamoto, editor, Advances in Cryptology ASIACRYPT 2000, Volume 1976 of Lecture Notes in Computer Science, pages 531 545, Kyoto, Japan, December 3

### SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct

### CryptoVerif Tutorial

CryptoVerif Tutorial Bruno Blanchet INRIA Paris-Rocquencourt bruno.blanchet@inria.fr November 2014 Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 1 / 14 Exercise 1: preliminary definition SUF-CMA

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. #01 Lecture No. #10 Symmetric Key Ciphers (Refer

### Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

### Overview of Symmetric Encryption

CS 361S Overview of Symmetric Encryption Vitaly Shmatikov Reading Assignment Read Kaufman 2.1-4 and 4.2 slide 2 Basic Problem ----- ----- -----? Given: both parties already know the same secret Goal: send

### Delegation of Cryptographic Servers for Capture-Resilient Devices

ACM, 2001. This is the authors' version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version is available at http://doi.acm.org/10.1145/501983.501986.

### Fuzzy Identity-Based Encryption

Fuzzy Identity-Based Encryption Janek Jochheim June 20th 2013 Overview Overview Motivation (Fuzzy) Identity-Based Encryption Formal definition Security Idea Ingredients Construction Security Extensions

### CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

### Lecture 5 - Cryptography

CSE497b Introduction to Computer and Network Security - Spring 2007 - Professors Jaeger Lecture 5 - Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/

### CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

### Digital Signatures. What are Signature Schemes?

Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counter-parts of the message authentication schemes in the public

### Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes

### Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay

Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay Lecture - 17 Shannon-Fano-Elias Coding and Introduction to Arithmetic Coding

### Key Privacy for Identity Based Encryption

Key Privacy for Identity Based Encryption Internet Security Research Lab Technical Report 2006-2 Jason E. Holt Internet Security Research Lab Brigham Young University c 2006 Brigham Young University March

### Security Analysis of DRBG Using HMAC in NIST SP 800-90

Security Analysis of DRBG Using MAC in NIST SP 800-90 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@u-fukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator

### First Semester Examinations 2011/12 INTERNET PRINCIPLES

PAPER CODE NO. EXAMINER : Martin Gairing COMP211 DEPARTMENT : Computer Science Tel. No. 0151 795 4264 First Semester Examinations 2011/12 INTERNET PRINCIPLES TIME ALLOWED : Two Hours INSTRUCTIONS TO CANDIDATES

### Computational Complexity: A Modern Approach

i Computational Complexity: A Modern Approach Draft of a book: Dated January 2007 Comments welcome! Sanjeev Arora and Boaz Barak Princeton University complexitybook@gmail.com Not to be reproduced or distributed

### Ciphertext verification security of symmetric encryption schemes

www.scichina.com info.scichina.com www.springerlink.com Ciphertext verification security of symmetric encryption schemes HU ZhenYu 1, SUN FuChun 1 & JIANG JianChun 2 1 National Laboratory of Information

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No. # 11 Block Cipher Standards (DES) (Refer Slide

### Sample or Random Security A Security Model for Segment-Based Visual Cryptography

Sample or Random Security A Security Model for Segment-Based Visual Cryptography Sebastian Pape Dortmund Technical University March 5th, 2014 Financial Cryptography and Data Security 2014 Sebastian Pape

### Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53

Cryptography and Network Security, PART IV: Reviews, Patches, and Theory Timo Karvi 11.2012 Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Key Lengths I The old

### Key Agreement from Close Secrets over Unsecured Channels Winter 2010

Key Agreement from Close Secrets over Unsecured Channels Winter 2010 Andreas Keller Contens 1. Motivation 2. Introduction 3. Building Blocks 4. Protocol Extractor Secure Sketches (MAC) message authentication

### Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

### Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each

### Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm

Error oracle attacks and CBC encryption Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Agenda 1. Introduction 2. CBC mode 3. Error oracles 4. Example 1 5. Example 2 6. Example 3 7. Stream ciphers

### Cryptography. Jonathan Katz, University of Maryland, College Park, MD 20742.

Cryptography Jonathan Katz, University of Maryland, College Park, MD 20742. 1 Introduction Cryptography is a vast subject, addressing problems as diverse as e-cash, remote authentication, fault-tolerant

### Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages:

Designing Hash functions and message authentication codes Reviewing... We have seen how to authenticate messages: Using symmetric encryption, in an heuristic fashion Using public-key encryption in interactive

### Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 8-1 Public Key Cryptography symmetric key crypto v requires sender, receiver know shared secret

### Message Authentication Codes

2 MAC Message Authentication Codes : and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l08, Steve/Courses/2013/s2/css322/lectures/mac.tex,

### Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Outline CSc 466/566 Computer Security 8 : Cryptography Digital Signatures Version: 2012/02/27 16:07:05 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian

### Chapter 7. Message Authentication. 7.1 The setting

Chapter 7 Message Authentication In most people s minds, privacy is the goal most strongly associated to cryptography. But message authentication is arguably even more important. Indeed you may or may

### MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

### Cryptography: Authentication, Blind Signatures, and Digital Cash

Cryptography: Authentication, Blind Signatures, and Digital Cash Rebecca Bellovin 1 Introduction One of the most exciting ideas in cryptography in the past few decades, with the widest array of applications,

### Encryption for Cloud Services Security: Problem or Panacea? @Zulfikar_Ramzan / CTO / www.elastica.net

Encryption for Cloud Services Security: Problem or Panacea? @Zulfikar_Ramzan / CTO / www.elastica.net Tectonic Shift in the Market SaaS On-Premise Many pieces to Buy, Assemble & Operate No visibility /

6.857 Computer and Network Security Fall Term, 1997 Lecture 4 : 16 September 1997 Lecturer: Ron Rivest Scribe: Michelle Goldberg 1 Conditionally Secure Cryptography Conditionally (or computationally) secure

### QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

QUANTUM COMPUTERS AND CRYPTOGRAPHY Mark Zhandry Stanford University Classical Encryption pk m c = E(pk,m) sk m = D(sk,c) m??? Quantum Computing Attack pk m aka Post-quantum Crypto c = E(pk,m) sk m = D(sk,c)

### Secure Deduplication of Encrypted Data without Additional Independent Servers

Secure Deduplication of Encrypted Data without Additional Independent Servers Jian Liu Aalto University jian.liu@aalto.fi N. Asokan Aalto University and University of Helsinki asokan@acm.org Benny Pinkas

### Cryptographic Hash Functions Message Authentication Digital Signatures

Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBC-MAC Digital signatures 2 Encryption/Decryption

### On-Line/Off-Line Digital Signatures

J. Cryptology (996) 9: 35 67 996 International Association for Cryptologic Research On-Line/Off-Line Digital Signatures Shimon Even Computer Science Department, Technion Israel Institute of Technology,

### Cryptography and Network Security

Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 9: Authentication protocols, digital signatures Ion Petre Department of IT, Åbo Akademi University 1 Overview of

### Cryptography Lecture 8. Digital signatures, hash functions

Cryptography Lecture 8 Digital signatures, hash functions A Message Authentication Code is what you get from symmetric cryptography A MAC is used to prevent Eve from creating a new message and inserting

### Block encryption. CS-4920: Lecture 7 Secret key cryptography. Determining the plaintext ciphertext mapping. CS4920-Lecture 7 4/1/2015

CS-4920: Lecture 7 Secret key cryptography Reading Chapter 3 (pp. 59-75, 92-93) Today s Outcomes Discuss block and key length issues related to secret key cryptography Define several terms related to secret

### Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak

Non-Black-Box Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a

### Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database

### Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz June 13, 2006 Abstract We propose simple and efficient CCA-secure public-key encryption schemes

### Authentic Digital Signature Based on Quantum Correlation

Authentic Digital Signature Based on Quantum Correlation Xiao-Jun Wen, Yun Liu School of Electronic Information Engineering, Beijing Jiaotong University, Beijing 00044, China Abstract: An authentic digital

### Network Security. HIT Shimrit Tzur-David

Network Security HIT Shimrit Tzur-David 1 Goals: 2 Network Security Understand principles of network security: cryptography and its many uses beyond confidentiality authentication message integrity key

### Lecture 2: Complexity Theory Review and Interactive Proofs

600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography

### CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 1 January 9, 2012 CPSC 467b, Lecture 1 1/22 Course Overview Symmetric Cryptography CPSC 467b, Lecture 1 2/22 Course Overview CPSC

### CIS433/533 - Computer and Network Security Cryptography

CIS433/533 - Computer and Network Security Cryptography Professor Kevin Butler Winter 2011 Computer and Information Science A historical moment Mary Queen of Scots is being held by Queen Elizabeth and

### The Misuse of RC4 in Microsoft Word and Excel

The Misuse of RC4 in Microsoft Word and Excel Hongjun Wu Institute for Infocomm Research, Singapore hongjun@i2r.a-star.edu.sg Abstract. In this report, we point out a serious security flaw in Microsoft

### Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas El-Qawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.

### Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Network Security Gaurav Naik Gus Anderson, Philadelphia, PA Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14:

### SECURITY ANALYSIS OF A SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS

SECURITY ANALYSIS OF A SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS Abstract: The Single sign-on (SSO) is a new authentication mechanism that enables a legal user with a single credential

### Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Introduction to Cryptography What is cryptography?

### Lecture 2: Universality

CS 710: Complexity Theory 1/21/2010 Lecture 2: Universality Instructor: Dieter van Melkebeek Scribe: Tyson Williams In this lecture, we introduce the notion of a universal machine, develop efficient universal

Content Teaching Academy at James Madison University 1 2 The Battle Field: Computers, LANs & Internetworks 3 Definitions Computer Security - generic name for the collection of tools designed to protect

### RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.