# Ciphertext verification security of symmetric encryption schemes


## Transcription

holds obviously. Notice that Theorem 1 also holds for the generalized chosen-ciphertext attack (IND-gCCA) [3].

**Theorem 2 (IND-CVA $\nRightarrow$ NM-CPA).** For any symmetric encryption scheme $SE = (K, E, D)$ which is IND-CVA secure, we can construct a symmetric encryption scheme $SE' = (K, E', D')$ which is also IND-CVA secure but is not NM-CPA secure.

*Proof of Theorem 2.* The scheme $SE' = (K, E', D')$ is constructed as follows:

- $E'_K(M)$: $C' \leftarrow E_K(M)$; $C \leftarrow 0 \| C'$, where $0$ is a bit 0; return $C$.
- $D'_K(C)$: parse $C$ as $b \| C'$, where $b$ is a bit; $M \leftarrow D_K(C')$; return $M$.

It is obvious that an adversary can flip the first bit of the challenge ciphertext $C$ to get a new ciphertext that corresponds to the same challenge plaintext $m_b$, so $SE'$ is not NM-CPA secure. We claim that $SE' = (K, E', D')$ preserves the IND-CVA security of the original scheme $SE = (K, E, D)$. According to the notion of the verification oracle, the verification oracle $D'_K(C)$ returns whatever the corresponding $D_K(C')$ returns; that is, both verification oracles provide identical information about the challenge message. If the original scheme $SE = (K, E, D)$ is IND-CVA secure, so is the new scheme $SE' = (K, E', D')$.

**Theorem 3 (IND-CPA $\nRightarrow$ IND-CVA).** For any symmetric encryption scheme $SE = (K, E, D)$ which is IND-CPA secure, we can construct a symmetric encryption scheme $SE' = (K, E', D')$ which is also IND-CPA secure but is not IND-CVA secure.

*Proof of Theorem 3.* The scheme $SE' = (K, E', D')$ is constructed as follows:

- $E'_K(M)$: $C' \leftarrow E_K(M)$; $C \leftarrow 0 \| C'$, where $0$ is a bit 0; return $C$.
- $D'_K(C)$: parse $C$ as $b \| C'$, where $b$ is a bit; $M \leftarrow D_K(C')$; if $b = 0$ then return $M$; else parse $M$ as $b' \| M'$, where $b'$ is a bit; if $b' = b$ then return $\bot$, else return $M$.

An adversary can flip the first bit of the challenge ciphertext $C$ and then query the verification oracle $D'_K(\cdot)$ with the new ciphertext. If the first bit of the challenge plaintext $m_b$ is 1, then $D'_K(\cdot)$ returns 0; otherwise it returns 1. The IND-CPA security of $SE' = (K, E', D')$ is obvious; we omit the proof for conciseness.

**Remark 1.** This example shows exactly how ciphertext verification compromises the privacy of encryption and how a CVA attacker works. Compared with a CPA attacker, a CVA attacker needs slightly more power: it must learn whether a ciphertext is valid. On one hand, this requirement is commonly met in the network environment. For instance, when a user logs in to a server for some service, he sends the server his password to verify his identity, and the server always responds with an "invalid" message if verification fails, which indeed provides a verification oracle to the user. On the other hand, verifying a ciphertext is much easier, and a simple hashing would be sufficient (e.g. HMAC). IND-CVA reveals the influence of integrity on privacy.

**Remark 2.** We compare a CVA attacker with a CCA attacker. A CCA (or even gCCA) attacker is more powerful than a CVA attacker: a CCA attacker needs to know exactly the corresponding plaintext of an arbitrary ciphertext, which implies that the attacker must know the validity of the ciphertext too. Although it is possible for an adversary to have access to a decryption oracle in some cases, in most cases, especially in common network environments, the adversary can only access the encryption oracle and the verification oracle, rather than an exact decryption oracle [1, 4–6]. In other words, while IND-CCA security is a useful and important security notion, it is too strong and not necessary for some (fundamental) applications such as secure channels. Moreover, it is NOT present in the prevalent modes of symmetric encryption (such as stream ciphers or CBC mode, even when the underlying block cipher is chosen-ciphertext secure; see Section 6.11 of ref. [8]), and therefore assuming this strong property as the basic secrecy requirement of the encryption function would exclude the use of such standard efficient mechanisms.

HU Z Y et al. Sci China Ser F-Inf Sci Sep vol. 52 no
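The two constructions from Theorems 2 and 3, as an added example that is not code from the paper: the Python below models both $SE'$ schemes over a one-time pad on bit strings and runs the Theorem 3 adversary (flip the prefix bit, query the verification oracle) against each, so the contrast between "ignore the prefix bit" and "compare it with the plaintext" is visible. The function names, the bit-string representation and the use of `None` for $\bot$ are assumptions of this example.

```python
import secrets

# Underlying IND-CPA scheme SE = (K, E, D): a one-time pad over bit strings.
# Messages, keys and ciphertexts are Python str values of '0'/'1' characters;
# every key is drawn fresh and used for exactly one message.

def K(n):
    """Key generation: a uniformly random n-bit key."""
    return "".join(secrets.choice("01") for _ in range(n))

def xor_bits(a, b):
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def E(key, m):
    return xor_bits(key, m)

def D(key, c):
    return xor_bits(key, c)

# SE' of Theorem 2: prefix a 0 bit on encryption; decryption ignores that bit.
def E2(key, m):
    return "0" + E(key, m)

def D2(key, c):
    b, c_inner = c[0], c[1:]      # b is parsed but never used
    return D(key, c_inner)

# SE' of Theorem 3: same encryption, but decryption compares the prefix bit
# against the first plaintext bit and rejects when both are 1.
def E3(key, m):
    return "0" + E(key, m)

def D3(key, c):
    b, c_inner = c[0], c[1:]
    m = D(key, c_inner)
    if b == "0":
        return m
    b_prime = m[0]
    if b_prime == b:
        return None               # None plays the role of the reject symbol ⊥
    return m

def verification_oracle(decrypt, key):
    """CVA verification oracle: 1 if the ciphertext is valid, 0 otherwise."""
    return lambda c: 0 if decrypt(key, c) is None else 1

def flip_first_bit(c):
    return ("1" if c[0] == "0" else "0") + c[1:]

def cva_adversary(challenge, verify):
    """Adversary from the proof of Theorem 3: flip the first ciphertext bit, ask
    the verification oracle, and output a guess for the first plaintext bit."""
    return "1" if verify(flip_first_bit(challenge)) == 0 else "0"

def recovers_first_bit(enc, dec, m):
    """Encrypt m under a fresh key and report whether the adversary's guess is right.
    Always True for (E3, D3); for (E2, D2) the oracle never says 'invalid', so the
    adversary learns nothing and is right only when the first bit happens to be 0."""
    key = K(len(m))
    verify = verification_oracle(dec, key)
    return cva_adversary(enc(key, m), verify) == m[0]

def flipped_ciphertext_is_valid_for_same_plaintext(enc, dec, m):
    """Theorem 2's observation: the prefix-flipped ciphertext decrypts to the same m."""
    key = K(len(m))
    return dec(key, flip_first_bit(enc(key, m))) == m
```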

In addition, an IND-CCA attacker usually uses more resources than an IND-CVA attacker. Take the Encrypt-then-MAC paradigm, for instance: an IND-CCA adversary accesses both the MAC verification oracle and the decryption oracle, whereas an IND-CVA adversary would possibly access the MAC verification oracle only, which consumes fewer resources (e.g. HMAC).

**Theorem 4 (INT-PTXT $\wedge$ IND-CPA $\nRightarrow$ IND-CVA).** For any authentication scheme $MA = (K_M, T, V)$ which is WUF-CMA secure, we can construct an authentication scheme $MA' = (K_M, T, V')$ and a symmetric encryption scheme $SE = (K_E, E, D)$ which is IND-CPA secure, but the MAC-then-Encrypt scheme built from them is not IND-CVA secure.

*Proof of Theorem 4.* We take the example presented in ref. [1] as a counterexample. Let $MA$ be a secure single-valued MAC, and define $MA'$ to be identical to $MA$ except that on the all-zeros string it allows the last bit of the tag to be set arbitrarily (i.e., for this string the verification function will accept as valid two different tags). An attacker against $\mathrm{MtE}(OTP, MA')$ can distinguish between a ciphertext that encrypts the all-zeros message and the ciphertext of any other message as follows. It just flips the last bit of the ciphertext and watches for acceptance or rejection of the message; clearly, the message is accepted if and only if it was the all-zeros message.

**Theorem 5 (IND-CVA $\nRightarrow$ INT-PTXT).** For any symmetric encryption scheme $SE = (K, E, D)$ which is IND-CVA secure, we can construct a symmetric encryption scheme $SE' = (K, E', D')$ which is also IND-CVA secure but is not INT-PTXT secure.

Figure 1. Relationship between IND-CVA and other security conceptions.

Theorem 5 can be easily proved with Theorem 1 and the relationship between IND-CCA and INT-PTXT [10]. But, to further illustrate the difference between IND-CVA and INT-PTXT, we give a more primary proof in the Appendix. In summary, the relationships between IND-CVA and the other conceptions are shown in Figure 1.

### 5 Practical impacts of IND-CVA

#### 5.1 SSL and MAC-then-Encrypt

The famous SSL protocol, which indeed works in the form of MAC-then-Encrypt, is not generally secure conditioned on a SUF-CMA secure MAC and an IND-CPA secure encryption scheme, due to the reaction attack. Then, is it secure if the underlying encryption scheme is strengthened up to IND-CVA? We review the syntax of MAC-then-Encrypt first.

**Definition 5 (Construction of the MAC-then-Encrypt scheme).** Let $SE = (K_E, E, D)$ and $MA = (K_M, T, V)$ be the underlying encryption and authentication schemes respectively. We define the MAC-then-Encrypt paradigm $\mathrm{MtE} = (K, TE, DV)$ as follows:

- $K(k)$: $K_E \leftarrow K_E(k)$; $K_M \leftarrow K_M(k)$; return $\langle K_E, K_M \rangle$.
- $TE_{K_E, K_M}(m)$: $t \leftarrow T_{K_M}(m)$; $c \leftarrow E_{K_E}(m \| t)$; return $c$.
- $DV_{K_E, K_M}(c)$: $d \leftarrow D_{K_E}(c)$; parse $d$ as $m \| t$; if $V_{K_M}(m, t) = 1$ then return $m$, else return $\bot$.

**Theorem 6 (Integrity of MAC-then-Encrypt).** Let $SE = (K_E, E, D)$ and $MA = (K_M, T, V)$ be an encryption scheme and an authentication scheme respectively, and let $\mathrm{MtE} = (K, TE, DV)$ be the composite encryption scheme constructed as per Definition 5. If the underlying encryption scheme $SE$ is IND-CVA secure and the underlying MAC is WUF-CMA secure, then MAC-then-Encrypt is INT-PTXT secure. Concretely,

$$\mathrm{Adv}^{\mathrm{int\text{-}ptxt}}_{\mathrm{MtE}}(k) \le \mathrm{Adv}^{\mathrm{wuf\text{-}cma}}_{MA}(k).$$

While the above theorem holds obviously, privacy may not be preserved in the MAC-then-Encrypt paradigm.

**Theorem 7 (MAC-then-Encrypt with a WUF-CMA secure MAC and an IND-CVA secure encryption is not IND-CVA secure).** Given the IND-CVA secure OTP scheme mentioned in Section 3.2 and a WUF-CMA secure message authentication scheme $MA = (K_M, T, V)$, we can construct a message authentication scheme $MA'$ such that $MA'$ is WUF-CMA secure, but the composite scheme $\mathrm{MtE} = (K, TE, DV)$ formed as per Definition 5 based on OTP and $MA'$ is not IND-CVA secure.

The counterexample used in Theorem 4 still applies in the proof of Theorem 7; we omit the proof for brevity. Then what about the security of MAC-then-Encrypt if the underlying encryption scheme is IND-CVA secure and the underlying authentication scheme is SUF-CMA secure? The answer is still negative, as the following theorem says.

**Theorem 8 (MAC-then-Encrypt with a SUF-CMA secure MAC and an IND-CVA secure encryption is not IND-CVA secure).** Given the IND-CVA secure OTP scheme mentioned in Section 3.2 and a SUF-CMA secure message authentication scheme $MA = (K_M, T, V)$, we can construct an encryption scheme $SE'$ such that $SE'$ is IND-CVA secure, but the composite scheme $\mathrm{MtE} = (K, TE, DV)$ formed as per Definition 5 based on $SE'$ and $MA$ is not IND-CVA secure.

The proof of Theorem 8 is tedious, so we put it in the Appendix.

**Remark 3.** It is an intuitive and popular way to combine a secure MAC with a secure encryption scheme to guarantee secure communication. While an authentication (or signature) scheme may indeed enhance privacy in some modes (i.e. Encrypt-then-MAC), Theorems 7 and 8 show that it may also compromise privacy in other modes (i.e. MAC-then-Encrypt), due to the integrity verification. We believe the same problem exists in the case of Encrypt-and-MAC.

**Remark 4.** Recall the problem mentioned in ref. [1]: due to the reaction attack, an IND-CPA secure encryption scheme may not implement a secure channel in the form of MAC-then-Encrypt, no matter how secure the underlying MAC is. Theorem 8 tells us why MAC-then-Encrypt is not secure in general, even if the underlying encryption scheme is enhanced up to IND-CVA. Then, is it possible for the MAC-then-Encrypt paradigm to implement a secure channel? The answer is yes. As Hu et al. [11] pointed out, if the underlying encryption scheme is NM-CPA secure, MAC-then-Encrypt can be IND-CCA secure.

#### 5.2 IPSec and Encrypt-then-MAC

Up to now, IPSec, which works in the Encrypt-then-MAC form, is the only protocol that works in the composite form and is generally secure in the network setting. While Encrypt-then-MAC can implement secure channels, its security also shows that CCA security is not necessary for a secure channel. In this section, we discuss how secure Encrypt-then-MAC is in the sense of CVA, showing that CVA security may be sufficient to characterize the privacy requirements of secure channels. We recite the construction of Encrypt-then-MAC first.

**Definition 6 (Construction of the Encrypt-then-MAC scheme).** Let $SE = (K_E, E, D)$ and $MA = (K_M, T, V)$ be the underlying encryption and authentication schemes respectively. We define the Encrypt-then-MAC paradigm $\mathrm{EtM} = (K, TE, DV)$ as follows:

- $K(k)$: $K_E \leftarrow K_E(k)$; $K_M \leftarrow K_M(k)$; return $\langle K_E, K_M \rangle$.
- $TE_{K_E, K_M}(m)$: $c' \leftarrow E_{K_E}(m)$; $t \leftarrow T_{K_M}(c')$; return $c' \| t$.
- $DV_{K_E, K_M}(c)$: parse $c$ as $c' \| t$; if $V_{K_M}(c', t) = 1$ then $m \leftarrow D_{K_E}(c')$ and return $m$, else return $\bot$.

**Theorem 9 (Encrypt-then-MAC with a WUF-CMA secure MAC and an IND-CPA secure encryption is IND-CVA secure and INT-PTXT secure).**
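The two compositions of Definitions 5 and 6, together with the $MA'$ counterexample of Theorems 4 and 7, as an added example that is not code from the paper: it builds MtE and EtM in Python from a one-time pad and HMAC-SHA256, then runs the last-bit-flip reaction test from the proof of Theorem 4 against both orders, so the receiver's accept/reject answer leaks the all-zeros message under MtE but not under EtM. The helper names, HMAC-SHA256 standing in for the single-valued MAC $MA$, and `None` for $\bot$ are assumptions of this example.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes

def otp(key, data):
    """One-time pad: XOR with a fresh key at least as long as data (zip truncates the key)."""
    return bytes(a ^ b for a, b in zip(key, data))

def tag(km, m):
    return hmac.new(km, m, hashlib.sha256).digest()

def verify(km, m, t):
    """The single-valued MAC MA: exactly one tag is accepted per message."""
    return hmac.compare_digest(tag(km, m), t)

def verify_prime(km, m, t):
    """MA' from the proof of Theorem 4: identical to MA, except that on the all-zeros
    message the last bit of the tag may be set arbitrarily (two tags accepted).
    No new message becomes forgeable, so MA' is still WUF-CMA; it is not SUF-CMA."""
    if verify(km, m, t):
        return True
    if len(t) == TAG_LEN and not any(m):   # all-zeros message (also true for empty m)
        return verify(km, m, t[:-1] + bytes([t[-1] ^ 1]))
    return False

# MAC-then-Encrypt (Definition 5): c = E(m || T(m)); decrypt first, then verify the tag on m.
def mte_encrypt(ke, km, m):
    return otp(ke, m + tag(km, m))

def mte_decrypt_verify(ke, km, c, mac_verify):
    d = otp(ke, c)
    m, t = d[:-TAG_LEN], d[-TAG_LEN:]
    return m if mac_verify(km, m, t) else None    # None plays the role of ⊥

# Encrypt-then-MAC (Definition 6): c' = E(m), t = T(c'); verify the tag on c' before decrypting.
def etm_encrypt(ke, km, m):
    c_inner = otp(ke, m)
    return c_inner + tag(km, c_inner)

def etm_decrypt_verify(ke, km, c, mac_verify):
    c_inner, t = c[:-TAG_LEN], c[-TAG_LEN:]
    return otp(ke, c_inner) if mac_verify(km, c_inner, t) else None

MTE = (mte_encrypt, mte_decrypt_verify)
ETM = (etm_encrypt, etm_decrypt_verify)

def flip_last_bit(c):
    return c[:-1] + bytes([c[-1] ^ 1])

def reaction_oracle_accepts(composition, m, mac_verify):
    """The attacker of Theorem 4: encrypt m under fresh keys, flip the last ciphertext
    bit and watch only whether the receiver accepts. Under MtE with MA' the flipped
    ciphertext is accepted iff m is the all-zeros message; under EtM the tag covers the
    (random-looking) ciphertext, so the all-zeros special case never triggers."""
    enc, dec = composition
    ke = secrets.token_bytes(len(m) + TAG_LEN)   # pad long enough for m || tag
    km = secrets.token_bytes(32)
    c = enc(ke, km, m)
    return dec(ke, km, flip_last_bit(c), mac_verify) is not None
```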

3. An J H, Dodis Y, Rabin T. On the security of joint signature and encryption. In: Knudsen L, ed. Advances in Cryptology – EUROCRYPT 2002, vol of Lecture Notes in Computer Science. Berlin: Springer-Verlag.
4. Canetti R, Krawczyk H. Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann B, ed. Advances in Cryptology – EUROCRYPT 2001, vol of Lecture Notes in Computer Science. Berlin: Springer-Verlag. Extended version at /040.
5. Canetti R, Krawczyk H. Universally composable notions of key exchange and secure channels. In: Eurocrypt 02, LNCS Vol. Extended version at iacr.org/2002/.
6. Canetti R. Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, 2001. The latest full version available at.
7. Namprempre C. Secure channels based on authenticated encryption schemes: a simple characterization. In: Zheng Y, ed. Advances in Cryptology – ASIACRYPT 2002, Lecture Notes in Computer Science. Berlin: Springer-Verlag.
8. Goldwasser S, Bellare M. Lecture Notes on Cryptography. Summer course on cryptography, MIT. Available from.
9. Bellare M, Namprempre C. Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto T, ed. Advances in Cryptology – ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science. Berlin: Springer-Verlag.
10. Bellare M, Desai A, Jokipii E, et al. A concrete security treatment of symmetric encryption: analysis of the DES modes of operation. In: Proceedings of the 38th Symposium on Foundations of Computer Science. IEEE Computer Society Press.
11. Hu Z Y, Lin D D, Wu W L. Security notes on the MAC-then-Encrypt paradigm. In: Proceedings of the Eighth International Conference for Young Computer Scientists, Beijing, China.
12. Bellare M, Rogaway P. The game-playing technique. Cryptology ePrint Archive 2004/332, December 1.
13. Shoup V. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive 2004/332, November 30.


### Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives Olivier Pereira Université catholique de Louvain ICTEAM Crypto Group B-1348, Belgium olivier.pereira@uclouvain.be

### Cryptography and Network Security Chapter 12

Cryptography and Network Security Chapter 12 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 12 Message Authentication Codes At cats' green on the Sunday he

### CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

### A Survey and Analysis of Solutions to the. Oblivious Memory Access Problem. Erin Elizabeth Chapman

A Survey and Analysis of Solutions to the Oblivious Memory Access Problem by Erin Elizabeth Chapman A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. #01 Lecture No. #10 Symmetric Key Ciphers (Refer

### New Efficient Searchable Encryption Schemes from Bilinear Pairings

International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang

### Remotely Keyed Encryption Using Non-Encrypting Smart Cards

THE ADVANCED COMPUTING SYSTEMS ASSOCIATION The following paper was originally published in the USENIX Workshop on Smartcard Technology Chicago, Illinois, USA, May 10 11, 1999 Remotely Keyed Encryption

### Cryptography and Network Security: Summary

Cryptography and Network Security: Summary Timo Karvi 12.2013 Timo Karvi () Cryptography and Network Security: Summary 12.2013 1 / 17 Summary of the Requirements for the exam The advices are valid for

### Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz June 13, 2006 Abstract We propose simple and efficient CCA-secure public-key encryption schemes

### Security/Privacy Models for "Internet of things": What should be studied from RFID schemes? Daisuke Moriyama and Shin ichiro Matsuo NICT, Japan

Security/Privacy Models for "Internet of things": What should be studied from RFID schemes? Daisuke Moriyama and Shin ichiro Matsuo NICT, Japan 1 Internet of Things (IoT) CASAGRAS defined that: A global

### Cryptographic Hash Functions Message Authentication Digital Signatures

Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBC-MAC Digital signatures 2 Encryption/Decryption

### Content Teaching Academy at James Madison University

Content Teaching Academy at James Madison University 1 2 The Battle Field: Computers, LANs & Internetworks 3 Definitions Computer Security - generic name for the collection of tools designed to protect

### Computational Soundness of Symbolic Security and Implicit Complexity

Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview

### Key Privacy for Identity Based Encryption

Key Privacy for Identity Based Encryption Internet Security Research Lab Technical Report 2006-2 Jason E. Holt Internet Security Research Lab Brigham Young University c 2006 Brigham Young University March

### Cryptography for Secure Channels Kenny Paterson

Cryptography for Secure Channels Kenny Paterson Information Security Group Royal Holloway, University of London kenny.paterson@rhul.ac.uk Onassis Foundation Science Lecture Series 1 Outline Introduction

### Modes of Operation of Block Ciphers

Chapter 3 Modes of Operation of Block Ciphers A bitblock encryption function f: F n 2 Fn 2 is primarily defined on blocks of fixed length n To encrypt longer (or shorter) bit sequences the sender must

### Delegation of Cryptographic Servers for Capture-Resilient Devices

ACM, 2001. This is the authors' version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version is available at http://doi.acm.org/10.1145/501983.501986.

### Two Factor Zero Knowledge Proof Authentication System

Two Factor Zero Knowledge Proof Authentication System Quan Nguyen Mikhail Rudoy Arjun Srinivasan 6.857 Spring 2014 Project Abstract It is often necessary to log onto a website or other system from an untrusted

### CSE/EE 461 Lecture 23

CSE/EE 461 Lecture 23 Network Security David Wetherall djw@cs.washington.edu Last Time Naming Application Presentation How do we name hosts etc.? Session Transport Network Domain Name System (DNS) Data

### Simulation-Based Security with Inexhaustible Interactive Turing Machines

Simulation-Based Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik Christian-Albrechts-Universität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.uni-kiel.de