Ciphertext verification security of symmetric encryption schemes


info.scichina.com

HU ZhenYu 1, SUN FuChun 1 & JIANG JianChun 2

1 National Laboratory of Information Science and Technology, Department of Computer Science and Technology, Tsinghua University, Beijing, China; 2 Institute of Software, Chinese Academy of Sciences, Beijing, China

Received July 16, 2008; accepted January 15, 2009. Corresponding author: Hu. Supported by the National Basic Research Program of China (Grant No. G2002cb312205). Citation: Hu Z Y, Sun F C, Jiang J C. Ciphertext verification security of symmetric encryption schemes. Sci China Ser F-Inf Sci, 2009, 52(9), doi: /s x

Abstract. This paper formally discusses the security problem caused by ciphertext verification, presenting a new security notion named IND-CVA (indistinguishability under ciphertext verification attacks) to characterize the privacy of encryption schemes in this situation. Allowing the adversary to access both the encryption oracle and the ciphertext verification oracle, the new notion IND-CVA is slightly stronger than IND-CPA (indistinguishability under chosen-plaintext attacks) but much weaker than IND-CCA (indistinguishability under chosen-ciphertext attacks), and can be satisfied by most of the popular symmetric encryption schemes such as OTP (one-time pad), CBC (cipher block chaining) and CTR (counter). A MAC (message authentication scheme) is usually combined with an encryption scheme to guarantee secure communication (e.g. SSH, SSL and IPSec). However, with the notion of IND-CVA, this paper shows that a secure MAC can spoil the privacy in some cases.

Keywords: encryption, privacy, integrity, reaction attack, IND-CPA, IND-CCA

1 Introduction

1.1 Background and related works

CPA (chosen plaintext attacks) security and CCA (chosen ciphertext attacks) security are the two most important security measurements for encryption schemes. CPA security allows an adversary to access the encryption oracle and is the basic requirement for an encryption scheme in practice. However, CPA security is not strong enough when it is used to guarantee the secrecy of data transferred across the Internet in terms of a secure channel. One of the typical examples is that, though the composite scheme MAC-then-Encrypt preserves the CPA security of the underlying encryption scheme, it may not be secure in the face of a reaction attack [1]. CCA security is stronger than CPA security: besides the encryption oracle, it allows the adversary to access the decryption oracle, with the only restriction that the adversary is prohibited from querying the challenge ciphertext returned by the encryption oracle. While CCA security can be used to guarantee the privacy of data transferred across the Internet, it is the strongest notion of privacy and is too strong for the typical secure composite scheme Encrypt-then-MAC to generically satisfy. Moreover, CCA security is not robust enough. If we modify a CCA-secure encryption scheme harmlessly (e.g. a useless bit
is appended to the ciphertext), it may not be CCA-secure any more. Considering the insufficiency of CPA security and the unnecessary strength of CCA security when characterizing the privacy requirements of a secure channel, it is not trivial to develop a new security notion that is stronger than CPA security but weaker than CCA security, and that fills the gap between them.

Reaction attacks were first introduced by Hall et al. [2]; they work by modifying a sender's ciphertexts and observing the receiver's response. In this kind of attack, an attacker presents the owner of the private key with a ciphertext that may contain one or more errors that can be detected during decryption (that is, the ciphertext may decrypt to a plaintext which fails a simple signature or checksum verification). By watching the reaction of the owner in order to determine whether or not the ciphertext decrypted correctly, the attacker can usually determine information about the plaintext or the private key. Different from the case of chosen plaintext attacks and chosen ciphertext attacks, when a receiver verifies a ciphertext, it provides the adversary with information about whether the received ciphertext is valid. In fact, it is the integrity verification that may disclose valuable information about the plaintext in the case of reaction attacks. So, integrity verification should be taken as a special attack tool that an adversary can use to compromise the privacy of an encryption scheme, and a corresponding security notion should be introduced to capture security under this type of attack.

With the spreading use of networks, data integrity and authentication are getting more and more attention, and much work has been done to strengthen the secrecy of communication with a MAC or signature. While the combination of authentication (or signature) and encryption may enhance privacy in some cases (e.g. Encrypt-then-MAC), can it possibly compromise privacy in other cases? We give this problem a formal investigation.

1.2 Our contributions

We formally discuss the security problem of encryption caused by ciphertext verification, presenting a new security notion named IND-CVA to model the reaction attack. The new notion IND-CVA is slightly stronger than IND-CPA but much weaker than IND-CCA. Most popular symmetric encryption schemes, such as OTP, CBC and CTR, are secure in the sense of IND-CVA, though they are neither NM-CPA (non-malleability under chosen-plaintext attacks) nor IND-CCA secure. We investigate the relationship between the new notion IND-CVA and the conventional notions IND-CPA, IND-CCA and NM-CPA, showing that IND-CVA fills the gap between IND-CPA and IND-CCA. With the notion IND-CVA, we show how a secure MAC compromises the privacy of MAC-then-Encrypt. Moreover, we find that IND-CVA captures the exact (both sufficient and necessary) privacy requirements of a secure channel, while INT-PTXT captures the exact integrity requirements. IND-CVA reveals the negative influence of integrity verification on privacy, providing a practicable reference for protocol designers.

1.3 Comparison with related works

Comparison with IND-gCCA security. An et al. [3] generalized the CCA attack with respect to some equivalence relation $R(\cdot,\cdot)$ on ciphertexts. The relation $R$ is defined as part of the encryption scheme and may depend on the public key $pk$, but must have the following property: if $R(C_1, C_2) = \mathrm{true}$ then $D(C_1) = D(C_2)$. Such an $R$ is called decryption-respecting. The adversary $A$ is now forbidden to ask any $C$ equivalent to the challenge ciphertext $C^*$, i.e. any $C$ with $R(C, C^*) = \mathrm{true}$. An encryption scheme is secure against generalized CCA (or gCCA) if there exists some efficient decryption-respecting relation $R$ with respect to which it is CCA-secure.
Though gCCA-security may be sufficient for all applications where chosen ciphertext security matters, it is probably still a slight overkill in terms of a necessary and sufficient formalization of secure encryption from the application point of view. We would say that gCCA-security is still overly strong, since in network channel environments an adversary may not be able to access the decryption oracle [4-6]. Indeed, gCCA-security tries to relax the notion of CCA-security to the minimum extent possible, just to avoid the syntactic (robustness) problems of CCA-security. Contrary to gCCA-security, our CVA-security tries to tighten the notion of CPA-security to the minimum extent possible. As discussed in section 4, CVA-security is just slightly stronger than CPA-security whereas much weaker than gCCA-security or CCA-security. In particular, we are saying that CVA-security seems both sufficient and necessary for implementing secure channels, and more applicable for studying generic properties of secure encryption.

Comparison with loose CUF security. To solve the syntactic issue of CCA-security, Krawczyk [1] presented a notion of loose CUF. Like the notion of gCCA-security, a decryption-respecting relation $\rho$ is proposed: if $C$ and $C'$ are two valid ciphertexts computed under the encryption function $E_K(\cdot)$ for some key $K$, and $\rho(C, C')$ holds, then $C$ and $C'$ decrypt to the same plaintext under $K$. An encryption scheme $SE$ is CUF$_\rho$-CPA (loose ciphertext unforgeability under chosen plaintext attacks) secure if for any valid ciphertext $C$ that a ciphertext forger $F$ can feasibly produce there exists a ciphertext $C'$ output by the encryption oracle under one of $F$'s queries such that $\rho(C, C')$. Note that valid ciphertexts produced by a loose CUF attacker always decrypt to plaintexts already queried to the encryption oracle, and it is easy to determine which of the queried plaintexts they decrypt to. So we think loose CUF security has no significant difference from INT-PTXT (integrity of plaintext) security. Moreover, while loose CUF limits the ciphertext forgeries allowed to the attacker to ones that decrypt to previously queried plaintexts, the example attacker against the MtE scheme discussed in section 5 is able to break the security of channels without ever producing a valid ciphertext, which shows that loose CUF is insufficient for guaranteeing secure channels.

Comparison with CCVA security.
To characterize the privacy of a secure channel, Namprempre [7] proposed a new notion, IND-CCVA (indistinguishability under chosen-ciphertext attacks with verification). In the sense of IND-CCVA security, an adversary is given access to an encryption oracle $E_K(\cdot)$ and a special decryption oracle $D_K(\cdot, M_b)$. Let $b \in \{0,1\}$; the oracle $D_K(\cdot, M_b)$ records the secret message $M_b$ that was randomly chosen from the message pair $(M_0, M_1)$ when the adversary queried for the challenge ciphertext. This oracle is the same as the standard decryption oracle $D_K(\cdot)$ except for the following: if a given ciphertext decrypts to $M_b$ (i.e. the challenge message chosen by the encryption oracle to produce the challenge ciphertext), then the oracle $D_K(\cdot, M_b)$ returns a special symbol $\pm$; otherwise, it returns the decrypted message. As discussed by Namprempre, the IND-CCVA security so defined is so strong that an IND-CCA secure scheme may not be IND-CCVA secure.

Besides the encryption oracle $E_K(\cdot)$ and the decryption oracle $D_K(\cdot)$, an IND-CCVA adversary needs access to a third oracle, $D_K(\cdot, M_b)$. The oracle $D_K(\cdot, M_b)$ behaves exactly the same as the standard decryption oracle $D_K(\cdot)$, except when the given ciphertext decrypts to $M_b$; at this point, the oracle $D_K(\cdot, M_b)$ returns the special symbol $\pm$. Notice that, when the special symbol $\pm$ is returned by the oracle $D_K(C, M_b)$, it indicates to the adversary that the plaintext corresponding to the ciphertext $C$ is the same as that of the challenge ciphertext $C^*$. If $C = C^*$, nothing more is provided to the adversary than the indication that the queried ciphertext is the challenge ciphertext itself. However, if $C \neq C^*$, it reveals more information than CCA does (recall that CCA attackers are not allowed to query the decryption oracle on the challenge ciphertext itself): the response $\pm$ helps the adversary confirm a decryption equivalence relation, as used in non-malleability security.

Considering CCA attacks, the attacker is allowed to query the decryption oracle with an arbitrary ciphertext $C$ ($\neq C^*$), and is returned the correct plaintext even if the corresponding plaintext is the challenge plaintext $M_b$. We argue that even if the corresponding plaintext is the challenge plaintext $M_b$, the returned value of $D_K(C)$ does not disclose any information about the challenge plaintext, because $D_K(C)$ just honestly tells what the corresponding plaintext is, rather than whether or not it is the challenge plaintext. For the adversary, when he receives the response of $D_K(C)$ (where $C \neq C^*$), he would say in surprise: "Oh! It is one of the plaintexts that I chose for the challenge." Then he will find, to his disappointment, that this is worthless, because an encryption algorithm is always randomized or stateful, and any deterministic or stateless scheme is not secure in the IND-CPA sense [8]. From this point, we say that IND-CCVA is even stronger than IND-CCA.

1.4 Outline of this paper

The remainder of this paper is organized as follows. Section 2 presents some preliminaries, including the traditional security notions of symmetric encryption schemes. Section 3 introduces the new security notion IND-CVA and gives some familiar examples of IND-CVA secure schemes. Section 4 discusses the relationship between the new notion IND-CVA and the traditional ones, showing that, as a new criterion to measure the privacy of encryption schemes, it fills the gap between IND-CPA and IND-CCA. Section 5 investigates the application impacts of IND-CVA. Section 6 concludes our work.

2 Preliminary definitions

2.1 Notations

Throughout this paper, we use the symbol $|x|$ to denote the bit length of $x$, and $x \| y$ the concatenation of $x$ and $y$. The symbol $\oplus$ denotes the bitwise exclusive-or operation. If $n$ is a positive integer, then $\{0,1\}^n$ denotes the set of $n$-bit binary strings (we also use $\{0,1\}^*$ to denote the set of binary strings of no fixed length). If $f$ is a randomized (resp., deterministic) algorithm, then $x \stackrel{R}{\leftarrow} f(y)$ (resp., $x \leftarrow f(y)$) denotes the process of running $f$ on input $y$ and assigning the result to $x$. If $S$ is a set, then $x \stackrel{R}{\leftarrow} S$ denotes that $x$ is chosen at random from $S$. Furthermore, if $A$ is an adversary, then $A \Leftarrow x$ denotes the process of an oracle answering $A$ with $x$ after $A$ queries the oracle.
2.2 Syntax and security of message authentication schemes

A message authentication scheme $MA = (\mathcal{K}, T, V)$ consists of three algorithms. The randomized key generation algorithm $\mathcal{K}$ takes as input a security parameter $k \in \mathbb{N}$ and returns a key $K$ (we write $K \stackrel{R}{\leftarrow} \mathcal{K}(k)$). The tagging algorithm $T$, which may be either randomized or stateful, takes the key $K$ and a message $M$ and returns a tag $\sigma$ (we write $\sigma \stackrel{R}{\leftarrow} T_K(M)$). The verification algorithm $V$ is deterministic and takes the key $K$, a message $M$ and a candidate tag $\sigma$ for $M$, and returns a bit $v$ (we write $v \leftarrow V_K(M, \sigma)$). We require that $V_K(M, T_K(M)) = 1$ for all $M \in \{0,1\}^*$. A message authentication scheme is sometimes called a MAC, and sometimes the tag $\sigma$ itself is called a MAC.

To measure the security of a MAC, an adversary $F$ is allowed access to the tagging oracle $T_K(\cdot)$ and the verifying oracle $V_K(\cdot,\cdot)$, and its goal is to make the verifying oracle $V_K(\cdot,\cdot)$ accept a pair $(M, \sigma)$ that was not legitimately produced (i.e. the pair is a forgery). If the message $M$ is new, meaning $F$ never queried $M$ to its tagging oracle, the forgery is called a weak forgery. Otherwise, even if the message is not new, as long as the tag is new, the forgery is called a strong forgery. A strong forgery means that the adversary wins as long as $\sigma$ was never returned by the tagging oracle in response to query $M$.

Definition 1 (Security of a message authentication scheme [9]). Let $MA = (\mathcal{K}, T, V)$ be a message authentication scheme. Let $k \in \mathbb{N}$, and let $F_W$ and $F_S$ be adversaries that can access two oracles. Consider the following experiments:

$\mathrm{Exp}^{\mathrm{wuf\text{-}cma}}_{MA, F_W}(k)$:
  $K \stackrel{R}{\leftarrow} \mathcal{K}(k)$.
  If $F_W^{T_K(\cdot), V_K(\cdot,\cdot)}$ makes a query $(M, \sigma)$ to the oracle $V_K(\cdot,\cdot)$ such that $V_K(M, \sigma)$ returns 1, and $M$ was never queried to the oracle $T_K(\cdot)$, then return 1, else return 0.

$\mathrm{Exp}^{\mathrm{suf\text{-}cma}}_{MA, F_S}(k)$:
  $K \stackrel{R}{\leftarrow} \mathcal{K}(k)$.
  If $F_S^{T_K(\cdot), V_K(\cdot,\cdot)}$ makes a query $(M, \sigma)$ to the oracle $V_K(\cdot,\cdot)$ such that $V_K(M, \sigma)$ returns 1, and $\sigma$ was never returned by the oracle $T_K(\cdot)$ in response to query $M$, then return 1, else return 0.

We define the advantages of the forgers via

$\mathrm{Adv}^{\mathrm{wuf\text{-}cma}}_{MA, F_W}(k) = \Pr[\mathrm{Exp}^{\mathrm{wuf\text{-}cma}}_{MA, F_W}(k) = 1]$,
$\mathrm{Adv}^{\mathrm{suf\text{-}cma}}_{MA, F_S}(k) = \Pr[\mathrm{Exp}^{\mathrm{suf\text{-}cma}}_{MA, F_S}(k) = 1]$.

We define the advantage functions of the scheme as follows. For any integers $t, q_t, q_v, u_t, u_v$,

$\mathrm{Adv}^{\mathrm{wuf\text{-}cma}}_{MA}(k, t, q_t, q_v, u_t, u_v) = \max_{F_W} \{\mathrm{Adv}^{\mathrm{wuf\text{-}cma}}_{MA, F_W}(k)\}$,
$\mathrm{Adv}^{\mathrm{suf\text{-}cma}}_{MA}(k, t, q_t, q_v, u_t, u_v) = \max_{F_S} \{\mathrm{Adv}^{\mathrm{suf\text{-}cma}}_{MA, F_S}(k)\}$,

where the maximum is over all $F_W$, $F_S$ with time complexity $t$, making at most $q_t$ oracle queries to $T_K(\cdot)$ the sum of whose lengths is at most $u_t$ bits, and making at most $q_v$ oracle queries to $V_K(\cdot,\cdot)$ the sum of whose lengths is at most $u_v$ bits. The scheme $MA$ is said to be WUF-CMA (weak unforgeability under chosen-message attacks) secure, resp. SUF-CMA (strong unforgeability under chosen-message attacks) secure, if the function $\mathrm{Adv}^{\mathrm{wuf\text{-}cma}}_{MA, F_W}(k)$, resp. $\mathrm{Adv}^{\mathrm{suf\text{-}cma}}_{MA, F_S}(k)$, is negligible for any forger $F$ whose time complexity is polynomial in $k$.

2.3 Syntax and security of symmetric encryption schemes

A symmetric encryption scheme $SE = (\mathcal{K}, E, D)$ consists of three algorithms. The randomized key generation algorithm $\mathcal{K}$ takes as input a security parameter $k \in \mathbb{N}$ and returns a key $K$ (we write $K \stackrel{R}{\leftarrow} \mathcal{K}(k)$). The encryption algorithm $E$, which may be randomized or stateful, takes the key $K$ and a plaintext $M$ and returns a ciphertext $C$ (we write $C \stackrel{R}{\leftarrow} E_K(M)$). The decryption algorithm $D$ is deterministic and stateless, and takes the key $K$ and a string $C$ to return either the corresponding plaintext $M$ or the invalid symbol $\bot$ (we write $x \leftarrow D_K(C)$ where $x \in \{0,1\}^* \cup \{\bot\}$). We require that $D_K(E_K(M)) = M$ for all $M \in \{0,1\}^*$.

Privacy of symmetric encryption schemes. The privacy of an encryption scheme is measured by indistinguishability via the left-or-right model of ref. [10].
The left-or-right encryption oracle $E_K(\mathrm{LR}(\cdot,\cdot,b))$, where $b \in \{0,1\}$, is defined to take input $(x_0, x_1)$, compute $C \leftarrow E_K(x_b)$ and return $C$ (if $E$ is randomized, the oracle picks any coins that $E$ might need, and if $E$ is stateful then it updates its state appropriately). The adversary is allowed to query the oracle $E_K(\mathrm{LR}(\cdot,\cdot,b))$ with a pair $(x_0, x_1)$ of its choice consisting of two equal-length messages, and gets the oracle's response. Its goal is to guess the challenge bit $b$ chosen at random by the oracle. An encryption scheme is IND-CPA (indistinguishability under chosen-plaintext attacks) secure if a reasonable adversary cannot obtain a significant advantage in distinguishing the cases $b = 0$ and $b = 1$ given access to the oracle. To model IND-CCA (indistinguishability under chosen-ciphertext attacks), the adversary is also allowed to access the decryption oracle, with the only restriction that it cannot query the decryption oracle on a ciphertext output by the left-or-right encryption oracle.

Definition 2 (Indistinguishability of a symmetric encryption scheme [9]). Let $SE = (\mathcal{K}, E, D)$ be a symmetric encryption scheme. Let $b \in \{0,1\}$, $k \in \mathbb{N}$. Let $A_{cpa}$ be an adversary that can access one oracle and let $A_{cca}$ be an adversary that can access two oracles. Consider the following experiments:

$\mathrm{Exp}^{\mathrm{ind\text{-}cpa\text{-}}b}_{SE, A_{cpa}}(k)$:
  $K \stackrel{R}{\leftarrow} \mathcal{K}(k)$.
  $b' \leftarrow A_{cpa}^{E_K(\mathrm{LR}(\cdot,\cdot,b))}(k)$.
  Return $b'$.

$\mathrm{Exp}^{\mathrm{ind\text{-}cca\text{-}}b}_{SE, A_{cca}}(k)$:
  $K \stackrel{R}{\leftarrow} \mathcal{K}(k)$.
  $b' \leftarrow A_{cca}^{E_K(\mathrm{LR}(\cdot,\cdot,b)),\, D_K(\cdot)}(k)$.
  Return $b'$.

Above it is mandated that $A_{cca}$ never queries $D_K(\cdot)$ on a ciphertext $C$ output by the $E_K(\mathrm{LR}(\cdot,\cdot,b))$ oracle, and that the two messages queried of $E_K(\mathrm{LR}(\cdot,\cdot,b))$ always have equal length. We define the advantages of the adversaries via

$\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{SE, A_{cpa}}(k) = \Pr[\mathrm{Exp}^{\mathrm{ind\text{-}cpa\text{-}1}}_{SE, A_{cpa}}(k) = 1] - \Pr[\mathrm{Exp}^{\mathrm{ind\text{-}cpa\text{-}0}}_{SE, A_{cpa}}(k) = 1]$,
$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{SE, A_{cca}}(k) = \Pr[\mathrm{Exp}^{\mathrm{ind\text{-}cca\text{-}1}}_{SE, A_{cca}}(k) = 1] - \Pr[\mathrm{Exp}^{\mathrm{ind\text{-}cca\text{-}0}}_{SE, A_{cca}}(k) = 1]$.

We define the advantage functions of the scheme as follows. For any integers $t, q_e, q_d, u_e, u_d$,

$\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{SE}(k, t, q_e, u_e) = \max_{A_{cpa}} \{\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{SE, A_{cpa}}(k)\}$,
$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{SE}(k, t, q_e, q_d, u_e, u_d) = \max_{A_{cca}} \{\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{SE, A_{cca}}(k)\}$,

where the maximum is over all $A_{cpa}$, $A_{cca}$ with time complexity $t$, each making at most $q_e$ queries to the oracle $E_K(\mathrm{LR}(\cdot,\cdot,b))$ the sum of whose lengths is at most $u_e$ bits, and, in the case of $A_{cca}$, also making at most $q_d$ queries to the oracle $D_K(\cdot)$ the sum of whose lengths is at most $u_d$ bits. The scheme $SE$ is said to be IND-CPA (indistinguishability under chosen-plaintext attacks) secure, resp. IND-CCA (indistinguishability under chosen-ciphertext attacks) secure, if the function $\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{SE, A}(k)$, resp. $\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{SE, A}(k)$, is negligible for any adversary $A$ whose time complexity is polynomial in $k$.

Integrity of symmetric encryption schemes. To characterize the integrity (authenticity) of an encryption scheme $SE = (\mathcal{K}, E, D)$, an algorithm $D^*_K(\cdot)$, called the ciphertext verification algorithm or ciphertext verification oracle, is defined as follows [9]:

$D^*_K(C)$:
  If $D_K(C) \neq \bot$ then return 1,
  Else return 0.

Similar to the security definition of a MAC, the adversary is allowed access to the encryption oracle $E_K(\cdot)$ and the ciphertext verification oracle $D^*_K(\cdot)$. Its goal is to make the verification oracle accept a ciphertext that was not legitimately produced (i.e. a forgery). If the corresponding plaintext was never queried of the encryption oracle, we call the forgery a plaintext forgery. A scheme in which it is computationally infeasible for the adversary to achieve this type of forgery is said to preserve the integrity of plaintexts. If the ciphertext was never returned by the encryption oracle, even if the corresponding plaintext was queried of the encryption oracle, then we call the forgery a ciphertext forgery. A scheme in which it is computationally infeasible for the adversary to achieve this type of success is said to preserve the integrity of ciphertexts.

Definition 3 (Integrity of a symmetric encryption scheme [9]). Let $SE = (\mathcal{K}, E, D)$ be a symmetric encryption scheme. Let $k \in \mathbb{N}$. Let $A_{ptxt}$ and $A_{ctxt}$ be adversaries that can access two oracles. Consider the following experiments:

$\mathrm{Exp}^{\mathrm{int\text{-}ptxt}}_{SE, A_{ptxt}}(k)$:
  $K \stackrel{R}{\leftarrow} \mathcal{K}(k)$.
  If $A_{ptxt}^{E_K(\cdot),\, D^*_K(\cdot)}(k)$ makes a query $C$ to the oracle $D^*_K(\cdot)$ such that $D^*_K(C)$ returns 1, and $D_K(C)$ was never queried to the oracle $E_K(\cdot)$, then return 1, else return 0.

$\mathrm{Exp}^{\mathrm{int\text{-}ctxt}}_{SE, A_{ctxt}}(k)$:
  $K \stackrel{R}{\leftarrow} \mathcal{K}(k)$.
  If $A_{ctxt}^{E_K(\cdot),\, D^*_K(\cdot)}(k)$ makes a query $C$ to the oracle $D^*_K(\cdot)$ such that $D^*_K(C)$ returns 1, and $C$ was never a response of $E_K(\cdot)$, then return 1, else return 0.

We define the advantages of the adversaries via

$\mathrm{Adv}^{\mathrm{int\text{-}ptxt}}_{SE, A_{ptxt}}(k) = \Pr[\mathrm{Exp}^{\mathrm{int\text{-}ptxt}}_{SE, A_{ptxt}}(k) = 1]$,
$\mathrm{Adv}^{\mathrm{int\text{-}ctxt}}_{SE, A_{ctxt}}(k) = \Pr[\mathrm{Exp}^{\mathrm{int\text{-}ctxt}}_{SE, A_{ctxt}}(k) = 1]$.

We define the advantage functions of the scheme as follows. For any integers $t, q_e, q_d, u_e, u_d$,

$\mathrm{Adv}^{\mathrm{int\text{-}ptxt}}_{SE}(k, t, q_e, q_d, u_e, u_d) = \max_{A_{ptxt}} \{\mathrm{Adv}^{\mathrm{int\text{-}ptxt}}_{SE, A_{ptxt}}(k)\}$,
$\mathrm{Adv}^{\mathrm{int\text{-}ctxt}}_{SE}(k, t, q_e, q_d, u_e, u_d) = \max_{A_{ctxt}} \{\mathrm{Adv}^{\mathrm{int\text{-}ctxt}}_{SE, A_{ctxt}}(k)\}$,

where the maximum is over all $A_{ptxt}$, $A_{ctxt}$ with time complexity $t$, each making at most $q_e$ queries to the oracle $E_K(\cdot)$ the sum of whose lengths is at most $u_e$ bits, and at most $q_d$ queries to the oracle $D^*_K(\cdot)$ the sum of whose lengths is at most $u_d$ bits. The scheme $SE$ is said to be INT-PTXT (integrity of plaintext) secure, resp. INT-CTXT (integrity of ciphertext) secure, if the function $\mathrm{Adv}^{\mathrm{int\text{-}ptxt}}_{SE, A}(k)$, resp. $\mathrm{Adv}^{\mathrm{int\text{-}ctxt}}_{SE, A}(k)$, is negligible for any adversary $A$ whose time complexity is polynomial in $k$.
We notice that, while the verification algorithm or verification oracle $D^*_K(C)$ is meant to characterize the ability of an adversary to forge a legitimate ciphertext, it provides the adversary with another ability: to know whether a doctored ciphertext is valid. Different from CPA and CCA, it is just this simple Yes or No answer that may disclose sensitive information about the challenge plaintext. We introduce a new security notion, IND-CVA (indistinguishability of an encryption scheme under ciphertext verification attacks), to describe the privacy of an encryption scheme in this situation.

3 The definition of IND-CVA security

3.1 Definition of IND-CVA security

Like CPA-security and CCA-security, we measure CVA-security via the left-or-right model of ref. [10], too. The left-or-right encryption oracle $E_K(\mathrm{LR}(\cdot,\cdot,b))$ and the goal of the adversary are defined as for CPA-security. To model ciphertext-verification attacks we allow the adversary to access the ciphertext-verification oracle $D^*_K(\cdot)$ besides the encryption oracle $E_K(\cdot)$. The detailed definition of CVA-security is as follows.

Definition 4 (IND-CVA, indistinguishability of a symmetric encryption scheme under ciphertext-verification attacks). Let $SE = (\mathcal{K}, E, D)$ be a symmetric encryption scheme. Let $b \in \{0,1\}$, $k \in \mathbb{N}$. Let $A_{cva}$ be an adversary that can access the encryption oracle $E_K(\mathrm{LR}(\cdot,\cdot,b))$ and the ciphertext verification oracle $D^*_K(\cdot)$. Consider the following experiment:

$\mathrm{Exp}^{\mathrm{ind\text{-}cva\text{-}}b}_{SE, A_{cva}}(k)$:
  $K \stackrel{R}{\leftarrow} \mathcal{K}(k)$.
  $b' \leftarrow A_{cva}^{E_K(\mathrm{LR}(\cdot,\cdot,b)),\, D^*_K(\cdot)}(k)$, where $b'$ is a bit.
  Return $b'$.

Above it is mandated that the two messages queried of $E_K(\mathrm{LR}(\cdot,\cdot,b))$ always have equal length. We define the advantage of the adversary $A_{cva}$ via

$\mathrm{Adv}^{\mathrm{ind\text{-}cva}}_{SE, A_{cva}}(k) = \Pr[\mathrm{Exp}^{\mathrm{ind\text{-}cva\text{-}1}}_{SE, A_{cva}}(k) = 1] - \Pr[\mathrm{Exp}^{\mathrm{ind\text{-}cva\text{-}0}}_{SE, A_{cva}}(k) = 1]$.

We define the advantage function of the scheme as follows. For any integers $t, q_e, q_v, u_e, u_v$,

$\mathrm{Adv}^{\mathrm{ind\text{-}cva}}_{SE}(k, t, q_e, q_v, u_e, u_v) = \max_{A_{cva}} \{\mathrm{Adv}^{\mathrm{ind\text{-}cva}}_{SE, A_{cva}}(k)\}$,

where the maximum is over all $A_{cva}$ with time complexity $t$, each making at most $q_e$ queries to the $E_K(\mathrm{LR}(\cdot,\cdot,b))$ oracle the sum of whose lengths is at most $u_e$ bits, and at most $q_v$ queries to the $D^*_K(\cdot)$ oracle the sum of whose lengths is at most $u_v$ bits.
The scheme $SE$ is said to be IND-CVA secure if the function $\mathrm{Adv}^{\mathrm{ind\text{-}cva}}_{SE, A_{cva}}(k)$ is negligible for any adversary $A_{cva}$ whose time complexity is polynomial in $k$.

Compared with the reaction attack, we allow the CVA adversary to access the encryption oracle as well as the ciphertext verification oracle. There are two reasons for allowing the adversary access to the encryption oracle. One is to facilitate the description of the relationship with other notions. The other is that accessing the encryption oracle is easy for an adversary, especially in a public environment. So we take it for granted.

3.2 Examples of CVA-secure encryption schemes

Example 1 (OTP mode scheme [1,8]). Let $F : \{0,1\}^l \to \{0,1\}^{l'}$ be a family of functions with domain $\{0,1\}^l$ and range $\{0,1\}^{l'}$, where $l$ and $l'$ are positive integers. We define the encryption scheme $\mathrm{OTP}(F)$ to work on messages of length at most $l'$ as follows. A key in the encryption scheme is a description of a member $f$ of the family $F$. The OTP encryption under $f$ of plaintext $M$ is performed by choosing $r \in \{0,1\}^l$ and computing $c = f(r) \oplus M$, where $f(r)$ is truncated to the length of $M$. The ciphertext is the pair $(r, c)$. Decryption works in the obvious way. If $F$ is the set of all functions with the above domain and range and $f$ is chosen at random from this family, we get perfect secrecy against chosen-plaintext attacks as long as there are no repetitions in the values $r$ chosen by the encryptor (after encrypting $q$ different messages a repetition happens with probability $q^2/2^l$). If $F$ is a family of pseudorandom functions then the same security is achieved but in a computational sense, i.e., up to the indistinguishability distance between the pseudorandom family and a truly random function.

We now inspect the security of $\mathrm{OTP}(F)$ in the sense of IND-CVA security. Notice that, for any $r' \in \{0,1\}^l$ and $c' \in \{0,1\}^{l'}$, if we let $m' = f(r') \oplus c'$ then $m' \in \{0,1\}^{l'}$; that is, $(r', c')$ is a valid ciphertext, so the ciphertext verification oracle always returns 1 and tells nothing about the corresponding plaintext. In other words, the verification oracle cannot provide any help to the adversary. So $\mathrm{OTP}(F)$ is IND-CVA secure if $F$ is a family of pseudorandom functions.

Example 2 (CBC mode scheme [1,8]). Let $F$ be a family of permutations over $\{0,1\}^l$ where $l$ is a positive integer. We define the encryption scheme $\mathrm{CBC}(F)$ to work on messages whose length is a multiple of $l$. A key in the encryption scheme is a description of a member $f$ of the family $F$. The CBC encryption under $f$ of plaintext $x$ is performed by partitioning $x$ into blocks $x[1], \ldots, x[p]$ of length $l$ each, then choosing $r \in \{0,1\}^l$ (called the initial vector, IV) and computing the ciphertext $c = c[0], c[1], \ldots, c[p]$ as $c[0] = r$, $c[i] = f(c[i-1] \oplus x[i])$, $i = 1, \ldots, p$. Decryption works in the obvious inverse way. It has been proved that if $F$ is the set of all permutations over $\{0,1\}^l$ and $f$ is chosen at random from $F$ then $\mathrm{CBC}(F)$ is IND-CPA secure [8].

If $F$ is the set of all permutations over $\{0,1\}^l$, then for any $f$ chosen at random from $F$, $\mathrm{CBC}(F)$ is a permutation over $\{0,1\}^{nl}$, where $n \,(> 1)$ is a positive integer. For any string $c$ of length $nl$ ($n > 1$), the decryption of $c$ does not return the invalid symbol. That is, every query to the verification oracle returns 1, which tells nothing about the corresponding plaintexts. So if $F$ is the set of all permutations over $\{0,1\}^l$ and $f$ is chosen at random from $F$ then $\mathrm{CBC}(F)$ is IND-CVA secure.

Example 3 (CTR mode scheme [8]). Let $l$ and $L$ be positive integers, and $F : \{0,1\}^l \to \{0,1\}^L$ a function family (not necessarily a family of permutations). We define the encryption scheme $\mathrm{CTR}(F)$ to work on messages whose length is a multiple of $l$. A key in the encryption scheme is a description of a member $f$ of the family $F$. The R-CTR (randomized counter) mode encryption under $f$ of plaintext $x$ is performed by partitioning $x$ into blocks $x[1], \ldots, x[p]$ of length $l$ each, then choosing $r \in \{0,1\}^l$ (called the IV) and computing the ciphertext $c = c[0], c[1], \ldots, c[p]$ as $c[0] = r$, $c[i] = f(r + i) \oplus x[i]$, $i = 1, \ldots, p$. Decryption works in the obvious way. The C-CTR (counter-based counter) mode maintains a counter $ctr$, initially zero, instead of the random string $r$. When encrypting blocks $x[1], \ldots, x[p]$ of length $l$ each, it computes the ciphertext $c = c[0], c[1], \ldots, c[p]$ as $c[0] = ctr$, $c[i] = f(ctr + i) \oplus x[i]$ ($i = 1, \ldots, p$), $ctr = ctr + i$. It has been proved that if $F$ is a set of pseudorandom functions over $\{0,1\}^l$ and $f$ is chosen at random from $F$ then $\mathrm{CTR}(F)$ (R-CTR or C-CTR) is IND-CPA secure [8].

Notice that, by the construction of CTR mode, $\mathrm{CTR}(F)$ (R-CTR or C-CTR) is an onto function. For any ciphertext of length $nl$ (where $n > 1$ is a positive integer and $L$ is the block length), there is a corresponding plaintext, if there is no integrity verification. That is, every query to the verification oracle returns 1, which tells nothing about the corresponding plaintexts. So if $F$ is a set of pseudorandom functions over $\{0,1\}^l$ and $f$ is chosen at random from $F$ then $\mathrm{CTR}(F)$ (R-CTR or C-CTR) is IND-CVA secure.

4 Relation to other notions

The notion IND-CVA is presented to depict the adversary who has access to the ciphertext verification oracle, and to characterize the reaction attack. It is interesting to compare IND-CVA with other popular security notions. We use the notation $A \Rightarrow B$ to denote that the security notion $A$ implies the security notion $B$, and $A \not\Rightarrow B$ that the security notion $A$ does not imply the security notion $B$. When we claim that $A \Rightarrow B$, we give a formal proof, whereas when we claim that $A \not\Rightarrow B$, we present a counterexample.

Theorem 1 (IND-CCA $\Rightarrow$ IND-CVA). For any symmetric encryption scheme $SE = (\mathcal{K}, E, D)$, if it is IND-CCA secure, it is also IND-CVA secure.

An IND-CCA attacker is more powerful than an IND-CVA attacker.
For any ciphertext, an IND-CCA attacker knows not only whether it is valid, but also its corresponding plaintext. So, if an adversary who can only access the ciphertext verification oracle breaks the security, it can also break the security if it is given more power to access the decryption oracle. So Theorem 1 holds obviously. Notice that Theorem 1 also holds for the generalized chosen-ciphertext attack (IND-gCCA) [3].

Theorem 2 (IND-CVA $\not\Rightarrow$ NM-CPA). For any symmetric encryption scheme $SE = (\mathcal{K}, E, D)$ which is IND-CVA secure, we can construct a symmetric encryption scheme $SE' = (\mathcal{K}, E', D')$ which is also IND-CVA secure but is not NM-CPA secure.

Proof of Theorem 2. The scheme $SE' = (\mathcal{K}, E', D')$ is constructed as follows:

$E'_K(M)$:
  $C' \leftarrow E_K(M)$,
  $C \leftarrow 0 \| C'$ where 0 is a single bit,
  Return $C$.

$D'_K(C)$:
  Parse $C$ as $b \| C'$ where $b$ is a bit,
  $M \leftarrow D_K(C')$,
  Return $M$.

It is obvious that an adversary can flip the first bit of the challenge ciphertext $C$ to get a new ciphertext that corresponds to the same challenge plaintext $m_b$. We claim that $SE' = (\mathcal{K}, E', D')$ preserves the IND-CVA security of the original scheme $SE = (\mathcal{K}, E, D)$. According to the notion of the verification oracle, the verification oracle $D'^*_K(C)$ returns whatever the corresponding $D^*_K(C')$ returns. That is, both verification oracles provide identical information about the challenge message. If the original scheme $SE = (\mathcal{K}, E, D)$ is IND-CVA secure, so is the new scheme $SE' = (\mathcal{K}, E', D')$.

Theorem 3 (IND-CPA $\not\Rightarrow$ IND-CVA). For any symmetric encryption scheme $SE = (\mathcal{K}, E, D)$ which is IND-CPA secure, we can construct a symmetric encryption scheme $SE' = (\mathcal{K}, E', D')$ which is also IND-CPA secure but is not IND-CVA secure.

Proof of Theorem 3. The scheme $SE' = (\mathcal{K}, E', D')$ is constructed as follows:

$E'_K(M)$:
  $C' \leftarrow E_K(M)$,
  $C \leftarrow 0 \| C'$ where 0 is a single bit,
  Return $C$.

$D'_K(C)$:
  Parse $C$ as $b \| C'$ where $b$ is a bit,
  $M \leftarrow D_K(C')$,
  If $b = 0$ then return $M$,
  Else parse $M$ as $b' \| M'$ where $b'$ is a bit,
    If $b' = b$ then return $\bot$,
    Else return $M$.

An adversary can flip the first bit of the challenge ciphertext $C$, then query the verification oracle $D'^*_K(\cdot)$ with the new ciphertext. If the first bit of the challenge plaintext $m_b$ is 1, then $D'^*_K(\cdot)$ returns 0; otherwise, it returns 1. The IND-CPA security of $SE' = (\mathcal{K}, E', D')$ is obvious, and we omit the proof for conciseness.

Remark 1.
This example shows exactly how ciphertext verification compromises the privacy of encryption and how a CVA attacker works. Compared with a CPA attacker, a CVA attacker needs slightly more power: it must learn whether a ciphertext is valid. On one hand, this requirement is commonly met in the network environment. For instance, when a user logs in to a server for some service, he sends the server his password to verify his identity, and the server always responds with an "invalid" message if verification fails, which indeed provides a verification oracle to the user. On the other hand, verifying a ciphertext is much easier to provide, and a simple hash-based check would be sufficient (e.g. HMAC). IND-CVA reveals the influence of integrity on privacy.

Remark 2. We compare a CVA attacker with a CCA attacker. A CCA (or even gCCA) attacker is more powerful than a CVA attacker. A CCA attacker needs to know exactly the corresponding plaintext of an arbitrary ciphertext, which implies that the attacker must know the validity of the ciphertext, too. Although it is possible for an adversary to have access to a decryption oracle in some cases, the fact is that in most cases, especially in common network environments, the adversary can only access the encryption oracle and the verification oracle, rather than the exact decryption oracle [1,4-6]. In other words, while IND-CCA security is a useful and important security notion, it is too strong and not necessary for some (fundamental) applications such as secure channels. Moreover, it is NOT present in the prevalent modes of symmetric encryption (such as in stream ciphers or CBC mode, even when the underlying block cipher is chosen-ciphertext secure; see Section 6.11 of ref. [8]), and therefore assuming this strong property as the basic secrecy requirement of the encryption function would exclude the use of such standard efficient mechanisms.
In addition, an IND-CCA attacker usually uses more resources than an IND-CVA attacker. Take the Encrypt-then-MAC paradigm, for instance: an IND-CCA adversary accesses both the MAC verification oracle and the decryption oracle, whereas an IND-CVA adversary would possibly access the MAC verification oracle only, which consumes fewer resources than an IND-CCA adversary (e.g. HMAC).

Theorem 4 (INT-PTXT ∧ IND-CPA ⇏ IND-CVA). For any authentication scheme MA = (K_M, T, V) which is WUF-CMA secure, we can construct an authentication scheme MA' = (K_M, T', V') and a symmetric encryption scheme SE = (K_E, E, D) which is IND-CPA secure, such that the MAC-then-Encrypt scheme built from them is not IND-CVA secure.

Proof of Theorem 4. We take the example presented in ref. [1] as a counterexample. Let MA be a secure single-valued MAC, and define MA' to be identical to MA except that on the all-zeros string it allows the last bit of the tag to be set arbitrarily (i.e., for this string the verification function will accept as valid two different tags). An attacker against MtE(OTP, MA') can distinguish between a ciphertext that encrypts the all-zeros message and the ciphertext of any other message as follows. It just flips the last bit of the ciphertext and watches for acceptance or rejection of the message; clearly, the message is accepted if and only if it was the all-zeros message.

Theorem 5 (IND-CVA ⇏ INT-PTXT). For any symmetric encryption scheme SE = (K, E, D) which is IND-CVA secure, we can construct a symmetric encryption scheme SE' = (K, E', D') which is also IND-CVA secure but is not INT-PTXT secure.

Theorem 5 can be easily proved with Theorem 1 and the relationship between IND-CCA and INT-PTXT [10]. But, to further illustrate the difference between IND-CVA and INT-PTXT, we give a more elementary proof in the Appendix. In summary, the relationships between IND-CVA and the other notions are shown in Figure 1.

Figure 1 Relationship between IND-CVA and other security notions.
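The construction in the proof of Theorem 3, as an added example rather than code from the paper: a base scheme that accepts every ciphertext is wrapped into SE', whose decryption rejects a ciphertext exactly when the prepended flag bit is 1 and equals the first plaintext bit. The encryption oracle is unchanged, so IND-CPA is preserved, yet one flip of the flag bit plus one verification query reveals the first bit of the challenge plaintext. The base scheme (a counter-mode one-time pad with a SHAKE-256 keystream) and the byte layout of the flag bit are assumptions of the example; the paper's OTP from Section 3.2 would serve equally well.

```python
"""Theorem 3 in runnable form: SE (no validity check at all) is wrapped into SE',
which stays IND-CPA secure but leaks the first plaintext bit through its
ciphertext verification oracle.  Added example, not code from the paper."""
import hashlib
import os
from typing import Optional


def keystream(key: bytes, ctr: int, n: int) -> bytes:
    # Assumed PRF-style pad: SHAKE-256(key || counter), n bytes.
    return hashlib.shake_256(key + ctr.to_bytes(8, "big")).digest(n)


class BaseScheme:
    """SE = (K, E, D): every string is accepted by D, so D itself leaks nothing."""

    def __init__(self, key: bytes) -> None:
        self.key, self.ctr = key, 0

    def encrypt(self, m: bytes) -> bytes:
        pad = keystream(self.key, self.ctr, len(m))
        c = self.ctr.to_bytes(8, "big") + bytes(x ^ y for x, y in zip(m, pad))
        self.ctr += 1
        return c

    def decrypt(self, c: bytes) -> bytes:
        ctr, body = int.from_bytes(c[:8], "big"), c[8:]
        return bytes(x ^ y for x, y in zip(body, keystream(self.key, ctr, len(body))))


class WrappedScheme:
    """SE' = (K, E', D') from the proof of Theorem 3.  E' prepends the bit 0 (kept
    here in the low bit of an extra leading byte); D' returns None (the paper's
    bottom symbol) exactly when that bit is 1 and equals the first plaintext bit."""

    def __init__(self, base: BaseScheme) -> None:
        self.base = base

    def encrypt(self, m: bytes) -> bytes:
        return b"\x00" + self.base.encrypt(m)

    def decrypt(self, c: bytes) -> Optional[bytes]:
        b, m = c[0] & 1, self.base.decrypt(c[1:])
        if b == 0:
            return m
        first_plaintext_bit = (m[0] >> 7) & 1
        return None if first_plaintext_bit == b else m


def verify(scheme: WrappedScheme, c: bytes) -> int:
    """Ciphertext verification oracle D'_K(.): 1 if D' accepts, 0 if it rejects."""
    return 0 if scheme.decrypt(c) is None else 1


def cva_attack(m0: bytes, m1: bytes, b: int, key: Optional[bytes] = None) -> int:
    """One run of the IND-CVA game against SE'.  The adversary picks m0, m1 whose
    first bits differ, receives E'(m_b), flips the flag bit of that ciphertext and
    asks the verification oracle once.  Returns the adversary's guess b'."""
    assert (m0[0] >> 7) != (m1[0] >> 7), "challenge messages must differ in the first bit"
    scheme = WrappedScheme(BaseScheme(key or os.urandom(32)))
    challenge = scheme.encrypt((m0, m1)[b])
    probe = bytes([challenge[0] ^ 1]) + challenge[1:]    # flag bit 0 -> 1
    leaked_bit = 0 if verify(scheme, probe) == 1 else 1   # valid <=> first bit of m_b is 0
    return 0 if leaked_bit == (m0[0] >> 7) & 1 else 1


if __name__ == "__main__":
    m0, m1 = b"\x00attack at dawn", b"\x80attack at dawn"
    for b in (0, 1):
        print(f"b = {b}: adversary guesses {cva_attack(m0, m1, b)}")
```

The guess is correct for every key and every run, which is the advantage-1 distinguisher the proof describes; against the unwrapped BaseScheme the same probe is always accepted and the query yields nothing.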
5 Practical impacts of IND-CVA

5.1 SSL and MAC-then-Encrypt

The famous SSL protocol, which indeed works in the form of MAC-then-Encrypt, is not generally secure conditioned on a SUF-CMA secure MAC and an IND-CPA secure encryption scheme, due to the reaction attack. Then, is it secure if the underlying encryption scheme is strengthened up to IND-CVA? We review the syntax of MAC-then-Encrypt first.

Definition 5 (Construction of the MAC-then-Encrypt scheme). Let SE = (K_E, E, D) and MA = (K_M, T, V) be the underlying encryption and authentication schemes respectively. We define the MAC-then-Encrypt paradigm MtE = (K, TE, DV) as follows:

  K(k)
    K_E ← K_E(k), K_M ← K_M(k),
    Return ⟨K_E, K_M⟩.

  TE_{K_E,K_M}(m)
    t ← T_{K_M}(m), c ← E_{K_E}(m‖t),
    Return c.

  DV_{K_E,K_M}(c)
    d ← D_{K_E}(c), parse d as m‖t,
    If V_{K_M}(m, t) = 1 return m, else return ⊥.

Theorem 6 (Integrity of MAC-then-Encrypt). Let SE = (K_E, E, D) and MA = (K_M, T, V) be an encryption scheme and an authentication scheme respectively. Let MtE = (K, TE, DV) be the composite encryption scheme constructed as per Definition 5. If the underlying encryption scheme SE is IND-CVA secure and the underlying MAC is WUF-CMA secure, then MtE is INT-PTXT secure. Concretely,

  $\mathrm{Adv}^{\text{int-ptxt}}_{MtE}(k) \le \mathrm{Adv}^{\text{wuf-cma}}_{MA}(k)$.
While the above theorem holds obviously, privacy may not be preserved in the MAC-then-Encrypt paradigm.

Theorem 7 (MAC-then-Encrypt with a WUF-CMA secure MAC and an IND-CVA secure encryption is not IND-CVA secure). Given the IND-CVA secure OTP scheme mentioned in Section 3.2 and a WUF-CMA secure message authentication scheme MA = (K_M, T, V), we can construct a message authentication scheme MA' such that MA' is WUF-CMA secure, but the composite scheme MtE = (K, TE, DV) formed as per Definition 5 from OTP and MA' is not IND-CVA secure.

The counterexample used in Theorem 4 still works for the proof of Theorem 7; we omit the proof for brevity. Then what about the security of MAC-then-Encrypt if the underlying encryption scheme is IND-CVA secure and the underlying authentication scheme is SUF-CMA secure? The answer is still negative, as the following theorem says.

Theorem 8 (MAC-then-Encrypt with a SUF-CMA secure MAC and an IND-CVA secure encryption is not IND-CVA secure). Given the IND-CVA secure OTP scheme mentioned in Section 3.2 and a SUF-CMA secure message authentication scheme MA = (K_M, T, V), we can construct an encryption scheme SE' such that SE' is IND-CVA secure, but the composite scheme MtE = (K, TE, DV) formed as per Definition 5 from SE' and MA is not IND-CVA secure.

The proof of Theorem 8 is tedious, so we put it in the Appendix.

Remark 3. It is an intuitive and popular approach to combine a secure MAC with a secure encryption scheme to guarantee secure communication. While an authentication (or signature) scheme may indeed enhance privacy in some modes (i.e. Encrypt-then-MAC), Theorem 7 and Theorem 8 show that it may also compromise privacy in other modes (i.e. MAC-then-Encrypt), due to the integrity verification. We believe the same problem exists in the case of Encrypt-and-MAC.

Remark 4. Recall the problem mentioned in ref.
[1]: due to the reaction attack, an IND-CPA secure encryption scheme may not implement a secure channel in the form of MAC-then-Encrypt, no matter how secure the underlying MAC is. Theorem 8 tells us why MAC-then-Encrypt is not secure in general, even if the underlying encryption scheme is enhanced up to IND-CVA. Then, is it possible for the MAC-then-Encrypt paradigm to implement a secure channel? The answer is yes. As Hu et al. [11] have pointed out, if the underlying encryption scheme is NM-CPA secure, MAC-then-Encrypt can be IND-CCA secure.

5.2 IPSec and Encrypt-then-MAC

Up to now, IPSec, which works in the Encrypt-then-MAC form, is the only protocol that works in the composite form and is generally secure in the network setting. While Encrypt-then-MAC can implement secure channels, its security also shows that CCA security is not necessary for secure channels. In this section, we discuss how secure Encrypt-then-MAC is in the sense of CVA, showing that CVA security may be sufficient to characterize the privacy requirements of secure channels. We recite the construction of Encrypt-then-MAC first:

Definition 6 (Construction of the Encrypt-then-MAC scheme). Let SE = (K_E, E, D) and MA = (K_M, T, V) be the underlying encryption and authentication schemes respectively. We define the Encrypt-then-MAC paradigm EtM = (K, TE, DV) as follows:

  K(k)
    K_E ← K_E(k), K_M ← K_M(k),
    Return ⟨K_E, K_M⟩.

  TE_{K_E,K_M}(m)
    c' ← E_{K_E}(m), t ← T_{K_M}(c'),
    Return c'‖t.

  DV_{K_E,K_M}(c)
    Parse c as c'‖t,
    If V_{K_M}(c', t) = 1 then m ← D_{K_E}(c'), return m,
    Else return ⊥.

Theorem 9 (Encrypt-then-MAC with a WUF-CMA secure MAC and an IND-CPA secure encryption is IND-CVA secure and INT-PTXT secure).
Let SE = (K_E, E, D) and MA = (K_M, T, V) be an encryption scheme and an authentication scheme respectively. Let EtM = (K, TE, DV) be the composite encryption scheme constructed as per Definition 6. If the underlying encryption scheme SE is IND-CPA secure and the underlying MAC is WUF-CMA secure, then EtM is INT-PTXT secure and IND-CVA secure. Concretely,

  $\mathrm{Adv}^{\text{ind-cva}}_{EtM}(k) \le 2\,\mathrm{Adv}^{\text{wuf-cma}}_{MA}(k) + \mathrm{Adv}^{\text{ind-cpa}}_{SE}(k)$, (1)
  $\mathrm{Adv}^{\text{int-ptxt}}_{EtM}(k) \le \mathrm{Adv}^{\text{wuf-cma}}_{MA}(k)$. (2)

For the proof of Theorem 9, we refer the reader to the Appendix.

Remark 5. Because of the reaction attack (recall Theorem 7 and Theorem 8), a MAC-then-Encrypt scheme built from an IND-CPA secure encryption may not be generally secure as a secure channel, which implies that IND-CPA is too weak to guarantee the security of a secure channel. On the other hand, as some papers have discussed, while Encrypt-then-MAC can implement secure channels, it need not be IND-CCA secure or INT-CTXT secure [1,3]. Then what degree of security should a scheme achieve to implement a secure channel? Theorem 9 shows that it should be both IND-CVA and INT-PTXT secure. Notice that the goal of a secure channel is to provide both integrity and privacy of data transmitted across networks [1,4]. The first goal means that any modification of messages produced by the attacker over the communication links should be detected and rejected by the recipient; the second goal means that, among the many messages exchanged in a session, when the attacker chooses a pair of test messages of which only one is sent, the attacker cannot guess correctly which one was sent with probability significantly greater than 1/2. In other words, the attacker against a secure channel is granted access to both the encryption oracle and the ciphertext verification oracle. It is just this access to both the encryption oracle and the ciphertext verification oracle that makes up the ability of an IND-CVA adversary.
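Definitions 5 and 6 side by side, run against the reaction attack from the proof of Theorem 4, as an added example (not code from the paper): both compositions use the same one-time pad and the same MAC MA', an HMAC whose verifier accepts two tags for the all-zeros string. Flipping the last ciphertext bit and asking the verification oracle identifies the all-zeros message under MAC-then-Encrypt (Theorems 4 and 7), while under Encrypt-then-MAC the same query is rejected for either message, as Theorem 9 predicts, because the tag covers the ciphertext rather than the plaintext. The SHAKE-256 keystream pad, the 16-byte messages and the way the key is split are assumptions of the example.

```python
"""Definitions 5 and 6 against the Theorem 4 reaction attack.  Added example, not
the paper's code; OTP here is a counter-mode one-time pad with a SHAKE-256 pad."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

TAGLEN = 32  # bytes, HMAC-SHA256


def keystream(key: bytes, ctr: int, n: int) -> bytes:
    return hashlib.shake_256(key + ctr.to_bytes(8, "big")).digest(n)


class OTP:
    """SE = (K_E, E, D): accepts every ciphertext, so it has no verification of its own."""

    def __init__(self, key: bytes) -> None:
        self.key, self.ctr = key, 0

    def encrypt(self, m: bytes) -> bytes:
        pad = keystream(self.key, self.ctr, len(m))
        c = self.ctr.to_bytes(8, "big") + bytes(x ^ y for x, y in zip(m, pad))
        self.ctr += 1
        return c

    def decrypt(self, c: bytes) -> bytes:
        ctr, body = int.from_bytes(c[:8], "big"), c[8:]
        return bytes(x ^ y for x, y in zip(body, keystream(self.key, ctr, len(body))))


class FlawedMAC:
    """MA' = (K_M, T', V'): HMAC-SHA256, except that on the all-zeros string V'
    ignores the last tag bit, so two different tags are valid for that message."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def tag(self, m: bytes) -> bytes:
        return hmac.new(self.key, m, hashlib.sha256).digest()

    def verify(self, m: bytes, t: bytes) -> bool:
        good = self.tag(m)
        if m == bytes(len(m)) and len(t) == TAGLEN:   # the all-zeros string
            return good[:-1] == t[:-1] and (good[-1] & 0xFE) == (t[-1] & 0xFE)
        return hmac.compare_digest(good, t)


class MtE:
    """Definition 5: t <- T(m); c <- E(m||t); DV decrypts, splits and verifies."""

    def __init__(self, enc: OTP, mac: FlawedMAC) -> None:
        self.enc, self.mac = enc, mac

    def encrypt(self, m: bytes) -> bytes:
        return self.enc.encrypt(m + self.mac.tag(m))

    def decrypt(self, c: bytes) -> Optional[bytes]:
        d = self.enc.decrypt(c)
        m, t = d[:-TAGLEN], d[-TAGLEN:]
        return m if self.mac.verify(m, t) else None


class EtM:
    """Definition 6: c' <- E(m); t <- T(c'); DV verifies the ciphertext before decrypting."""

    def __init__(self, enc: OTP, mac: FlawedMAC) -> None:
        self.enc, self.mac = enc, mac

    def encrypt(self, m: bytes) -> bytes:
        c1 = self.enc.encrypt(m)
        return c1 + self.mac.tag(c1)

    def decrypt(self, c: bytes) -> Optional[bytes]:
        c1, t = c[:-TAGLEN], c[-TAGLEN:]
        return self.enc.decrypt(c1) if self.mac.verify(c1, t) else None


def reaction_attack(compose, b: int, key: Optional[bytes] = None) -> Tuple[int, int]:
    """IND-CVA game against compose(OTP, MA').  m0 is the all-zeros message, m1 any
    other message; the adversary flips the last ciphertext bit and queries the
    verification oracle.  Returns (oracle answer v, adversary's guess b')."""
    key = key or os.urandom(64)
    scheme = compose(OTP(key[:32]), FlawedMAC(key[32:]))
    m0, m1 = bytes(16), b"\x01" + bytes(15)
    c = scheme.encrypt((m0, m1)[b])
    probe = c[:-1] + bytes([c[-1] ^ 1])
    v = 0 if scheme.decrypt(probe) is None else 1
    return v, (0 if v == 1 else 1)   # accepted <=> (under MtE) the all-zeros message


if __name__ == "__main__":
    for name, compose in (("MAC-then-Encrypt", MtE), ("Encrypt-then-MAC", EtM)):
        print(name, [reaction_attack(compose, b) for b in (0, 1)])
```

Under MtE the flipped bit lands in the tag of the decrypted m‖t, so the oracle's answer is a function of the plaintext; under EtM the tag is checked over c' first and the modified tag never verifies (the MAC input c' is all-zeros only with negligible probability), so the oracle's answer is the same for both challenge messages and carries no information about b.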
So we say IND-CVA and INT-PTXT capture exactly the privacy and integrity requirements of a secure channel, respectively.

6 Conclusions

IND-CVA is slightly stronger than IND-CPA, yet much weaker than IND-CCA, and can be satisfied by many popular schemes (e.g. OTP, CBC and CTR). IND-CVA provides a new criterion to measure the privacy of encryption schemes. It fills the gap between IND-CPA and IND-CCA, complementing the security measurements of encryption schemes. In particular, it exactly characterizes the privacy requirements of secure channels, and provides a practicable reference for protocol designers.

Appendix Proof of some of the theorems

Proof of Theorem 5. Let SE = (K, E, D) be the given symmetric encryption scheme. Following the idea of ref. [9], we construct the scheme SE' = (K, E', D') such that SE' is IND-CVA secure but is not INT-PTXT secure. The idea is simple. A certain known string (or strings) will be viewed by D' as valid and decrypted to certain known messages, so that forgery is easy. But these ciphertexts will never be produced by the encryption algorithm, so privacy will not be affected. Here are the details. The new scheme SE' = (K, E', D') has the same key generation algorithm as the old scheme and the following modified encryption and decryption algorithms:

  E'_K(M)
    C' ← E_K(M), C ← 0‖C' where 0 is the bit 0,
    Return C.

  D'_K(C)
    Parse C as b‖C' where b is a bit,
    If b = 0 then M ← D_K(C'), return M,
    Else return 0.

We present an attack on SE', in the form of an adversary A who defeats the integrity of plaintexts with probability 1 using resources polynomial in the security parameter k. It works as follows:

  A^{E'_K(·), D'_K(·)}(k)
    Submit the query 10 to the oracle D'_K(·).

We observe that D'_K(10) = 0, meaning that 10 is a valid ciphertext, and it decrypts to a message (namely 0) that the adversary has not queried of its oracle. So $\mathrm{Adv}^{\text{int-ptxt}}_{SE',A}(k) = 1$. Also, A makes zero queries to E'_K(·) and one query to D'_K(·), totaling 2 bits, and is certainly poly(k)-time (i.e. its time complexity is polynomial in the security parameter k).

To prove that SE' is IND-CVA secure, it suffices to associate with any poly(k)-time adversary A attacking SE' in the IND-CVA sense a poly(k)-time adversary B attacking SE in the IND-CVA sense such that

  $\mathrm{Adv}^{\text{ind-cva}}_{SE',A}(k) \le \mathrm{Adv}^{\text{ind-cva}}_{SE,B}(k)$.

Adversary B simply simulates A and uses its own oracles to answer A's oracle queries in a straightforward manner as follows:

  B^{E_K(LR(·,·,b)), D_K(·)}(k)
    Run A as follows:
      When A makes a query (M_{i,0}, M_{i,1}) to its left-or-right encryption oracle, do
        A ⇐ 0‖E_K(LR(M_{i,0}, M_{i,1}, b))
      When A makes a query C_i to its ciphertext verification oracle, do
        Parse C_i as b_i‖C'_i where b_i is a bit
        If b_i = 0 then A ⇐ D_K(C'_i)
        Else A ⇐ 1
    Until A halts and returns b'
    Return b'.

Adversary B correctly simulates the oracles that A needs. As the code shows, it is easy for B to break the scheme if A can. Furthermore, the resource usage of both adversaries is clearly the same. Thus, if SE is IND-CVA secure, so is SE'.

Proof of Theorem 8. Given the OTP encryption scheme SE, as discussed in Section 3.2, it is IND-CVA secure because it performs no verification on an arbitrary ciphertext. Now, we consider the following OR encoding scheme, which encodes a message x of n bits into a 2n-bit string x' by representing each bit x_i (i = 1, ..., n) of x with two bits of x' as follows:
1. if bit x_i = 0 then the pair of bits (x'_{2i-1}, x'_{2i}) is set to (0, 0);
2. if bit x_i = 1 then the pair of bits (x'_{2i-1}, x'_{2i}) is set to (0, 1) or to (1, 0) or to (1, 1) (by arbitrary random choice of the encrypting party).

We construct an encryption scheme SE' as follows: to encrypt a string x, the OR encoding scheme is applied to x to obtain the string x'. Then the OTP scheme is applied to the string x'. For decrypting y = SE'(x), one first applies the decryption function of OTP to obtain x', which is then decoded into x by mapping a pair (0, 0) to 0 and any of the pairs (0, 1), (1, 0) or (1, 1) to 1. It is easy to see that if a string y is the ciphertext of x, then the decryption of y is identical with the plaintext string x, and SE' is IND-CVA secure just as the original SE is.

For any SUF-CMA secure MAC (e.g. HMAC) and the above encryption scheme SE', we can construct an adversary A such that

  $\mathrm{Adv}^{\text{ind-cva}}_{MtE,A}(k) = 2/3$. (A1)

The adversary A works as follows:

  A^{ind-cva}_{MtE}(k)
    C ← SE'(LR(0, 1, b))
    Flip the first two bits of the ciphertext C to get C', and submit C' as a query to the verification oracle DV(·).
    v ← DV(C')
    If v = 1 then return 1,
    Else return 0.

Next, we calculate the success probability of adversary A. Consider the decryption of the ciphertext C'. Let M' be the first intermediate plaintext of C' obtained by the original OTP scheme, and M the second intermediate plaintext decoded from M' (M is possibly not the final plaintext, because it should be further verified by the MAC). Notice that, since the underlying MAC is SUF-CMA secure, v = 1 means that the second intermediate plaintext M of C' decrypted by SE' is not new to the encryption scheme SE'. Since C' comes from C by flipping its first two bits, if b = 0, the first two bits of M' should be (1, 1) and the first bit of M should be 1, implying that the chance of v = 1 is 0; if b = 1, the first two bits of M' should be (0, 1), (1, 0) or (0, 0), and the first bit of M should be 1 or 0 with probability 2/3 and 1/3 respectively. Thus

  $\Pr[v = 1 \mid b = 1] = 2/3$. (A2)
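The adversary A above in runnable form, added here before the calculation of its success probability continues; this is an added example, not the paper's code. It builds MtE over the OR-encoded one-time pad with HMAC-SHA256 standing in for the SUF-CMA MAC (the paper names HMAC only as an example) and computes Pr[v = 1 | b] exactly, by enumerating the encrypting party's three choices for the encoding of the first bit: the choices for the remaining (tag) bits cannot change the oracle's answer, because every non-zero pair decodes to 1. The one-bit message, the random pad drawn with os.urandom and the bit-list representation are assumptions of the example.

```python
"""Theorem 8's adversary against MtE(SE', HMAC) with SE' = OTP over the OR encoding.
Added example, not the paper's code.  Exact probabilities via fractions."""
import hashlib
import hmac
import os
from fractions import Fraction
from typing import List, Tuple

Bits = List[int]
TAGBITS = 256                      # HMAC-SHA256 tag length in bits
ENCODED_LEN = 2 * (1 + TAGBITS)    # OR encoding doubles the length of m||t


def bytes_to_bits(data: bytes) -> Bits:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def or_encode(x: Bits, choices: List[int]) -> Bits:
    """OR encoding: 0 -> (0,0); 1 -> (0,1), (1,0) or (1,1), picked by choices[i] in {1,2,3}."""
    out: Bits = []
    for bit, ch in zip(x, choices):
        out.extend((0, 0) if bit == 0 else ((0, 1), (1, 0), (1, 1))[ch - 1])
    return out


def or_decode(y: Bits) -> Bits:
    return [1 if (y[2 * i] or y[2 * i + 1]) else 0 for i in range(len(y) // 2)]


def mac_bits(key: bytes, m: Bits) -> Bits:
    return bytes_to_bits(hmac.new(key, bytes(m), hashlib.sha256).digest())


def mte_encrypt(key: bytes, pad: Bits, m: Bits, choices: List[int]) -> Bits:
    """TE of Definition 5 over SE': tag m, OR-encode m||t, XOR with the one-time pad."""
    encoded = or_encode(m + mac_bits(key, m), choices)
    return [a ^ p for a, p in zip(encoded, pad)]


def mte_verify(key: bytes, pad: Bits, c: Bits) -> int:
    """DV as a verification oracle: strip the pad, decode, split m||t, check the tag."""
    x = or_decode([a ^ p for a, p in zip(c, pad)])
    m, t = x[:1], x[1:]
    return 1 if hmac.compare_digest(bytes(t), bytes(mac_bits(key, m))) else 0


def adversary(key: bytes, pad: Bits, b: int, choices: List[int]) -> Tuple[int, int]:
    """One run of A: challenge on (0, 1), flip the first two ciphertext bits, query DV."""
    c = mte_encrypt(key, pad, [b], choices)
    probe = [c[0] ^ 1, c[1] ^ 1] + c[2:]
    v = mte_verify(key, pad, probe)
    return v, (1 if v == 1 else 0)


def accept_probability(b: int) -> Fraction:
    """Pr[v = 1 | b], averaged over the three encodings of the first bit (the only
    randomness of the encrypting party that the flipped pair depends on)."""
    key = os.urandom(32)                                   # assumed MAC key
    pad = bytes_to_bits(os.urandom(ENCODED_LEN // 8 + 1))[:ENCODED_LEN]
    total = Fraction(0)
    for first in (1, 2, 3):
        v, _ = adversary(key, pad, b, [first] + [1] * TAGBITS)
        total += Fraction(v, 3)
    return total


def advantage() -> Fraction:
    """Adv = Pr[A returns 1 | b = 1] - Pr[A returns 1 | b = 0]; equals 2/3 as in (A1)."""
    return accept_probability(1) - accept_probability(0)


def success_probability() -> Fraction:
    """Pr[b' = b] for uniform b: A answers 0 whenever v = 0, so this is 5/6."""
    return (1 - accept_probability(0)) / 2 + accept_probability(1) / 2


if __name__ == "__main__":
    print("Pr[v=1|b=0] =", accept_probability(0), " Pr[v=1|b=1] =", accept_probability(1))
    print("Adv =", advantage(), " Pr[b'=b] =", success_probability())
```

For b = 0 the flipped pair (1, 1) decodes to 1, the recovered message no longer matches the tag and the oracle rejects every time; for b = 1 exactly two of the three encodings survive the flip, which is the 2/3 of (A2).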
Likewise, $\Pr[v = 1 \mid b = 0] = 0$. Notice that

  $\Pr[v = 1] = \Pr[v = 1 \wedge b = 0] + \Pr[v = 1 \wedge b = 1] = 0 + \Pr[v = 1 \wedge b = 1]$ (A3)
  $\qquad = \Pr[v = 1 \mid b = 1]\,\Pr[b = 1] = \tfrac{2}{3} \cdot \tfrac{1}{2} = \tfrac{1}{3}$, (A4)

and $\Pr[v = 0] = 1 - \Pr[v = 1] = 2/3$. Therefore

  $\Pr[b = 1 \mid v = 1] = \Pr[v = 1 \wedge b = 1] / \Pr[v = 1]$ (A5)
  $\qquad = \Pr[v = 1 \mid b = 1]\,\Pr[b = 1] / \Pr[v = 1] = \left(\tfrac{2}{3} \cdot \tfrac{1}{2}\right) \big/ \tfrac{1}{3} = 1$, (A6)

and

  $\Pr[b = 1 \mid v = 0] = \Pr[v = 0 \wedge b = 1] / \Pr[v = 0] = \Pr[v = 0 \mid b = 1]\,\Pr[b = 1] / \Pr[v = 0] = \left(\tfrac{1}{3} \cdot \tfrac{1}{2}\right) \big/ \tfrac{2}{3} = \tfrac{1}{4}$. (A7)

Denote by b' the return value of adversary A. From eqs. (A4)-(A7), we have

  $\Pr[b' = b] = \Pr[b' = b \wedge v = 0] + \Pr[b' = b \wedge v = 1] = \Pr[b' = b \mid v = 0]\,\Pr[v = 0] + \Pr[b' = b \mid v = 1]\,\Pr[v = 1] = \tfrac{3}{4} \cdot \tfrac{2}{3} + 1 \cdot \tfrac{1}{3} = \tfrac{5}{6}$,

and hence $\mathrm{Adv}^{\text{ind-cva}}_{MtE,A}(k) = 2\Pr[b' = b] - 1 = 2/3$, so eq. (A1) holds.

Proof of Theorem 9. Eq. (2) holds obviously, so we prove eq. (1) only. Let A be an efficient attack algorithm against the IND-CVA security of EtM. Following the definition of IND-CVA, we consider the following attack games:

  Game 0, Game 1
    K_E ← K_E(k); K_M ← K_M(k);
    Run A:
      When A queries the encryption oracle TE_{K_E,K_M}(·) with (M_0, M_1), do
        c' ← E_{K_E}(LR(M_0, M_1, b)); t ← T_{K_M}(c'); c ← c'‖t; A ⇐ c.
      When A queries the verification oracle DV_{K_E,K_M}(·) with c, do
        Parse c as c'‖t;
        If V_{K_M}(c', t) = 0 then A ⇐ 0
        Else A ⇐ D_{K_E}(c')   // replaced by A ⇐ 1 in Game 1
    When A outputs b', return b'.

Let S_i (i = 0, 1) be the event that adversary A succeeds (i.e. b' = b) in Game i. Then

  $\tfrac{1}{2}\,\mathrm{Adv}^{\text{ind-cva}}_{EtM,A}(k) = \Pr[S_0] - \tfrac{1}{2}$. (A8)

Next, we define E to be the event that V_{K_M}(c', t) = 1 and c' was never returned by the encryption oracle E_{K_E}(·). When $\bar{E}$ (the complement of E) occurs, i.e. V_{K_M}(c', t) = 0, or V_{K_M}(c', t) = 1 but c' was already returned by the encryption oracle E_{K_E}(·), Game 1 works exactly the same as Game 0. Thus, by the results of refs. [12, 13],

  $|\Pr[S_0] - \Pr[S_1]| \le \Pr[E]$. (A9)

Obviously, given A, we can construct two new adversaries A' and F such that the following lemmas hold:

  $\Pr[E] \le \mathrm{Adv}^{\text{wuf-cma}}_{MA,F}(k)$, (A10)
  $\Pr[S_1] \le \Pr^{\text{ind-cpa}}_{SE,A'}[b' = b]$. (A11)

Combining eqs. (A8)-(A11), we have

  $\tfrac{1}{2}\,\mathrm{Adv}^{\text{ind-cva}}_{EtM,A}(k) = \Pr[S_0] - \tfrac{1}{2} \le \Pr[E] + \Pr[S_1] - \tfrac{1}{2} \le \mathrm{Adv}^{\text{wuf-cma}}_{MA,F}(k) + \Pr^{\text{ind-cpa}}_{SE,A'}[b' = b] - \tfrac{1}{2} = \mathrm{Adv}^{\text{wuf-cma}}_{MA,F}(k) + \tfrac{1}{2}\,\mathrm{Adv}^{\text{ind-cpa}}_{SE,A'}(k)$.

Some algebraic manipulation (multiplying by 2) leads to eq. (1).

References

1 Krawczyk H. The order of encryption and authentication for protecting communications (or: How secure is SSL?). In: CRYPTO 2001, LNCS. Berlin: Springer-Verlag.
2 Hall C, Goldberg I, Schneier B. Reaction attacks against several public-key cryptosystems. In: Varadharajan V, Mu Y, eds. Proceedings of Information and Communication Security, ICICS '99, LNCS. Berlin: Springer-Verlag.
3 An J H, Dodis Y, Rabin T. On the security of joint signature and encryption. In: Knudsen L, ed. Advances in Cryptology, EUROCRYPT 2002, LNCS. Berlin: Springer-Verlag.
4 Canetti R, Krawczyk H. Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann B, ed. Advances in Cryptology, EUROCRYPT 2001, LNCS. Berlin: Springer-Verlag. Extended version at /040.
5 Canetti R, Krawczyk H. Universally composable notions of key exchange and secure channels. In: EUROCRYPT 2002, LNCS. Extended version at iacr.org/2002/.
6 Canetti R. Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, 2001; the latest full version is available online.
7 Namprempre C. Secure channels based on authenticated encryption schemes: a simple characterization. In: Zheng Y, ed. Advances in Cryptology, ASIACRYPT 2002, LNCS. Berlin: Springer-Verlag.
8 Goldwasser S, Bellare M. Lecture Notes on Cryptography. Summer course on cryptography, MIT.
9 Bellare M, Namprempre C. Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto T, ed. Advances in Cryptology, ASIACRYPT 2000, volume 1976 of LNCS. Berlin: Springer-Verlag.
10 Bellare M, Desai A, Jokipii E, et al. A concrete security treatment of symmetric encryption: analysis of the DES modes of operation. In: Proceedings of the 38th Symposium on Foundations of Computer Science. IEEE Computer Society Press.
11 Hu Z Y, Lin D D, Wu W L. Security notes on the MAC-then-Encrypt paradigm. In: Proceedings of the Eighth International Conference for Young Computer Scientists, Beijing, China.
12 Bellare M, Rogaway P. The game-playing technique. Cryptology ePrint Archive 2004/332, December 1.
13 Shoup V. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive 2004/332, November 30.
More informationLecture 15  Digital Signatures
Lecture 15  Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations  easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.
More informationDigital Signatures. What are Signature Schemes?
Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counterparts of the message authentication schemes in the public
More informationNonBlackBox Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak
NonBlackBox Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a
More informationMTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic
More informationDesigning Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages:
Designing Hash functions and message authentication codes Reviewing... We have seen how to authenticate messages: Using symmetric encryption, in an heuristic fashion Using publickey encryption in interactive
More informationImproved Online/Offline Signature Schemes
Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion
More informationKy Vu DeVry University, Atlanta Georgia College of Arts & Science
Ky Vu DeVry University, Atlanta Georgia College of Arts & Science Table of Contents  Objective  Cryptography: An Overview  Symmetric Key  Asymmetric Key  Transparent Key: A Paradigm Shift  Security
More informationVictor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract
Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart
More informationChapter 7. Message Authentication. 7.1 The setting
Chapter 7 Message Authentication In most people s minds, privacy is the goal most strongly associated to cryptography. But message authentication is arguably even more important. Indeed you may or may
More informationMultiRecipient Encryption Schemes: Efficient Constructions and their Security
This is the full version of the paper with same title that appeared in IEEE Transactions on Information Theory, Volume 53, Number 11, 2007. It extends the previously published versions Ku, BBS. MultiRecipient
More informationCS558. Network Security. Boston University, Computer Science. Midterm Spring 2014.
CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014. Instructor: Sharon Goldberg March 25, 2014. 9:3010:50 AM. Onesided handwritten aid sheet allowed. No cell phone or calculators
More informationNetwork Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23
Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest
More informationNetwork Security. Modes of Operation. Steven M. Bellovin February 3, 2009 1
Modes of Operation Steven M. Bellovin February 3, 2009 1 Using Cryptography As we ve already seen, using cryptography properly is not easy Many pitfalls! Errors in use can lead to very easy attacks You
More informationIntroduction. Chapter 1
Chapter 1 Introduction This is a chapter from version 1.1 of the book Mathematics of Public Key Cryptography by Steven Galbraith, available from http://www.isg.rhul.ac.uk/ sdg/cryptobook/ The copyright
More informationAdvanced Cryptography
Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.
More informationOn the Security of the CCM Encryption Mode and of a Slight Variant
On the Security of the CCM Encryption Mode and of a Slight Variant PierreAlain Fouque 1 and Gwenaëlle Martinet 2 and Frédéric Valette 3 and Sébastien Zimmer 1 1 École normale supérieure, 45 rue d Ulm,
More informationSecure Computation Without Authentication
Secure Computation Without Authentication Boaz Barak 1, Ran Canetti 2, Yehuda Lindell 3, Rafael Pass 4, and Tal Rabin 2 1 IAS. E:mail: boaz@ias.edu 2 IBM Research. Email: {canetti,talr}@watson.ibm.com
More informationCS 758: Cryptography / Network Security
CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html
More informationMessage Authentication Codes. Lecture Outline
Message Authentication Codes Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Message Authentication Code Lecture Outline 1 Limitation of Using Hash Functions for Authentication Require an authentic
More informationOn the Security of CTR + CBCMAC
On the Security of CTR + CBCMAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBCMAC (CCM) encryption mode.
More information6.857 Computer and Network Security Fall Term, 1997 Lecture 4 : 16 September 1997 Lecturer: Ron Rivest Scribe: Michelle Goldberg 1 Conditionally Secure Cryptography Conditionally (or computationally) secure
More informationClient Server Registration Protocol
Client Server Registration Protocol The ClientServer protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are
More informationCapture Resilient ElGamal Signature Protocols
Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department
More informationRecommendation for Applications Using Approved Hash Algorithms
NIST Special Publication 800107 Recommendation for Applications Using Approved Hash Algorithms Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y February
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 1 January 9, 2012 CPSC 467b, Lecture 1 1/22 Course Overview Symmetric Cryptography CPSC 467b, Lecture 1 2/22 Course Overview CPSC
More informationThe Mathematics of the RSA PublicKey Cryptosystem
The Mathematics of the RSA PublicKey Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through
More informationCryptography: Authentication, Blind Signatures, and Digital Cash
Cryptography: Authentication, Blind Signatures, and Digital Cash Rebecca Bellovin 1 Introduction One of the most exciting ideas in cryptography in the past few decades, with the widest array of applications,
More informationAuthenticated Encryption (AE) Instructor: Ahmad Boorghany
Sharif University of Technology Department of Computer Engineering Data and Network Security Lab Authenticated Encryption (AE) Instructor: Ahmad Boorghany Most of the slides are obtained from Bellare and
More informationNetwork Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering
Network Security Gaurav Naik Gus Anderson, Philadelphia, PA Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14:
More informationLeakageResilient Authentication and Encryption from Symmetric Cryptographic Primitives
LeakageResilient Authentication and Encryption from Symmetric Cryptographic Primitives Olivier Pereira Université catholique de Louvain ICTEAM Crypto Group B1348, Belgium olivier.pereira@uclouvain.be
More informationCryptography and Network Security Chapter 12
Cryptography and Network Security Chapter 12 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 12 Message Authentication Codes At cats' green on the Sunday he
More informationCIS 5371 Cryptography. 8. Encryption 
CIS 5371 Cryptography p y 8. Encryption  Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: Allornothing secrecy.
More informationA Survey and Analysis of Solutions to the. Oblivious Memory Access Problem. Erin Elizabeth Chapman
A Survey and Analysis of Solutions to the Oblivious Memory Access Problem by Erin Elizabeth Chapman A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. #01 Lecture No. #10 Symmetric Key Ciphers (Refer
More informationNew Efficient Searchable Encryption Schemes from Bilinear Pairings
International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang
More informationRemotely Keyed Encryption Using NonEncrypting Smart Cards
THE ADVANCED COMPUTING SYSTEMS ASSOCIATION The following paper was originally published in the USENIX Workshop on Smartcard Technology Chicago, Illinois, USA, May 10 11, 1999 Remotely Keyed Encryption
More informationCryptography and Network Security: Summary
Cryptography and Network Security: Summary Timo Karvi 12.2013 Timo Karvi () Cryptography and Network Security: Summary 12.2013 1 / 17 Summary of the Requirements for the exam The advices are valid for
More informationChosenCiphertext Security from IdentityBased Encryption
ChosenCiphertext Security from IdentityBased Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz June 13, 2006 Abstract We propose simple and efficient CCAsecure publickey encryption schemes
More informationSecurity/Privacy Models for "Internet of things": What should be studied from RFID schemes? Daisuke Moriyama and Shin ichiro Matsuo NICT, Japan
Security/Privacy Models for "Internet of things": What should be studied from RFID schemes? Daisuke Moriyama and Shin ichiro Matsuo NICT, Japan 1 Internet of Things (IoT) CASAGRAS defined that: A global
More informationCryptographic Hash Functions Message Authentication Digital Signatures
Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBCMAC Digital signatures 2 Encryption/Decryption
More informationContent Teaching Academy at James Madison University
Content Teaching Academy at James Madison University 1 2 The Battle Field: Computers, LANs & Internetworks 3 Definitions Computer Security  generic name for the collection of tools designed to protect
More informationComputational Soundness of Symbolic Security and Implicit Complexity
Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 37, 2013 Overview
More informationKey Privacy for Identity Based Encryption
Key Privacy for Identity Based Encryption Internet Security Research Lab Technical Report 20062 Jason E. Holt Internet Security Research Lab Brigham Young University c 2006 Brigham Young University March
More informationCryptography for Secure Channels Kenny Paterson
Cryptography for Secure Channels Kenny Paterson Information Security Group Royal Holloway, University of London kenny.paterson@rhul.ac.uk Onassis Foundation Science Lecture Series 1 Outline Introduction
More informationModes of Operation of Block Ciphers
Chapter 3 Modes of Operation of Block Ciphers A bitblock encryption function f: F n 2 Fn 2 is primarily defined on blocks of fixed length n To encrypt longer (or shorter) bit sequences the sender must
More informationDelegation of Cryptographic Servers for CaptureResilient Devices
ACM, 2001. This is the authors' version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version is available at http://doi.acm.org/10.1145/501983.501986.
More informationTwo Factor Zero Knowledge Proof Authentication System
Two Factor Zero Knowledge Proof Authentication System Quan Nguyen Mikhail Rudoy Arjun Srinivasan 6.857 Spring 2014 Project Abstract It is often necessary to log onto a website or other system from an untrusted
More informationCSE/EE 461 Lecture 23
CSE/EE 461 Lecture 23 Network Security David Wetherall djw@cs.washington.edu Last Time Naming Application Presentation How do we name hosts etc.? Session Transport Network Domain Name System (DNS) Data
More informationSimulationBased Security with Inexhaustible Interactive Turing Machines
SimulationBased Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik ChristianAlbrechtsUniversität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.unikiel.de
More informationRecommendation for Cryptographic Key Generation
NIST Special Publication 800133 Recommendation for Cryptographic Key Generation Elaine Barker Allen Roginsky http://dx.doi.org/10.6028/nist.sp.800133 C O M P U T E R S E C U R I T Y NIST Special Publication
More informationSecurity Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012
Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database
More information