Ciphertext verification security of symmetric encryption schemes

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Ciphertext verification security of symmetric encryption schemes"

Transcription

1 info.scichina.com Ciphertext verification security of symmetric encryption schemes HU ZhenYu 1, SUN FuChun 1 & JIANG JianChun 2 1 National Laboratory of Information Science and Technology, Department of Computer Science and Technology, Tsinghua University, Beijing , China; 2 Institute of Software, Chinese Academy of Sciences, Beijing , China This paper formally discusses the security problem caused by the ciphertext verification, presenting a new security notion named IND-CVA (indistinguishability under ciphertext verification attacks) to characterize the privacy of encryption schemes in this situation. Allowing the adversary to access to both encryption oracle and ciphertext verification oracle, the new notion IND-CVA is slightly stronger than IND-CPA (indistinguishability under chosen-plaintext attacks) but much weaker than IND-CCA (indistinguishability under chosen-ciphertext attacks), and can be satisfied by most of the popular symmetric encryption schemes such as OTP (one-time-pad), CBC (cipher block chaining) and CTR (counter). An MAC (message authentication scheme) is usually combined with an encryption to guarantee secure communication (e.g. SSH, SSL and IPSec). However, with the notion of IND-CVA, this paper shows that a secure MAC can spoil the privacy in some cases. encryption, privacy, integrity, reaction attack, IND-CPA, IND-CCA 1 Introduction 1.1 Background and related works CPA (chosen plaintext attacks) security and CCA (chosen ciphertext attacks) security are two most important security measurements for encryption schemes. The CPA security allows an adversary to access to the encryption oracle and is the basic requirements for an encryption scheme in practice. However, CPA security is not strong enough when it is used to guarantee the secrecy of data transferred across Internet in terms of secure channel. One of the typical examples is that, though the composite scheme MAC-then-Encrypt can preserve the CPA security of the underlying encryption scheme, it may not be secure in the face of reaction attack [1]. CCA security is stronger than CPA security, which, besides the encryption oracle, allows the adversary to access to the decryption oracle, with the only restriction that the adversary is prohibited from querying the challenge ciphertext returned by the encryption oracle. While the CCA security can be used to guarantee the privacy of data transferred across Internet, it is the strongest notion for privacy and is too strong for the typical secure composite scheme Encrypt-then-MAC to generically satisfy. Moreover, the CCA security is not robust enough. If we modify a CCA-secure encryption scheme harmlessly (e.g. a useless bit Received July 16, 2008; accepted January 15, 2009 doi: /s x Corresponding author ( Hu Supported by the National Basic Research Program of China (Grant No. G2002cb312205) Citation: Hu Z Y, Sun F C, Jiang J C. Ciphertext verification security of symmetric encryption schemes. Sci China Ser F-Inf Sci, 2009, 52(9): , doi: /s x

2 is appended to the ciphertext), it may not be CCAsecure any more. Considering the insufficiency of CPA security and the unnecessary of CCA security when characterizing the privacy requirements of secure channel, it is not trivial to develop a new security notion that is stronger than CPA security but weaker than CCA security, and is applicable to fill up the gap between them. Reaction attack was first introduced by Hall et al. [2], which works by modifying a sender s ciphertexts and observing the receiver s response. In this kind of attacks, an attacker presents the owner of the private key with a ciphertext that may contain one or more errors that can be detected during decryption (that is, the ciphertext may decrypt to a plaintext which fails in a simple signature or checksum verification). By watching the reaction of the owner in order to determine whether or not the ciphertext decrypted correctly, the attacker can usually determine information about the plaintext or the private key. Different from the case of chosen plaintext attacks and chosen ciphertext attacks, when a receiver verifies a ciphertext, it provides the adversary information about whether the received ciphertext is valid. In fact, it is the integrity verification that may disclose the valuable information of the plaintext in the case of reaction attacks. So, the integrity verification should be taken for a special attack tool that can be used by an adversary to compromise the privacy of an encryption scheme, and a corresponding security notion should be introduced to capture the security under this type of attacks. With the spreading use of network, the data integrity and authentication are getting more and more attention, and lots of work has been done to strengthen the secrecy of communication with MAC or signature. While the combination of authentication (or signature) and encryption may enhance the privacy in some cases (e.g. Encryptionthen-MAC), can it possibly compromise the privacy in other case? We will give this problem a formal investigation. 1.2 Our contributions We formally discuss the security problem of encryption caused by the ciphertext verification, presenting a new security notion named IND-CVA to model the reaction attack. The new notion IND- CVA is slightly stronger than IND-CPA but much weaker than IND-CCA. Most of popular symmetric encryption schemes, such as OTP, CBC and CTR, are secure in the sense of IND-CVA, though they are neither NM-CPA (non-malleability under chosen-plaintext attacks) nor IND-CCA secure. We investigate the relationship between the new notion of IND-CVA and the conventional notions such as IND-CPA, IND-CCA and NM-CPA, showing that IND-CVA is applicable to fill up the gap between IND-CPA and IND-CCA. With the notion IND-CVA, we show how a secure MAC compromises the privacy of MAC-then- Encryption. Moreover, we discover that IND-CVA captures the exact (both sufficient and necessary) privacy requirements of secure channel, while the INT-PTXT captures the exact integrity requirements. IND-CVA reveals the negative influence of integrity verification on privacy, providing a practicable reference for protocol designers. 1.3 Comparison with related works Comparison with IND-gCCA security. An et al. [3] generalized the CCA attack with respect to some equivalence relation R(, ) on the ciphertexts. Relation R is defined as part of the encryption scheme, it depends on the public key pk, but must have the following property: if R(C 1,C 2 ) = true then D(C 1 ) = D(C 2 ). Such R is called decryptionrespecting. Now the adversary A is forbidden to ask any C equivalent to C, i.e. R(C,C ) = true. An encryption scheme is secure against generalized CCA (or gcca) if there exists some efficient decryption-respecting relation R with respect to which it is CCA-secure. Though the gcca-security may be sufficient for all applications where chosen ciphertext security matters, it is probably still a slight overkill in terms of a necessary and sufficient formalization of secure encryption from the application point of view. We would say that the gcca-security is still overly strong, since in network channel environments, an adversary may not be allowed to access the decryption oracle [4 6]. Indeed, the gcca HU Z Y et al. Sci China Ser F-Inf Sci Sep vol. 52 no

3 security is to try to relax the notion CCA-security to the minimum extent possible, just to avoid the syntactic (robust) problems of CCA-security. Contrary to the gcca-security, our CVAsecurity is to try to tighten the notion CPAsecurity to the minimum extent possible. As discussed in section 4, CVA-security is just slightly stronger than CPA-security whereas much weaker than gcca-security or CCA-security. In particular, we are saying that CVA-security seems both sufficient and necessary for implementing secure channels, and more applicable for studying generic properties of secure encryption Comparison with loose CUF security. To solve the syntactic issue of CCA-security, Krawczyk [1] has presented a notion of loose CUF. Like the notion of gcca-security, a decryptionrespecting relation ρ is proposed. If C and C are two valid ciphertexts computed under encryption function E K ( ), for some key K, and ρ(c,c ) holds then C and C decrypt to the same plaintext under K. An encryption scheme SE is CUF ρ - CPA (loose ciphertext unforgeability under chosen plaintext attacks) secure if for any valid ciphertext C that a ciphertext forger attacker F can feasibly produce there exists a ciphertext C output by the encryption oracle under one of F s queries such that ρ(c,c ). Note that valid ciphertexts produced by a loose CUF attacker always decrypt to plaintexts already queried to the encryption oracle, it is easy to determine which of the queried plaintexts they decrypt to. So we think loose CUF security has no significant difference from the INT- PTXT (integrity of plaintext) security. Moreover, while the loose CUF limits the ciphertext forgeries allowed to the attacker to decrypt to previously queried plaintexts, example attacker against the MtE scheme discussed in section 5 is able to break the security of channels without ever producing a valid ciphertext, which shows that the loose CUF is insufficient for guaranteeing secure channels Comparison with CCVA security. To characterize the privacy security of a secure channel, Namprempre [7] proposed a new notion, IND-CCVA (indistinguishability under chosen-ciphertext attacks with verification). In the sense of IND-CCVA security, an adversary is given access to an encryption oracle E K ( ) and a special decryption oracle D K (,M b ). Let b {0,1}, the oracle D K (,M b ) records the secret message M b that is randomly chosen from the message pair (M 0,M 1 ) to encrypt when the adversary to query. This oracle is the same as the standard decryption oracle D K ( ) except the following. If a given ciphertext decrypts to M b (i.e. the challenge message chosen by the encryption oracle to produce the challenge ciphertext), then the oracle D K (,M b ) returns a special symbol ±. Otherwise, it returns the decrypted message. As discussed by Namprempre, the so defined IND-CCVA security is even overly stronger such that an IND-CCA secure scheme may not be IND-CCVA secure. Besides the encryption oracle E K ( ) and decryption oracle D K ( ), an IND-CCVA adversary needs the third oracle access D K (,M b ). The oracle D K (,M b ) behaves exactly the same as the standard decryption oracle D K ( ), except that the given ciphertext decrypts to M b. At this point, the oracle D K (,M b ) returns a special symbol ±. Notice that, when the special symbol ± is returned by the oracle D K (C,M b ), it indicates the adversary that the corresponding plaintext of ciphertext C is the same as the challenge ciphertext C. If C = C, nothing more is provided to the adversary than to indicate that the queried ciphertext is the challenge ciphertext itself. However, if C C, it indicates more information than the CCA does (recall that the CCA attackers are not allowed to query the decryption oracle of the challenge ciphertext itself), the response of ± helps the adversary to confirm a decryption equivalence relation used in non-malleability security. Considering the CCA attacks, the attacker is allowed to query the decryption oracle with an arbitrary ciphertext C ( C ), and be returned the correct plaintext even if the corresponding plaintext is the challenge plaintext M b. We argue that even if the corresponding plaintext is the challenge plaintext M b, the returned value of D K (C ) does not disclose any information about the challenge plaintext. Because that, the D K (C ) just honestly tells what the corresponding plaintext is, rather than whether or not it is the challenge plaintext. For the adversary, HU Z Y et al. Sci China Ser F-Inf Sci Sep vol. 52 no

4 when he receives the response of D K (C ) (where C C ), he would surprisedly say: Oh! It is one of the plaintexts that I have chosen to challenge. Then he will disappointedly find its null, because that an encryption algorithm is always randomized or stateful, and that any deterministic or stateless scheme is not secure in IND-CPA sense [8]. From this point, we say the IND-CCVA is even stronger than IND-CCA. 1.4 Outline of this paper The remainder of this paper is organized as follows. Section 2 presents some preliminaries of this paper, including the traditional security notions of symmetric encryption schemes. Section 3 introduces the new security notion IND-CVA and gives some familiar examples for IND-CVA. Section 4 discusses the relationship between the new notion IND-CVA and the traditional ones, showing that as a new criterion to measure the privacy of encryption schemes, it fills up the gap between the IND- CPA and the IND-CCA. Section 5 investigates the application impacts of IND-CVA. Section 6 provides the conclusion of our work. 2 Preliminary definitions 2.1 Notations Throughout this paper, we will use the symbol x to denote the bit length of x, x y to the concatenation of x and y. The symbol denotes the bitwise-exclusive-or operation. If n is a positive integer, then the symbol {0,1} n denotes the set of n-bit binary strings (we also use the symbol {0,1} to denote the set of binary strings with no fixed length). If f is a randomized (resp., deterministic) algorithm, then x R f(y) (resp., x f(y) ) denotes the process of running f on input y and assigning the result to x. However, if S is a set, then x R S denotes that x is randomly chosen from S. Further more, if A is an adversary, then A = x denotes the process of an oracle answers A with x after A queries to the oracle. 2.2 Syntax and security of message authentication scheme A message authentication scheme MA = (K, T, V) consists of three algorithms: The randomized key generation algorithm K that takes input a security parameter k N and returns a key K (we write K R K(k)); the tagging algorithm T that could be either randomized or stateful, and takes the key K and a message M to return a tag σ (we write σ R T K (M). The verification algorithm V that is deterministic and takes the key K, a message M, and a candidate tag σ for M to return a bit v (we write v V K (M,σ)). We require that V K (M, T K (M)) = 1 for all M {0,1}. A message authentication scheme is sometimes called an MAC, and also sometimes the tag σ is called an MAC. To measure the security of an MAC, an adversary F is allowed to have accesses to the tagging oracle T K ( ) and verifying oracle V K (, ), and its goal is to make the verifying oracle V K (, ) accept a pair (M, σ) that was not legitimately produced (i.e. the pair is a forgery). If the message M is new, meaning F never made query M of its tagging oracle, the forgery is called a weak forgery. Otherwise, even if the message is not new, as long as the tag is new, the forgery is called a strong forgery. The strong forgery means that the adversary wins as long as σ was never returned by the tagging oracle in response to query M. Definition 1 (Security of message authentication scheme [9] ). Let MA = (K, T, V) be a message authentication scheme. Let k N, and let F W and F S be adversaries that are able to access to two oracles. Consider the following experiments: Exp wuf cma MA,F (k) W K R K(k). If F T K( ),V K (, ) W makes a query (M, σ) to the oracle V K (, ), such that V K (M, σ) return 1, and M was never queried to the oracle T K ( ), then returns 1, else return 0. Exp suf cma MA,F (k) S K R K(k). If F T K( ),V K (, ) S makes a query (M, σ) to the oracle V K (, ), such that V K (M, σ) return 1, and σ was never returned by the oracle T K ( ) in response to query M, then returns 1, else return HU Z Y et al. Sci China Ser F-Inf Sci Sep vol. 52 no

5 We define the advantages of the forgers via Adv wuf cma MA,F W (k) = Pr[Exp wuf cma MA,F W (k) = 1], Adv suf cma MA,F S (k) = Pr[Exp suf cma MA,F S (k) = 1]. We define the advantage functions of the scheme as follows. For any integers t,q t,q v,u t,u v, Adv wuf cma MA (k,t,q t,q v,u t,u v ) = max {Adv wuf cma MA,F F W (k)}, W Adv suf cma MA (k,t,q t,q v,u t,u v ) = max F S {Adv suf cma MA,F S (k)}, where the maximum is over all F W, F S with time complexity t, making at most q t oracle queries to T K ( ) the sum of whose lengths is at most u t bits, and making at most q v oracle queries to V K (, ) the sum of whose lengths is at most u v bits. The scheme MA is said to be WUF-CMA (weak unforgeability under chosen-message attacks) secure resp. SUF-CMA (strong unforgeability under chosen-message attacks) secure if the function Adv wuf cma MA,F W (k) resp. Adv suf cma MA,F S (k) is negligible for any forger F whose time complexity is polynomial in k. 2.3 Syntax and security of symmetric encryption schemes A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: The randomized key generation algorithm K that takes input a security parameter k N and returns a key K (we write K R K(k)). The encryption algorithm E that could be randomized or stateful, and takes the key K and a plaintext M to return a ciphertext C(we write C R E K (M)). The decryption algorithm D that is deterministic and stateless, and takes the key K and a string C to return either the corresponding plaintext M or the invalid symbol (we write x D K (C) where x {0,1} { }). We require that D K (E K (M)) = M for all M {0,1} Privacy of symmetric encryption schemes. The privacy of encryption scheme is measured by indistinguishability via the left-or-right model of ref. [10]. The left-or-right encryption oracle E K (LR(,,b)), where b {0,1} is defined to take input (x 0, x 1 ), computes C E K (x b ) and returns C (if E is randomized, the oracle picks any coins that E might need, and if E is stateful then updates its state appropriately). The adversary is allowed to query the oracle E K (LR(,,b)) with the pair (x 0, x 1 ) of its chosen that consists of two equal length messages and gets the return of the oracle. Its goal is to guess the challenge bit b chosen at random by the oracle. An encryption scheme is IND-CPA (indistinguishability under chosen-plaintext attacks) secure, if a reasonable adversary cannot obtain significant advantage in distinguishing the cases b = 0 and b = 1 given access to the oracle. To model IND- CCA (indistinguishability under chosen-ciphertext attacks), the adversary is allowed also to access to the decryption oracle, with the only restriction that it cannot query the decryption oracle a ciphertext output by the left-or-right encryption oracle. Definition 2 (Indistinguishability of a symmetric encryption scheme [9] ). Let SE = (K, E, D) be a symmetric encryption scheme. Let b {0, 1}, k N. Let A cpa be an adversary that can access to one oracle and let A cca be an adversary that can access to two oracles. Now, we consider the following experiments: Exp ind cpa b SE,A cpa (k) K R K(k). b A E K(LR(,,b)) cpa (k) return b Exp ind cca b SE,A cca (k) K R K(k). b A E K(LR(,,b)),D K ( ) cca (k) return b Above it is mandated that A cca never queries D K ( ) on a ciphertext C output by the E K (LR(,,b)) oracle, and that the two messages queried of E K (LR(,,b)) always have equal length. We define the advantages of the adversaries via Adv ind cpa SE,A cpa (k) = Pr[Exp ind cpa 1 SE,A cpa (k) = 1] Pr[Exp ind cpa 0 SE,A cpa (k) = 1], Adv ind cca SE,A cca (k) = Pr[Exp ind cca 1 SE,A cca (k) = 1] Pr[Exp ind cca 0 SE,A cca (k) = 1]. HU Z Y et al. Sci China Ser F-Inf Sci Sep vol. 52 no

6 We define the advantage functions of the scheme as follows. For any integers t,q e,q d,u e,u d, Adv ind cpa SE (k,t,q e,u e ) = max {Adv ind cpa SE,A A cpa (k)}, cpa Adv ind cca SE (k,t,q e,q d,u e,u d )=max {Adv ind cca SE,A A cca (k)}, cca where the maximum is over all A cpa, A cca with time-complexity t, each making to the oracle E K (LR(,,b)) at most q e queries the sum of whose lengths is at most u e bits, and, in the case of A cca, also making to the oracle D K ( ) at most q d queries the sum of whose lengths is at most u d bits. The scheme SE is said to be IND-CPA (indistinguishability under chosen-plaintext attacks) secure resp. IND-CCA (indistinguishability under chosen-ciphertext attacks) secure if the function Adv ind cpa SE,A (k) resp. Advind cca SE,A (k) is negligible for any adversary A whose time-complexity is polynomial in k Integrity of symmetric encryption schemes. To characterize the integrity (authenticity) of an encryption scheme SE = (K, E, D), an algorithm D K( ), called ciphertext verification algorithm or ciphertext verification oracle, is defined as follows [9] : D K(C) If D K (C) then return 1, Else return 0. Similar to the security definition of MAC, the adversary is allowed to have accesses to the encryption oracle E K ( ) and the ciphertext verification oracle D K( ). Its goal is to make the verification oracle accept a ciphertext that was not legitimately produced (i.e. forgery). If the corresponding plaintext was never queried of the encryption oracle, we call the forgery a plaintext forgery. A scheme in which it is computationally infeasible for the adversary to achieve this type of forgery is said to preserve the integrity of plaintexts. If the ciphertext was never returned by the encryption oracle, even if the corresponding plaintext was queried of the encryption oracle, then we call the forgery a ciphertext forgery. A scheme in which it is computationally infeasible for the adversary to achieve this type of success is said to preserve the integrity of ciphertexts. Definition 3 (Integrity of a symmetric encryption scheme [9] ). Let SE = (K, E, D) be a symmetric encryption scheme. Let k N. Let A ptxt and A ctxt be adversaries that can access to two oracles. Consider the following experiments: Exp int ptxt SE,A ptxt (k) K R K(k). If A E K( ),D K( ) ptxt (k) makes a query C to the oracle D K( ), such that D K(C) return 1, and D K (C) was never queried to the oracle E K ( ), then returns 1, else return 0. Exp int ctxt SE,A ctxt (k) K R K(k). If A E K( ),D K( ) ctxt (k) makes a query C to the oracle D K( ), such that D K(C) return 1, and C was never a response of E K ( ), then returns 1, else return 0. We define the advantages of the adversaries via Adv int ptxt SE,A ptxt (k) = Pr[Exp int ptxt SE,A ptxt (k) = 1], Adv int ctxt SE,A ctxt (k) = Pr[Exp int ctxt SE,A ctxt (k) = 1]. We define the advantage functions of the scheme as follows. For any integers t,q e,q d,u e,u d, Adv int ptxt SE (k,t,q e,q d,u e,u d ) = max {Adv int ptxt SE,A A ptxt (k)}, ptxt Adv int ctxt SE (k,t,q e,q d,u e,u d ) = max {Adv int ctxt SE,A A ctxt (k)}, ctxt where the maximum is over all A ptxt, A ctxt with time-complexity t, each making to the oracle E K ( ) at most q e queries the sum of whose lengths is at most u e bits, and, each making to the oracle D K( ) at most q d queries the sum of whose lengths is at most u d bits. The scheme SE is said to be INT- PTXT (integrity of plaintext) secure resp. INT- CTXT (integrity of ciphertext) secure if the function Adv int ptxt SE,A (k) resp. Adv int ctxt SE,A (k) is negligible for any adversary A whose time-complexity is polynomial in k. We notice that, while the verification algorithm or verification oracle D K(C) is to characterize the ability of an adversary in forging a legitimate ciphertext, it provides the adversary another ability to know whether a doctored ciphertext is valid. Different from the CPA and CCA, it is just this 1622 HU Z Y et al. Sci China Ser F-Inf Sci Sep vol. 52 no

7 simple Yes or No answer that may disclose the sensitive information of the challenge plaintext. We produce a new security notion IND-CVA (indistinguishability of an encryption scheme under ciphertext verification attacks) to describe the privacy of an encryption scheme under this situation. 3 The definition of IND-CVA security 3.1 Definition of IND-CVA security Like CPA-security and CCA-security, we measure CVA-security via the left-or-right model of ref. [10], too. The left-or-right encryption oracle E K (LR(,,b)) and the goal of the adversary is defined same as the CPA-security. To model ciphertext-verification attacks we allow the adversary to access to the ciphertext-verification oracle D K( ) besides the encryption oracle E K ( ). The detailed definition of CVA-security is as follows. Definition 4 (IND-CVA, indistinguishability of a symmetric encryption scheme under ciphertextverification attacks). Let SE = (K, E, D) be a symmetric encryption scheme. Let b {0, 1}, k N. Let A cva be an adversary that can access to the encryption oracle E K (LR(,,b)) and the ciphertext verification oracle D K( ). Consider the following experiment: Exp ind cva b SE,A cva (k) K R K(k). b A E K(LR(,,b)),DK ( ) cva (k), where b is a bit return b. Above it is mandated the two messages queried of E K (LR(,,b)) always have equal length. We define the advantage of the adversary A cva via Adv ind cva SE,A cva (k) = Pr[Exp ind cva 1 SE,A cva (k) = 1] Pr[Exp ind cva 0 SE,A cva (k) = 1]. We define the advantage functions of the scheme as follows. For any integers t,q e,q v,u e,u v, Adv ind cva SE (k,t,q e,q v,u e,u v ) = max {Adv ind cva SE,A A cva (k)}, cva where the maximum is over all A cva with timecomplexity t, each making to the E K (LR(,,b)) oracle at most q e queries the sum of whose lengths is at most u e bits, and, making to the D K( ) oracle at most q v queries the sum of whose lengths is at most u v bits. The scheme SE is said to be IND- CVA secure if the function Adv ind cva SE,A cva (k) is negligible for any adversary A cva whose time-complexity is polynomial in k. Comparing with the reaction attack, we allow the adversary of CVA to access the encryption oracle as well as the ciphertext verification oracle. There are two reasons for allowing the adversary to access the encryption oracle. One is to facilitate the description of relationship with other notions. The other is that accessing to the encryption oracle for adversary is easy to do, especially in the public environment. So we take it for granted. 3.2 Examples of CVA secure encryption schemes Example 1 (OTP mode scheme [1,8] ). Let F : {0,1} l {0,1} l be a family of functions with domain {0,1} l and range {0,1} l where l and l are positive integers. We define the encryption scheme OTP(F) to work on messages of length at most l as follows. A key in the encryption scheme is a description of a member f of the family F. The OTP encryption under f of plaintext M is performed by choosing r {0,1} l and computing c = f(r) M where f(r) is truncated to the length of M. The ciphertext is the pair (r, c). Decryption works in the obvious way. If F is the set of all functions with the above domain and range and f is chosen at random from this family we get perfect secrecy against chosenplaintext attacks as long as there are no repetitions in the values r chosen by the encryptor (after encrypting q different messages a repetition happens with probability q 2 /2 l ). If F is a family of pseudorandom functions then the same security is achieved but in a computational sense, i.e., up to the indistinguishability distance between the pseudorandom family and a truly random function. We now inspect the security of OTP(F) under the sense of IND-CVA security. Notice that, for any r {0,1} l and c {0,1} l, let m = f(r ) c, then m {0,1} l, that is, (r, c ) is a valid cipher- HU Z Y et al. Sci China Ser F-Inf Sci Sep vol. 52 no

8 text, which results the ciphertext verification oracle always returns 1 and tells nothing about the corresponding plaintext. In other words, the verification oracle cannot provide any help to the adversary. So, the OTP(F) is IND-CVA secure, if the F is a family of pseudorandom functions. Example 2 (CBC mode scheme [1,8] ). Let F be a family of permutations over {0,1} l where l is a positive integer. We define the encryption scheme CBC(F) to work on messages of length a multiple of l. A key in the encryption scheme is a description of a member f of the family F. The CBC encryption under f of plaintext x is performed by partitioning x into blocks x[1],...,x[p] of length l each, then choosing r {0,1} l (called initial vector, IV ) and computing the ciphertext c = c[0],c[1],...,c[p] as c[0] = r, c[i] = f(c[i 1] x[i]), i = 1,...,p. Decryption works in the obvious inverse way. It has been proved that if F is the set of all permutations over {0, 1} l and f is chosen at random from F then CBC(F) is IND-CPA secure [8]. If F is the set of all permutations over {0,1} l, then for any f chosen at random from F, CBC(F) is a permutations over {0,1} nl, where n(> 1) is a positive integer. For any string c of length nl(n > 1), the decryption of c does not return the invalid symbol. That is, all the query of verification oracle returns 1, which tells nothing about the corresponding plaintexts. So if F is the set of all permutations over {0,1} l and f is chosen at random from F then CBC(F) is IND-CVA secure. Example 3 (CTR mode scheme [8] ). Let l and L be positive integers, F : {0,1} l {0,1} L be a function family (Not necessarily a family of permutations). We define the encryption scheme CTR(F) to work on messages of length a multiple of l. A key in the encryption scheme is a description of a member f of the family F. The R- CTR (randomized counter) mode encryption under f of plaintext x is performed by partitioning x into blocks x[1],...,x[p] of length l each, then choosing r {0,1} l (called IV ) and computing the ciphertext c = c[0],c[1],...,c[p] as c[0] = r, c[i] = f(r + i) x[i], i = 1,...,p. Decryption works in the obvious way. The C-CTR (counter-based counter) mode maintains a counter ctr that is initially zero instead of the random string r. When encryption blocks x[1],...,x[p] of length l each, it computes the ciphertext c = c[0],c[1],...,c[p] as c[0] = ctr, c[i] = f(ctr + i) x[i] (i = 1,...,p), ctr = ctr + i. It has been proved that if F is a set of pseudorandom function over {0,1} l and f is chosen at random from F then CTR(F) (R-CTR or C-CTR) is IND-CPA secure [8]. Notice the construction of CTR mode, the CTR(F) (R-CTR or C-CTR ) is an onto function. For any ciphertext of length nl(where n > 1 is a positive integer and L is the block length), there is a corresponding plaintext, if there is no integration verification. That is, all the query of verification oracle returns 1, which tells nothing about the corresponding plaintexts. So if F is a set of pseudorandom function over {0,1} l and f is chosen at random from F then CTR(F) (R-CTR or C-CTR) is IND-CVA secure. 4 Relation to other notions The notion IND-CVA is presented to depict the adversary who has access to the ciphertext verification oracle, and to characterize the reaction attack. It is interesting to compare the IND-CVA with other popular security notions. We use the notation A B to denote that the security notion A implies the security notion B, and A B that the security notion A does not imply security notion B. When we claim that A B, we will give a formal proof, whereas when we claim that A B, we will present a counter-example. Theorem 1 (IND-CCA IND-CVA). For any symmetric encryption scheme SE = (K, E, D), if it is IND-CCA secure, it is also IND-CVA secure. An IND-CCA attacker is more powerful than an IND-CVA attacker. For any ciphertext, an IND- CCA attacker will know not only whether it is valid, but also its corresponding plaintext. So, if an adversary, who can only access to ciphertext verification oracle, breaks the security, it can also break the security if it is given more power to access to the decryption oracle. So Theorem HU Z Y et al. Sci China Ser F-Inf Sci Sep vol. 52 no

9 holds obviously. Notice that, Theorem 1 also holds for the generalized chosen-ciphertext attack (INDgCCA) [3]. Theorem 2 (IND-CVA NM-CPA). For any symmetric encryption scheme SE = (K, E, D) which is IND-CVA secure, we can construct a symmetric encryption scheme SE = (K, E, D ) which is also IND-CVA secure but is not NM-CPA secure. Proof of Theorem 2. The SE = (K, E, D ) is constructed as follows: E K(M) C E K (M), C 0 C where 0 is a bit 0, Returns C. D K(C) Parse C as b C where b is a bit, M D K (C ), Returns M. It is obvious that, an adversary can flip the first bit of the challenge ciphertext C to get a new ciphertext that corresponds to the same the challenge plaintext m b. We claim that SE = (K, E, D ) preserves the IND-CVA security of the original scheme of SE = (K, E, D). According to the notion of verification oracle, the verification oracle D K(C) returns whatever the corresponding D K(C ) returns. That is, both of the verification oracles provide the identical information about the challenge message. If the original scheme of SE = (K, E, D) is IND-CVA secure, so is the new scheme SE = (K, E, D ). Theorem 3 (IND-CPA IND-CVA). For any symmetric encryption scheme SE = (K, E, D) which is IND-CPA secure, we can construct a symmetric encryption scheme SE = (K, E, D ) which is also IND-CPA secure but is not IND-CVA secure. Proof of Theorem 3. The SE = (K, E, D ) is constructed as follows: E K(M) C E K (M), C 0 C where 0 is a bit 0, Returns C. D K(C) Parse C as b C where b is a bit, M D K (C ), If b = 0 then returns M, Else parses M as b M where b is a bit, If b = b then return, Else return M An adversary can flip the first bit of the challenge ciphertext C, then queries the verification oracle D K( ) with the new ciphertext. If the first bit of the challenge plaintext m b is 1, then D K( ) will returns 0, otherwise, returns 1. The IND-CPA security of SE = (K, E, D ) is obvious, we omit the proof for conciseness. Remark 1. This example shows exactly how the ciphertext verification compromises the privacy of encryption and how a CVA attacker works. Comparing with the CPA attacker, a CVA attacker needs slightly more power to know whether a ciphertext valid. On one hand, this requirement is commonly met in the network environment. For instance, when a user logs in a server for some service (e.g. ), he sends the server his password to verify his identification, and the server always responses him an invalid message if it fails in verification, which indeed provides a verification oracle to the user. On the other hand, verifying a ciphertext is much easier, and a simple hashing would be sufficient (e.g. HMAC). IND-CVA reveals the influence of integrity on privacy. Remark 2. We compare a CVA attacker with a CCA attacker. A CCA (or even gcca) attacker is more powerful than a CVA attacker. A CCA attacker needs to know exactly the corresponding plaintext of an arbitrary ciphertext, which implies that the attacker must know the validity of the ciphertext, too. Although it is possible for an adversary to have access to a decryption oracle in some cases, the fact is that in most cases, especially in common network environments, the adversary can only have access to the encryption oracle and verification oracle, rather than the exact decryption oracle [1,4 6]. In other words, while the IND-CCA security is a useful and important security notion, it is too strong and not necessary for some (fundamental) applications such as secure channels. Moreover, it is NOT present in the prevalent modes of symmetric encryption (such as in stream ciphers or CBC mode even when the underlying block cipher is chosen-ciphertext secure, see Section 6.11 of ref. [8]) and therefore assuming this strong property as the basic secrecy requirement of the encryption function would exclude the use of such standard efficient mechanisms. HU Z Y et al. Sci China Ser F-Inf Sci Sep vol. 52 no

10 In addition, an IND-CCA attacker usually uses more resources than an IND-CVA attacker. Take the Encrypt-then-MAC paradigm, for instance, an IND-CCA adversary will access to both the MAC verification oracle and decryption oracle. However, an IND-CVA adversary would possibly accesses to the MAC verification oracle only, which consumes resources less than an IND-CCA adversary (e.g. HMAC). Theorem 4 (INT-PTXT IND-CPA IND- CVA). For any authentication scheme MA = (K M, T, V) which is WUF-CMA secure, we can construct an authentication scheme MA = (K M, T, V ), and a symmetric encryption scheme SE = (K E, E, D) which is IND-CPA secure, but the MACthen-Encrypt scheme is not IND-CVA secure. Proof of Theorem 4. We take the example presented in ref. [1] as a counter example. Let MA be a secure single-valued MAC, and define MA to be identical to MA except that on the all-zeros string it allows the last bit of the tag to be set arbitrarily (i.e., for this string the verification function will accept as valid two different tags). An attacker against MtE(OT P, MA ) can distinguish between a ciphertext that encrypts the all-zeros message and the ciphertext of any other message as follows. It just flips the last bit of the ciphertext and watches for acceptance or rejection of the message; clearly, the message is accepted if and only if it was the all-zeros message. Theorem 5 (IND-CVA INT-PTXT). For any symmetric encryption scheme SE = (K, E, D) which is IND-CVA secure, we can construct a symmetric encryption scheme SE = (K, E, D ) which is also IND-CVA secure but is not INT-PTXT secure. Figure 1 Relationship between the IND-CVA and other security conceptions. Theorem 5 can be easily proved with Theorem 1 and the relationship between IND-CCA and INT- PTXT [10]. But, to further illustrate the difference between IND-CVA and INT-PTXT, we give a more primary proof in Appendix. In summary, the relationship between IND-CVA and other conceptions are shown in Figure 1. 5 Practical impacts of IND-CVA 5.1 SSL and MAC-then-Encrypt The famous SSL protocol, which indeed works in the form of MAC-then-Encrypt, is not generally secure conditioning on a SUF-CMA secure MAC and an IND-CPA secure encryption scheme, due to the reaction attack. Then, how is it secure if the underlying encryption scheme is strengthened up to IND-CVA? We review the syntax of MACthen-Encrypt first. Definition 5 (Construction of MAC-then- Encrypt scheme). Let SE = (K E, E, D) and MA = (K M, T, V) be the underlying encryption and authentication scheme respectively, we define MAC-then-Encrypt paradigm of MtE = (K, T E, DV) as follows: K(k) K E K E (k) K M K M (k) Returns K E, K M. T E KE,K M (m) t T KM (m), c E KE (m t), return c. DV KE,K M (c) d D KE (c), parse d as m t If V KM (m, t) = 1 return m else return. Theorem 6 (Integrity of MAC-then-Encrypt). Let SE = (K E, E, D) and MA = (K M, T, V) be an encryption scheme and an authentication schemes respectively. Let MtE = (K, T E, DV) be the composite encryption scheme constructed as per Definition 5. If the underlying encryption scheme SE is IND-CVA secure and the underlying MAC is WUF-CMA secure, then the MAC-then-Encrypt is INT-PTXT secure. Concretely, Adv int ptxt MtE (k) Adv wuf cma MA (k) HU Z Y et al. Sci China Ser F-Inf Sci Sep vol. 52 no

11 While the above theorem holds obviously, the privacy may not be preserved in the MAC-then- Encrypt paradigm. Theorem 7 (MAC-then-Encrypt with a WUF- CMA secure MAC and an IND-CVA secure encryption is not IND-CVA secure). Given the IND-CVA secure OT P scheme mentioned in section 3.2 and a WUF-CMA secure message authentication scheme MA = (K M, T, V), we can construct a message authentication scheme MA, such that MA is WUF-CMA secure, but the composite scheme MtE = (K, T E, DV) formed as per Definition 5 based on OT P and MA is not IND-CVA secure. The counter example used in Theorem 4 can still take effect in proof of Theorem 7. We omit the proof for briefness. Then how about of the security of the MACthen-Encrypt if the underlying encryption scheme is IND-CVA secure and the underlying authentication scheme is SUF-CMA secure? The answer is still negative, as the following theorem says. Theorem 8 (MAC-then-Encrypt with a SUF- CMA secure MAC and an IND-CVA secure encryption is not IND-CVA secure). Given the IND-CVA secure OTP scheme mentioned in section 3.2 and a SUF-CMA secure message authentication scheme MA = (K M, T, V), we can construct an encryption scheme SE, such that SE is IND-CVA secure, but the composite scheme MtE = (K, T E, DV) formed as per Definition 5 based on SE and MA is not IND-CVA secure. The proof of Theorem 8 is tedious, so we put it in Appendix. Remark 3. It is an intuitive and popular way to combine a secure MAC with a secure encryption to guarantee a secure communication. While an authentication (or signature) scheme may indeed enhance the privacy in some mode (i.e. Encryptthen-MAC), Theorem 7 and Theorem 8 show that it may also compromise the privacy in other mode (i.e. MAC-then-Encrypt), due to the integrity verification. We believe the same problem exists in the case of Encrypt-and-MAC. Remark 4. Recall the problem mentioned in ref. [1], due to the reaction attack, an IND-CPA secure encryption scheme may not implement a secure channel by the form of MAC-then-Encrypt, no matter how secure the underlying MAC is. Theorem 8 tells us why the MAC-then-Encrypt is not secure generally, even if the underlying encryption scheme is enhanced up to IND-CVA. Then, is it possible for the MAC-then-Encrypt paradigm to implement secure channel? The answer is yes. As Hu et al. [11] had pointed out, if the underlying encryption scheme is NM-CPA secure, the MACthen-Encrypt can be IND-CCA secure. 5.2 IPSec and Encrypt-then-MAC Up to now, IPSec, which works in the Encryptthen-MAC form, is the unique protocol that works in the composite form and is generally secure in the network setting. While the Encrypt-then-MAC can implement secure channels, its security also shows that the CCA security is not necessary in terms of secure channel. In this section, we will discuss how secure the Encrypt-then-MAC is in the sense of CVA, showing that the CVA security may be sufficient to characterize the privacy requirements of secure channels. We recite the construction of Encrypt-then-MAC first: Definition 6 (Construction of Encryptthen-MAC scheme). Let SE = (K E, E, D) and MA = (K M, T, V) be the underlying encryption and authentication scheme respectively, we define Encrypt-then-MAC paradigm of EtM = (K, T E, DV) as follows: K(k) K E K E (k) K M K M (k) Returns K E, K M. T E KE,K M (m) c E KE (m), t T KM (c ), return c t. DV KE,K M (c) parse c as c t If V KM (c, t ) = 1 then m D KE (c ), return m else return. Theorem 9 (Encrypt-then-MAC with a WUF- CMA secure MAC and an IND-CPA secure encryption is IND-CVA secure and INT-PTXT secure). HU Z Y et al. Sci China Ser F-Inf Sci Sep vol. 52 no

12 Let SE = (K E, E, D) and MA = (K M, T, V) be an encryption scheme and an authentication scheme respectively. Let EtM = (K, T E, DV) be the composite encryption scheme constructed as per Definition 6. If the underlying encryption scheme SE is IND-CPA secure and the underlying MAC is WUF- CMA secure, then EtM is INT-PTXT secure and IND-CVA secure. Concretely, Adv ind cva EtM Adv int ptxt EtM (k) 2Advwuf cma(k) MA + Adv ind cpa SE (k), (1) (k) Advwuf cma MA (k). (2) For the proof of Theorem 9, we refer the reader to Appendix. Remark 5. Because of the reaction attack (recall Theorem 7 and Theorem 8), a MAC-then- Encrypt of IND-CPA secure may not be generally secure in terms of secure channel, which implies that IND-CPA is too weak to guarantee the security of secure channel. On the other hand, as some papers had discussed, while Encrypt-then- MAC can implement secure channels, it needs not be IND-CCA secure and INT-CTXT [1,3]. Then what degree of security should a scheme achieve to implement a secure channel? Theorem 9 shows that it should be both IND-CVA and INT-PTXT secure. Notice that the goal of a secure channel is to provide both integrity and privacy of data transmitted across networks [1,4]. The first goal means that any modification of messages produced by the attacker over the communication links, should be detected and rejected by the recipient; the second goal means that among the many messages exchanged in a session the attacker chooses a pair of test message of which only one is sent, the attacker cannot guess correctly which one was sent with probability significantly greater than 1/2. In other words, the attacker against a secure channel is granted to access to both the encryption oracle and ciphertext verification oracle. It is just the access to both encryption oracle and ciphertext verification oracle that make up the ability of an IND-CVA adversary. So we say IND-CVA as well as INT-PTXT captures exactly the privacy and integrity requirements of secure channel respectively. 6 Conclusions IND-CVA is slightly stronger than IND-CPA, yet much weaker than IND-CCA, and can be satisfied by many popular schemes (e.g. OTP, CBC and CTR). IND-CVA provides a new criterion to measure the privacy of encryption schemes. It fills up the gap between IND-CPA and IND-CCA, complementing the security measurements of encryption schemes. Especially it exactly characterizes the privacy requirements of secure channel, provides a practicable reference for protocol designers. Appendix Proof of some of the theorems Proof of Theorem 5. Let SE = (K, E, D) be the given symmetric encryption scheme. Following the idea of ref. [9], we construct the scheme SE = (K, E, D ) such that SE is IND-CVA secure but is not INT-PTXT secure. The idea is simple. A certain known string (or strings) will be viewed by D as valid and decrypted to certain known messages, so that forgery is easy. But these ciphertexts will never be produced by the encryption algorithm, so privacy will not be affected. Here are the details. The new scheme SE = (K, E, D ) has the same key generation algorithm as the old scheme and the following modified encryption and decryption algorithms: E K(M) D K(C) C E K (M), C 0 C where 0 is the bit 0, return C. parse C as b C where b is a bit, If b = 0 then M D K (C ), return M Else return 0 We present an attack on SE, in the form of an adversary A who defeats the integrity of plaintexts with probability 1 using resources polynomial in the security parameter k. It works as follows: A E K( ),D K( ) (k) Submits query 10 to oracle D K ( ) We observe that D K(10) = 0, meaning 10 is a valid ciphertext, and it decrypts to a message 1628 HU Z Y et al. Sci China Ser F-Inf Sci Sep vol. 52 no

13 (namely 0) that the adversary has not queried of its oracle. So Adv int ptxt SE,A (k) = 1. Also, A makes zero queries to E K( ) and one query to D K( ) totaling 2 bits, and is certainly poly(k)-time (i.e. time-complexity is polynomial in security parameter k). To prove that SE is IND-CVA secure, it suffices to associate with any poly(k)-time adversary A attacking SE in the IND-CVA sense a poly(k)-time adversary B attacking SE in the IND-CVA sense such that Adv ind cva SE,A (k) Advind cva SE,B (k). Adversary B simply simulates A and uses its oracles to answer A s oracle queries in a straightforward manner as follows: B E K(LR(,,b)),D K( ) (k) Runs A as follows: When A makes a query M i,0,m i,1 to its left-or-right encryption oracle, does A = 0 E K (LR(M i,0,m i,1, b)) When A makes a query C i to its ciphertext verification oracle, does Parses C i as b i C i where b i is a bit If b i = 0 then A = D K (C i) Else A = 1 Until A halts and returns b Returns b. The adversary B correctly simulates the oracles that A needs. As the code shows, it is easy for B to break the scheme if A can. Furthermore, the resource usage of both adversaries is clearly the same. Thus, if SE is IND-CVA secure, so is SE. Proof of Theorem 8. Given the OPT encryption scheme SE, as we have discussed in section 3.2, it is IND-CVA secure due to that it have not any verification to an arbitrary ciphertext. Now, we consider the following OR encoding scheme, which encodes a message x of n-bits into a 2n-bits string x by representing each bit x i (i = 1,...,n), in x with two bits in x as follows: 1. if bit x i = 0 then the pair of bits (x 2i 1,x 2i ) is set to (0, 0); 2. if bit x i = 1 then the pair of bits (x 2i 1,x 2i) is set to (0, 1) or to (1, 0) or to (1, 1) (by arbitrary random choice of the encrypting party). We construct an encryption function SE as follows: to encrypt a string x, the OR encoding scheme is applied to the x to obtain string x. Then the OTP scheme is applied to sting x. For decrypting y = SE (x), one first applies the decryption function of OTP to obtain x which is then decoded into x by mapping a pair (0, 0) into 0 and either pair (0, 1) or (1, 0) or (1, 1) into 1. It is easy to see that, if a string y is the ciphertext of x, then the decryption of y is identical with the plaintext string x, and the SE is IND-CVA secure just as the original SE is. For any SUF-CMA secure MAC (e.g. HMAC) and the above encryption scheme SE, we can construct an adversary A such that Adv ind cva MtE,A (k) = 2 3. The adversary A works as follows: A ind cva MtE (k) C SE (LR(0, 1, b)) Flips the first two bits of the ciphertext C to get C,submits C as a query to the verification oracle DV ( ). v DV (C ) If v = 1,then returns 1, Else returns 0. (A1) Next, we calculate the succeed probability of adversary A. Consider the decryption of the ciphertext C. Let M be the first intermediate plaintext of C decrypted by the original OTP scheme, M the second intermediate plaintext decoded from M (M would possibly not be the final plaintext, because it should be further verified by the MAC). Notice that, since the underlying MAC is SUF-CMA secure, v=1 means that the second intermediate plaintext M of C decrypted by SE is not new to the encryption scheme SE. Since C comes from C by flipping its first two bits, if b=0, the first two bits of M should be (1, 1) and the first bit of M should be 1, implying the chance of v=1 should be 0; if b=1, the first two bits of M should be (0, 1), (1, 0) or (0, 0), and the first bit of M should be 1 or 0 with the probability of 2 3 and 1 3 respectively. Thus Pr[v = 1 b = 1] = 2 3, (A2) HU Z Y et al. Sci China Ser F-Inf Sci Sep vol. 52 no

14 Notice that and Therefore and Pr[v = 1 b = 0] = 0. Pr[v = 1] = Pr[v = 1 b = 0] + Pr[v = 1 b = 1] = 0 + Pr[v = 1 b = 1] (A3) = Pr[v = 1 b = 1] Pr[b = 1] = = 1 3, (A4) Pr[v = 0] = 1 Pr[v = 1] = 2 3. Pr[b = 1 v = 1] = Pr[v = 1 b = 1]/Pr[v = 1] (A5) = Pr[v = 1 b = 1] Pr[b = 1]/Pr[v = 1] = /1 = 1, (A6) 3 Pr[b = 1 v = 0] = Pr[v = 0 b = 1]/Pr[v = 0] = Pr[v = 0 b = 1] Pr[b = 1]/Pr[v = 0] = /2 3 = 1 (A7) 4 Denote by b the return value of adversary A. From eqs. (A4) (A7), we have Pr[b = b] = Pr[b = b v = 0] + Pr[b = b v = 1] and Eq. (A1) holds. = Pr[b = b v = 0] Pr[v = 0] + Pr[b = b v = 1] Pr[v = 1] = = , Adv ind cva MtE,A (k) = 2 3. Proof of Theorem 9. Eq. (2) holds obviously, and we prove eq. (1) only. Let A be an effective attack algorithm against the IND-CVA of EtM, following the definition of IND-CVA, we consider the following attack games: 1 Krawczyk H. The order of encryption and authentication for protecting communications (or: How Security Is SSL?). In: Crypto 01, LNCS Vol Berlin: Springer-Verlag, Game 0, Game 1 K E K E (k);k M K M (k); Run A When A queries the encryption oracle T E KE,K M ( ) with (M 0,M 1 ), do c E KE (LR(M 0,M 1,b)) t T KM (c ); c c t A = c. When A queries the verification oracle DV K E,K M ( ) with c, do Parse c as c t if V KM (c, t ) = 0 then A = 0 else A = D K E (c )//replaced by A =1 in Game 1 If A output b, return b. Let S i (i=0,1) be the event that the adversary A success (i.e. b =b) in the Game i, then 1 2 Advind cva EtM,A (k) = Pr[S 0]. (A8) Next, we define E to be the event V KM (c,t )=1 and c is never be returned by the encryption oracle E KE ( ). When E(the complement of E) occurs, i.e. V KM (c,t )= 0 or V KM (c,t )=1 but c is already returned by the encryption oracle E KE ( ), Game 1 works exactly the same as Game 0. Thus by the results of refs. [12, 13] Pr[S 0 ] Pr[S 1 ] Pr[E]. (A9) Obviously, given A, we can construct two new adversary A and F such that the following lemmas hold. Pr[E] Adv wuf cma MA,F (k), (A10) Pr[S 1 ] Pr ind cpa SE,A [b = b]. (A11) Combining eqs. (A8) (A11), we have 1 2 Advind cva EtM,A (k) = Pr[S 0] Pr[E] + Pr[S 1 ] Adv wuf cma MA,F (k) + Pr ind cpa SE,A [b = b] = Adv wuf cma MA,F (k) Advind cpa SE,A (k) Some algebraic manipulation leads to eq. (1). 2 Hall C, Goldberg I, Schneier B. Reaction attacks against several public-key cryptosystems. In: Varadharajan V, Mu Y, eds. Proceedings of Information and Communication Security, ICICS 99, vol Berlin: Springer-Verlag, HU Z Y et al. Sci China Ser F-Inf Sci Sep vol. 52 no

15 3 An J H, Dodis T, Rabin T. On the security of joint signature and encryption. In: Knudsen L, ed. Advances in Cryptology EUROCRYPT 2002, vol of Lecture Notes in Computer Science. Berlin: Springer-Verlag, Canetti R, Krawczyk H. Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann B, ed. Advances in Cryptology EUROCRYPT 2001, vol of Lecture Notes in Computer Science. Berlin: Springer-Verlag, Extended version at 2001/040 5 Canetti R, Krawczyk H. Universally composable notions of key exchange and secure channels. In: Eurocypt 02, LNCS Vol Extended version at oacr.ogr/2002/ Canetti R. Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, 2001, the latest full version available at 7 Namprempre C. Secure channels based on authenticated encryption schemes: a simple characterization. In: Zheng Y, ed. Advance in Cryptology-ASIACRYPT 2002, Lecture Notes in Computer Science. Berlin: Springer-Verlag, Goldwasser S, Bellare M. Lecture Notes on Cryptography. Summer course on cryptography, MIT, Available from 9 Bellare M, Namprempre C. Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In: Okamoto T, ed. Advances in Cryptology ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science. Berlin: Springer-Verlag, Bellare M, Desai A, Jokipii E, et al. A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation. In: Proceedings of the 38th Symposium on Foundations of Computer Science, IEEE Computer Society Press, Hu Z Y, Lin D D, Wu W L. Security notes on the MACthen-Encrypt paradigm. In: Proceedings of the Eighth International Conference for Young Computer Scientist, Beijing, China, Bellare M, Rogaway P. The game-playing technique. Cryptology eprint Archive 2004/332, December 1, Shoup V. Sequences of games: a tool for taming complexity in security proofs. Cryptology eprint Archive 2004/332, November 30, HU Z Y et al. Sci China Ser F-Inf Sci Sep vol. 52 no

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense

More information

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication

More information

Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

More information

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm An extended abstract of this paper appears in Tatsuaki Okamoto, editor, Advances in Cryptology ASIACRYPT 2000, Volume 1976 of Lecture Notes in Computer Science, pages 531 545, Kyoto, Japan, December 3

More information

Authentication and Encryption: How to order them? Motivation

Authentication and Encryption: How to order them? Motivation Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in

More information

Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

More information

CryptoVerif Tutorial

CryptoVerif Tutorial CryptoVerif Tutorial Bruno Blanchet INRIA Paris-Rocquencourt bruno.blanchet@inria.fr November 2014 Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 1 / 14 Exercise 1: preliminary definition SUF-CMA

More information

1 Message Authentication

1 Message Authentication Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

More information

Message Authentication Code

Message Authentication Code Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

More information

Authenticated encryption

Authenticated encryption Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu October 16th, 2013 Active attacks on CPA-secure encryption

More information

Message Authentication Codes 133

Message Authentication Codes 133 Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in

More information

Lecture 13: Message Authentication Codes

Lecture 13: Message Authentication Codes Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts

More information

Chapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes

Chapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret

More information

MACs Message authentication and integrity. Table of contents

MACs Message authentication and integrity. Table of contents MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

More information

1 Construction of CCA-secure encryption

1 Construction of CCA-secure encryption CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

More information

Talk announcement please consider attending!

Talk announcement please consider attending! Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically

More information

MAC. SKE in Practice. Lecture 5

MAC. SKE in Practice. Lecture 5 MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve

More information

Symmetric Crypto MAC. Pierre-Alain Fouque

Symmetric Crypto MAC. Pierre-Alain Fouque Symmetric Crypto MAC Pierre-Alain Fouque Birthday Paradox In a set of D elements, by picking at random D elements, we have with high probability a collision two elements are equal D=365, about 23 people

More information

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

More information

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1 SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct

More information

Reconsidering Generic Composition

Reconsidering Generic Composition Reconsidering Generic Composition Chanathip Namprempre Thammasat University, Thailand Phillip Rogaway University of California, Davis, USA Tom Shrimpton Portland State University, USA 1/24 What is the

More information

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

More information

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal Symmetric Crypto Pierre-Alain Fouque Birthday Paradox In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal N=365, about 23 people are

More information

Lecture 3: One-Way Encryption, RSA Example

Lecture 3: One-Way Encryption, RSA Example ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

More information

Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

More information

Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes

More information

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

More information

Overview of Symmetric Encryption

Overview of Symmetric Encryption CS 361S Overview of Symmetric Encryption Vitaly Shmatikov Reading Assignment Read Kaufman 2.1-4 and 4.2 slide 2 Basic Problem ----- ----- -----? Given: both parties already know the same secret Goal: send

More information

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

More information

1 Signatures vs. MACs

1 Signatures vs. MACs CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

More information

Chapter 12. Digital signatures. 12.1 Digital signature schemes

Chapter 12. Digital signatures. 12.1 Digital signature schemes Chapter 12 Digital signatures In the public key setting, the primitive used to provide data integrity is a digital signature scheme. In this chapter we look at security notions and constructions for this

More information

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6. 1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

More information

Introduction. Digital Signature

Introduction. Digital Signature Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

More information

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen - Huawei, Singapore Ye Zhang - Pennsylvania State University, USA Siu Ming

More information

Security Analysis of DRBG Using HMAC in NIST SP 800-90

Security Analysis of DRBG Using HMAC in NIST SP 800-90 Security Analysis of DRBG Using MAC in NIST SP 800-90 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@u-fukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator

More information

1 Domain Extension for MACs

1 Domain Extension for MACs CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).

More information

Chapter 3. Network Domain Security

Chapter 3. Network Domain Security Communication System Security, Chapter 3, Draft, L.D. Chen and G. Gong, 2008 1 Chapter 3. Network Domain Security A network can be considered as the physical resource for a communication system. This chapter

More information

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

More information

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

More information

CS155. Cryptography Overview

CS155. Cryptography Overview CS155 Cryptography Overview Cryptography Is n A tremendous tool n The basis for many security mechanisms Is not n The solution to all security problems n Reliable unless implemented properly n Reliable

More information

Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Developing and Investigation of a New Technique Combining Message Authentication and Encryption Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas El-Qawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.

More information

Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53

Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Cryptography and Network Security, PART IV: Reviews, Patches, and Theory Timo Karvi 11.2012 Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Key Lengths I The old

More information

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13 Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 13 Some More Secure Channel Issues Outline In the course we have yet only seen catastrophic

More information

EXAM questions for the course TTM4135 - Information Security May 2013. Part 1

EXAM questions for the course TTM4135 - Information Security May 2013. Part 1 EXAM questions for the course TTM4135 - Information Security May 2013 Part 1 This part consists of 5 questions all from one common topic. The number of maximal points for every correctly answered question

More information

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

More information

Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol

Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol Mihir Bellare UC San Diego mihir@cs.ucsd.edu Tadayoshi Kohno UC San Diego tkohno@cs.ucsd.edu Chanathip Namprempre Thammasat

More information

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

More information

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Error oracle attacks and CBC encryption Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Agenda 1. Introduction 2. CBC mode 3. Error oracles 4. Example 1 5. Example 2 6. Example 3 7. Stream ciphers

More information

Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

More information

Digital Signatures. What are Signature Schemes?

Digital Signatures. What are Signature Schemes? Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counter-parts of the message authentication schemes in the public

More information

Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak

Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak Non-Black-Box Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a

More information

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

More information

Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages:

Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages: Designing Hash functions and message authentication codes Reviewing... We have seen how to authenticate messages: Using symmetric encryption, in an heuristic fashion Using public-key encryption in interactive

More information

Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

More information

Ky Vu DeVry University, Atlanta Georgia College of Arts & Science

Ky Vu DeVry University, Atlanta Georgia College of Arts & Science Ky Vu DeVry University, Atlanta Georgia College of Arts & Science Table of Contents - Objective - Cryptography: An Overview - Symmetric Key - Asymmetric Key - Transparent Key: A Paradigm Shift - Security

More information

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

More information

Chapter 7. Message Authentication. 7.1 The setting

Chapter 7. Message Authentication. 7.1 The setting Chapter 7 Message Authentication In most people s minds, privacy is the goal most strongly associated to cryptography. But message authentication is arguably even more important. Indeed you may or may

More information

Multi-Recipient Encryption Schemes: Efficient Constructions and their Security

Multi-Recipient Encryption Schemes: Efficient Constructions and their Security This is the full version of the paper with same title that appeared in IEEE Transactions on Information Theory, Volume 53, Number 11, 2007. It extends the previously published versions Ku, BBS. Multi-Recipient

More information

CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014.

CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014. CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014. Instructor: Sharon Goldberg March 25, 2014. 9:30-10:50 AM. One-sided handwritten aid sheet allowed. No cell phone or calculators

More information

Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23 Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

More information

Network Security. Modes of Operation. Steven M. Bellovin February 3, 2009 1

Network Security. Modes of Operation. Steven M. Bellovin February 3, 2009 1 Modes of Operation Steven M. Bellovin February 3, 2009 1 Using Cryptography As we ve already seen, using cryptography properly is not easy Many pitfalls! Errors in use can lead to very easy attacks You

More information

Introduction. Chapter 1

Introduction. Chapter 1 Chapter 1 Introduction This is a chapter from version 1.1 of the book Mathematics of Public Key Cryptography by Steven Galbraith, available from http://www.isg.rhul.ac.uk/ sdg/crypto-book/ The copyright

More information

Advanced Cryptography

Advanced Cryptography Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

More information

On the Security of the CCM Encryption Mode and of a Slight Variant

On the Security of the CCM Encryption Mode and of a Slight Variant On the Security of the CCM Encryption Mode and of a Slight Variant Pierre-Alain Fouque 1 and Gwenaëlle Martinet 2 and Frédéric Valette 3 and Sébastien Zimmer 1 1 École normale supérieure, 45 rue d Ulm,

More information

Secure Computation Without Authentication

Secure Computation Without Authentication Secure Computation Without Authentication Boaz Barak 1, Ran Canetti 2, Yehuda Lindell 3, Rafael Pass 4, and Tal Rabin 2 1 IAS. E:mail: boaz@ias.edu 2 IBM Research. E-mail: {canetti,talr}@watson.ibm.com

More information

CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

More information

Message Authentication Codes. Lecture Outline

Message Authentication Codes. Lecture Outline Message Authentication Codes Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Message Authentication Code Lecture Outline 1 Limitation of Using Hash Functions for Authentication Require an authentic

More information

On the Security of CTR + CBC-MAC

On the Security of CTR + CBC-MAC On the Security of CTR + CBC-MAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBC-MAC (CCM) encryption mode.

More information

6.857 Computer and Network Security Fall Term, 1997 Lecture 4 : 16 September 1997 Lecturer: Ron Rivest Scribe: Michelle Goldberg 1 Conditionally Secure Cryptography Conditionally (or computationally) secure

More information

Client Server Registration Protocol

Client Server Registration Protocol Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are

More information

Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

More information

Recommendation for Applications Using Approved Hash Algorithms

Recommendation for Applications Using Approved Hash Algorithms NIST Special Publication 800-107 Recommendation for Applications Using Approved Hash Algorithms Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y February

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 1 January 9, 2012 CPSC 467b, Lecture 1 1/22 Course Overview Symmetric Cryptography CPSC 467b, Lecture 1 2/22 Course Overview CPSC

More information

The Mathematics of the RSA Public-Key Cryptosystem

The Mathematics of the RSA Public-Key Cryptosystem The Mathematics of the RSA Public-Key Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through

More information

Cryptography: Authentication, Blind Signatures, and Digital Cash

Cryptography: Authentication, Blind Signatures, and Digital Cash Cryptography: Authentication, Blind Signatures, and Digital Cash Rebecca Bellovin 1 Introduction One of the most exciting ideas in cryptography in the past few decades, with the widest array of applications,

More information

Authenticated Encryption (AE) Instructor: Ahmad Boorghany

Authenticated Encryption (AE) Instructor: Ahmad Boorghany Sharif University of Technology Department of Computer Engineering Data and Network Security Lab Authenticated Encryption (AE) Instructor: Ahmad Boorghany Most of the slides are obtained from Bellare and

More information

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering Network Security Gaurav Naik Gus Anderson, Philadelphia, PA Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14:

More information

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives Olivier Pereira Université catholique de Louvain ICTEAM Crypto Group B-1348, Belgium olivier.pereira@uclouvain.be

More information

Cryptography and Network Security Chapter 12

Cryptography and Network Security Chapter 12 Cryptography and Network Security Chapter 12 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 12 Message Authentication Codes At cats' green on the Sunday he

More information

CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography. 8. Encryption -- CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

More information

A Survey and Analysis of Solutions to the. Oblivious Memory Access Problem. Erin Elizabeth Chapman

A Survey and Analysis of Solutions to the. Oblivious Memory Access Problem. Erin Elizabeth Chapman A Survey and Analysis of Solutions to the Oblivious Memory Access Problem by Erin Elizabeth Chapman A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. #01 Lecture No. #10 Symmetric Key Ciphers (Refer

More information

New Efficient Searchable Encryption Schemes from Bilinear Pairings

New Efficient Searchable Encryption Schemes from Bilinear Pairings International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang

More information

Remotely Keyed Encryption Using Non-Encrypting Smart Cards

Remotely Keyed Encryption Using Non-Encrypting Smart Cards THE ADVANCED COMPUTING SYSTEMS ASSOCIATION The following paper was originally published in the USENIX Workshop on Smartcard Technology Chicago, Illinois, USA, May 10 11, 1999 Remotely Keyed Encryption

More information

Cryptography and Network Security: Summary

Cryptography and Network Security: Summary Cryptography and Network Security: Summary Timo Karvi 12.2013 Timo Karvi () Cryptography and Network Security: Summary 12.2013 1 / 17 Summary of the Requirements for the exam The advices are valid for

More information

Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz June 13, 2006 Abstract We propose simple and efficient CCA-secure public-key encryption schemes

More information

Security/Privacy Models for "Internet of things": What should be studied from RFID schemes? Daisuke Moriyama and Shin ichiro Matsuo NICT, Japan

Security/Privacy Models for Internet of things: What should be studied from RFID schemes? Daisuke Moriyama and Shin ichiro Matsuo NICT, Japan Security/Privacy Models for "Internet of things": What should be studied from RFID schemes? Daisuke Moriyama and Shin ichiro Matsuo NICT, Japan 1 Internet of Things (IoT) CASAGRAS defined that: A global

More information

Cryptographic Hash Functions Message Authentication Digital Signatures

Cryptographic Hash Functions Message Authentication Digital Signatures Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBC-MAC Digital signatures 2 Encryption/Decryption

More information

Content Teaching Academy at James Madison University

Content Teaching Academy at James Madison University Content Teaching Academy at James Madison University 1 2 The Battle Field: Computers, LANs & Internetworks 3 Definitions Computer Security - generic name for the collection of tools designed to protect

More information

Computational Soundness of Symbolic Security and Implicit Complexity

Computational Soundness of Symbolic Security and Implicit Complexity Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview

More information

Key Privacy for Identity Based Encryption

Key Privacy for Identity Based Encryption Key Privacy for Identity Based Encryption Internet Security Research Lab Technical Report 2006-2 Jason E. Holt Internet Security Research Lab Brigham Young University c 2006 Brigham Young University March

More information

Cryptography for Secure Channels Kenny Paterson

Cryptography for Secure Channels Kenny Paterson Cryptography for Secure Channels Kenny Paterson Information Security Group Royal Holloway, University of London kenny.paterson@rhul.ac.uk Onassis Foundation Science Lecture Series 1 Outline Introduction

More information

Modes of Operation of Block Ciphers

Modes of Operation of Block Ciphers Chapter 3 Modes of Operation of Block Ciphers A bitblock encryption function f: F n 2 Fn 2 is primarily defined on blocks of fixed length n To encrypt longer (or shorter) bit sequences the sender must

More information

Delegation of Cryptographic Servers for Capture-Resilient Devices

Delegation of Cryptographic Servers for Capture-Resilient Devices ACM, 2001. This is the authors' version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version is available at http://doi.acm.org/10.1145/501983.501986.

More information

Two Factor Zero Knowledge Proof Authentication System

Two Factor Zero Knowledge Proof Authentication System Two Factor Zero Knowledge Proof Authentication System Quan Nguyen Mikhail Rudoy Arjun Srinivasan 6.857 Spring 2014 Project Abstract It is often necessary to log onto a website or other system from an untrusted

More information

CSE/EE 461 Lecture 23

CSE/EE 461 Lecture 23 CSE/EE 461 Lecture 23 Network Security David Wetherall djw@cs.washington.edu Last Time Naming Application Presentation How do we name hosts etc.? Session Transport Network Domain Name System (DNS) Data

More information

Simulation-Based Security with Inexhaustible Interactive Turing Machines

Simulation-Based Security with Inexhaustible Interactive Turing Machines Simulation-Based Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik Christian-Albrechts-Universität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.uni-kiel.de

More information

Recommendation for Cryptographic Key Generation

Recommendation for Cryptographic Key Generation NIST Special Publication 800-133 Recommendation for Cryptographic Key Generation Elaine Barker Allen Roginsky http://dx.doi.org/10.6028/nist.sp.800-133 C O M P U T E R S E C U R I T Y NIST Special Publication

More information

Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012 Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database

More information