Talk announcement please consider attending!

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Talk announcement please consider attending!"

Transcription

1 Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically About Knowledge ABSTRACT: Cryptographic notions of knowledge consider the knowledge obtained, or possessed, by computationally-bounded agents under adversarial conditions. In this talk, we will survey some recent cryptographically-inspired approaches for reasoning about agents' knowledge in the context of mechanism design, coding theory, voting theory and weather forecasting.

2 Optional lab for Assignment 1 solutions: Date: TOMORROW (Tuesday, Feb 3) Time: 1PM 2PM Place: LH 101 (Assignment 2 is due one week from Wednesday!)

3 a1q3a Many students did not follow my hint! Let E be the event that m has property P and let F N be the event that A(m) outputs N consecutive zeros Question asks you to solve for Pr E F N A common (but incorrect) response: Pr[E] = ε (true) Pr F 0 E = δ (true) Pr F 0 E = 1 δ (true) Hence, Pr F 0 = ε δ (true) Hence, Pr F 0 = ε (1 δ) (not true!!! ) Hence, Pr F N = ε (1 δ) N (not true!!! ) Hence Pr[E F N ] = (1 ε 1 δ N ) (not true!!!) What is this probability???

4 a1q3c Another ubiquitous mistake (nobody lost marks, though). What is wrong with the following? 1 2 N /99 N hence, N = 24 consecutive 0s suffice. Log Log N 1 / N N N N 23.24

5 Last Wednesday s lecture: Pseudorandom functions and permutations Birthday bounds Block ciphers Modes of operation (maybe?) Today s lecture: Modes of operation Message authentication codes

6 Review: PRF formal definition Let Func[n] be the set of all function from {0,1} n to 0,1 n Def: A keyed function F: {0,1} {0,1} {0,1} is a pseudorandom function (PRF) iff, for every PPT distinguisher D, there exists a negligible function ε: N R + such that Pr D F(k, ) 1 n = 1 k R 0,1 n Pr D f 1 n = 1 f R Func[n] ε(n)

7 Review: PRF indistinguishability game 1 n 1 N Game 0: Challenger k R 0,1 n D given oracle access to F(k, ) Distinguisher D F(k, ) 1 n 1 N b {0,1} Game 1: 1 n 1 N Challenger f R Func[n] D given oracle access to f Distinguisher D f( ) 1 n 1 N b {0,1} Distinguisher s wins if it outputs b = 0 in Game 0 or b = 1 in Game 1

8 Review: PRP formal definition Let Perm[n] denote the set of all permutations on {0,1} n A keyed permutation is efficient if there is a PPT algorithm to compute its inverse. Def: A keyed permutation Π: {0,1} {0,1} {0,1} is a pseudorandom permutation (PRP) iff it is efficient and, for every PPT distinguisher D, there exists a negligible function ε: N R + such that Pr D Π(k, ) 1 n = 1 k R 0,1 n Pr D π( ) 1 n = 1 π R Perm[n] ε(n)

9 Review: Strong PRPs Def: A keyed bijection Π: {0,1} {0,1} {0,1} is a strong pseudorandom permutation (SPRP) iff it is efficient and, for every PPT distinguisher D, there exists a negligible function ε: N R + such that Pr D Π k,,π 1 (k, ) 1 n = 1 k R 0,1 n Pr D π,π 1 ( ) 1 n = 1 π R Perm[n] ε(n) NOTE: Distinguisher gets oracle access both to the permutation and to the inverse permutation!

10 Fixed-length encryption from strong PRPs Gen(1 n ) outputs k R 0,1 n Enc k (m) outputs c Π k, m Dec k (c) outputs m Π 1 k, c Is this secure? Goals: YES, but only if the key is used to encrypt a single fixed-length plaintext Security for multiple encryptions variable-length encryption with short ciphertexts

11 I538: Introduction to Cryptography Ryan Henry Computationally secret encryption Modes of operation

12 Electronic Code Book (ECB) m m 1 m 2 m l m 1 m 2 k k k m 3 Π k Π k Π k c 1 c 2 c l c c 1 c 2 c l Split m into k -bit blocks and apply PRP Π k to each block individually Does ECB mode offer IND-CPA security? NO! Indistinguishable encryptions in the presence of an eavesdropper? NO!

13 Insecurity of ECB mode (b, 1 n ) 0,1 1 N 1 n 1 N Challenger m 0, m 1 M, m 0 = m 1 k Gen 1 n c Enc k (m b ) Attacker (A) b {0,1} Choose m, m {0,1} n one block each Set m 0 m m and m 1 m m two blocks each Output 1 if c has form c 1 c 1 and output 0 if c has form c 1 c 2 Advantage is Adv eav A = 1 2

14 Insecurity of ECB mode (in picture form) plaintext (bitmap) ECB mode ciphertext CBC mode ciphertext

15 Cipher Block Chaining (CBC) m m 1 m 2 m l m 1 m 2 k k k m l Π k Π k Π k IV c 1 c 2 c l c IV, c 1 c 2 c l Choose IV R {0,1} n and XOR first block with IV prior to encryption XOR each subsequent plaintext block with ciphertext of preceding block Reveal IV along with ciphertext

16 Output Feedback (OFB) m m 1 m 2 m l k k k F k F k F k IV m 1 c 1 m 2 c 2 m l c l c (IV, c 1 c 2 c l ) Choose IV R {0,1} n and XOR first block with F k (IV) i To encrypt ith plaintext block, XOR by F k Reveal IV along with ciphertext IV

17 Counter mode (CTR) m m 1 m 2 m l k IV+1 k IV+2 k IV+l F k F k F k m 1 m 2 m l c 1 c 2 c l c (IV, c 1 c 2 c l ) Essentially a block-by-block stream cipher

18 Comparing modes of operation Electronic Code Book (ECB) mode Pros: simple, parallelizable, non-malleable Cons: no CPA security, no secrecy in the presence of an eavesdropper Cipher Block Chaining (CBC) mode Pros: CPA-secure, parallelizable decryption Cons: encryption is inherently sequential, malleable Output Feedback (OFB) mode Pros: CPA-secure Cons: encryption and decryption both inherently sequential, malleable Counter (CTR) mode Pros: CPA-secure, fully parallelizable Cons: malleable

19 I538: Introduction to Cryptography Ryan Henry Message authentication codes Motivation, definitions, and constructions

20 Secrecy vs Authenticity So far we have only worried about message secrecy Secrecy / authenticity! OTP, stream cipher, CTR and OFB mode Flip bit of CT flip corresponding bit of PT ECB mode Flip bit of CT randomize block of PT Add/remove/permute CT blocks add/remove/permute PT blocks CBC mode Are authenticity attacks possible? YES! Is this detectable?

21 Malleability of CBC mode c (IV, c 1 c 2 c 3 ) c 1 c 2 k k k c 3 IV What integrity attacks are possible? Π 1 k Π 1 k Π 1 k m 1 m 2 m 3 Flip bit in IV flip corresponding bit in m 1 Truncate c 3 from CT truncate m 3 from PT Flip bit in c i randomize m i and flip corresponding bit in m i+1 m m 1 m 2 m 3

22 Non-cryptographic integrity checks Cyclic Redundancy Check (CRC) Detects random errors due to noise channel Not intended to detect intentional errors introduced by an Attacker Straw man proposal: Alice computes c Enc k (m) using CTR mode block cipher Alice computes t CRC(c) Ciphertext is c = c t What can possibly go wrong? c is malleable attacker can modify c and then update t to match!

23 Non-cryptographic integrity checks A candidate fix: Compute t CRC m Ciphertext is c Enc k (m t) What can possibly go wrong now? CRC is linear!! CRC x y z = CRC x CRC y CRC(z) Integrity in the presence of attackers requires a secret key

24 Message authentication codes (MACs) Def: A message authentication code (MAC) is a triple of algorithms (Gen, MAC, Ver) Gen: 1 N K is a randomized algorithm MAC: K M T is a (usually) deterministic algorithm Ver: K M T {0,1} is a deterministic algorithm Often write MAC k (m) instead of MAC k, m, Ver k (m, t) instead of Ver k, m, t M is the message space K is the key space T is the tag space set of possible messages set of possible keys set of possible tags

25 Correctness Intuitively: the property of being able to verify (given the right key) Def: A MAC (Gen, MAC, Ver) is correct if k K and m M, Pr[ Ver k (m, MAC k (m)) = 1 ] = 1

26 MAC-Forgery game 1 n 1 N MAC Oracle m 1 M Attacker 1 n 1 N k Gen(1 n ) t 1 MAC k (m 1 ) m 2 M t 2 MAC k (m 2 ) A MAC(k, ) m q M t q MAC k (m q ) (m, t) M T Attackers wins if (m, t) {(m 1, t 1 ),..., (m q, t q )} and Ver k m, t = 1

27 Existential unforgeability Intuitively: the property of being secure against malicious tampering A s success probability in the MAC-Forgery game denoted Adv MAC A Def: A MAC (Gen, MAC, Ver) is existentially unforgeable under adaptive chosen message attacks if, for every PPT adversary A, there exists a negligible function ε: N R + such that Adv MAC A ε n.

28 Fixed-length MAC from PRFs Gen(1 n ) outputs k R 0,1 n MAC k (m) outputs t F k, m Ver k (m, t) outputs 1 if F k, m = t and 0 otherwise Thm: If F: {0,1} n {0,1} n {0,1} n is a PRF, then (Gen, MAC, Ver) as defined above is existentially unforgeable under adaptive chosen message attacks.

29 PRF fixed-length MAC reduction PRF distinguisher (D) 1 n, O D gets oracle access either to MAC k ( ) or to a PRF F k, In both cases, k R {0,1} n oracle D has advantage Adv PRF D = Adv MAC A! b 1 n t 1 O(m 1 ) t q O(m q ) MAC attacker (A) m 1 m q Adv CPA A = ε(n) (m, t) /

30 Replay attacks MACs guarantee the authenticity of messages in most cases An important case where they do not is replay attacks Common ways to prevent replay: sequence numbers and timestamps

31 Naïve CBC-MAC Let F k k {0,1} be any PRF family Gen(1 n ) outputs k R 0,1 n MAC k m does the following: split m into n-bit blocks m 1,..., m l initialize t 0 = 0 n compute t i = F k (t i 1 m i ) for i = 1,..., l output the tag t = t l Ver k (m, t) outputs 1 if t = MAC k (m) and 0 otherwise

32 Naïve CBC-MAC m m 1 m 2 m 3 m 1 m 2 k k k m 3 F k F k F k 0 n t Is naïve CBC-MAC existentially unforgeable under adaptive chosen message attacks? NO! (but why?)

33 Attacking naïve CBC-MAC 1 n 1 N MAC Oracle Attacker 1 n 1 N k Gen(1 n ) A MAC(k, ) m M t MAC k (m) Indeed: t 1 F k m = t so that t 2 F k m t t = t (m m t, t) M T

34 CBC-MAC Fix 1: Prepend the length Let F k k {0,1} be any PRF family Gen(1 n ) outputs k R 0,1 n MAC k m does the following: split m into n-bit blocks m 1,..., m l initialize t 0 F k (l) pad l to n bits compute t i F k (t i 1 m i ) for i = 1,..., l output the tag t F k (t l )? Ver k (m, t) outputs 1 if t = MAC k (m) and 0 otherwise

35 CBC-MAC Fix 2: nested CBC-MAC (NMAC) Let F k k {0,1} be any PRF family Gen(1 n ) outputs k = (k 1, k 2 ) R 0,1 n {0,1} n MAC k m does the following: split m into n-bit blocks m 1,..., m l initialize t 0 0 n compute t i F k1 (t i 1 m i ) for i = 1,..., l output the tag t F k2 (t l )? Naïve CBC-MAC on the tag using second key Ver k (m, t) outputs 1 if t = MAC k (m) and 0 otherwise

36 CBC-MAC Fix 3: Use a length-specific key Let F k k {0,1} be any PRF family Gen(1 n ) outputs k R 0,1 n MAC k m does the following: split m into n-bit blocks m 1,..., m l compute a key k l F k (l) initialize t 0 0 n compute t i F kl (t i 1 m i ) for i = 1,..., l output the tag t t l derive length-specific key from length + master key? Ver k (m, t) outputs 1 if t = MAC k (m) and 0 otherwise

37 CBC-MAC vs CBC mode encryption CBC mode uses random IV Otherwise, cannot be IND-CPA secure! CBC-MAC uses a fixed IV Otherwise, cannot be existentially unforgeable against chosen message attacks! CBC mode outputs every block of ciphertext Otherwise, cannot be correct! CBC-MAC only outputs last block Otherwise, cannot be existentially unforgeable against chosen message attacks!

MACs Message authentication and integrity. Table of contents

MACs Message authentication and integrity. Table of contents MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

More information

Message Authentication Code

Message Authentication Code Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

More information

Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

More information

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

More information

1 Construction of CCA-secure encryption

1 Construction of CCA-secure encryption CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

More information

1 Message Authentication

1 Message Authentication Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

More information

CS155. Cryptography Overview

CS155. Cryptography Overview CS155 Cryptography Overview Cryptography Is n A tremendous tool n The basis for many security mechanisms Is not n The solution to all security problems n Reliable unless implemented properly n Reliable

More information

Authentication and Encryption: How to order them? Motivation

Authentication and Encryption: How to order them? Motivation Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in

More information

Authenticated encryption

Authenticated encryption Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu October 16th, 2013 Active attacks on CPA-secure encryption

More information

MAC. SKE in Practice. Lecture 5

MAC. SKE in Practice. Lecture 5 MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve

More information

Message Authentication Codes 133

Message Authentication Codes 133 Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in

More information

Lecture 13: Message Authentication Codes

Lecture 13: Message Authentication Codes Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts

More information

Cryptography Overview

Cryptography Overview Cryptography Overview Cryptography Is n A tremendous tool n The basis for many security mechanisms Is not n The solution to all security problems n Reliable unless implemented properly n Reliable unless

More information

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication

More information

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

More information

Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

More information

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Error oracle attacks and CBC encryption Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Agenda 1. Introduction 2. CBC mode 3. Error oracles 4. Example 1 5. Example 2 6. Example 3 7. Stream ciphers

More information

Overview of Symmetric Encryption

Overview of Symmetric Encryption CS 361S Overview of Symmetric Encryption Vitaly Shmatikov Reading Assignment Read Kaufman 2.1-4 and 4.2 slide 2 Basic Problem ----- ----- -----? Given: both parties already know the same secret Goal: send

More information

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1 SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct

More information

Network Security. Modes of Operation. Steven M. Bellovin February 3, 2009 1

Network Security. Modes of Operation. Steven M. Bellovin February 3, 2009 1 Modes of Operation Steven M. Bellovin February 3, 2009 1 Using Cryptography As we ve already seen, using cryptography properly is not easy Many pitfalls! Errors in use can lead to very easy attacks You

More information

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal Symmetric Crypto Pierre-Alain Fouque Birthday Paradox In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal N=365, about 23 people are

More information

CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

More information

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives Olivier Pereira Université catholique de Louvain ICTEAM Crypto Group B-1348, Belgium olivier.pereira@uclouvain.be

More information

Lecture 3: One-Way Encryption, RSA Example

Lecture 3: One-Way Encryption, RSA Example ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

More information

GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell Bar-Ilan University

GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell Bar-Ilan University GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte Shay Gueron Haifa Univ. and Intel Yehuda Lindell Bar-Ilan University Appeared at ACM CCS 2015 How to Encrypt with

More information

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

More information

Modes of Operation of Block Ciphers

Modes of Operation of Block Ciphers Chapter 3 Modes of Operation of Block Ciphers A bitblock encryption function f: F n 2 Fn 2 is primarily defined on blocks of fixed length n To encrypt longer (or shorter) bit sequences the sender must

More information

Message Authentication Codes. Lecture Outline

Message Authentication Codes. Lecture Outline Message Authentication Codes Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Message Authentication Code Lecture Outline 1 Limitation of Using Hash Functions for Authentication Require an authentic

More information

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

More information

Cryptography. Jonathan Katz, University of Maryland, College Park, MD 20742.

Cryptography. Jonathan Katz, University of Maryland, College Park, MD 20742. Cryptography Jonathan Katz, University of Maryland, College Park, MD 20742. 1 Introduction Cryptography is a vast subject, addressing problems as diverse as e-cash, remote authentication, fault-tolerant

More information

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense

More information

Network Security. Chapter 3 Symmetric Cryptography. Symmetric Encryption. Modes of Encryption. Symmetric Block Ciphers - Modes of Encryption ECB (1)

Network Security. Chapter 3 Symmetric Cryptography. Symmetric Encryption. Modes of Encryption. Symmetric Block Ciphers - Modes of Encryption ECB (1) Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 3 Symmetric Cryptography General Description Modes of ion Data ion Standard (DES)

More information

On the Security of CTR + CBC-MAC

On the Security of CTR + CBC-MAC On the Security of CTR + CBC-MAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBC-MAC (CCM) encryption mode.

More information

1 Domain Extension for MACs

1 Domain Extension for MACs CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).

More information

Computational Soundness of Symbolic Security and Implicit Complexity

Computational Soundness of Symbolic Security and Implicit Complexity Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview

More information

Symmetric Crypto MAC. Pierre-Alain Fouque

Symmetric Crypto MAC. Pierre-Alain Fouque Symmetric Crypto MAC Pierre-Alain Fouque Birthday Paradox In a set of D elements, by picking at random D elements, we have with high probability a collision two elements are equal D=365, about 23 people

More information

6.857 Computer and Network Security Fall Term, 1997 Lecture 4 : 16 September 1997 Lecturer: Ron Rivest Scribe: Michelle Goldberg 1 Conditionally Secure Cryptography Conditionally (or computationally) secure

More information

Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Developing and Investigation of a New Technique Combining Message Authentication and Encryption Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas El-Qawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.

More information

Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages:

Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages: Designing Hash functions and message authentication codes Reviewing... We have seen how to authenticate messages: Using symmetric encryption, in an heuristic fashion Using public-key encryption in interactive

More information

Cryptography and Network Security Chapter 12

Cryptography and Network Security Chapter 12 Cryptography and Network Security Chapter 12 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 12 Message Authentication Codes At cats' green on the Sunday he

More information

Reconsidering Generic Composition

Reconsidering Generic Composition Reconsidering Generic Composition Chanathip Namprempre Thammasat University, Thailand Phillip Rogaway University of California, Davis, USA Tom Shrimpton Portland State University, USA 1/24 What is the

More information

Lecture 4 Data Encryption Standard (DES)

Lecture 4 Data Encryption Standard (DES) Lecture 4 Data Encryption Standard (DES) 1 Block Ciphers Map n-bit plaintext blocks to n-bit ciphertext blocks (n = block length). For n-bit plaintext and ciphertext blocks and a fixed key, the encryption

More information

Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

More information

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm An extended abstract of this paper appears in Tatsuaki Okamoto, editor, Advances in Cryptology ASIACRYPT 2000, Volume 1976 of Lecture Notes in Computer Science, pages 531 545, Kyoto, Japan, December 3

More information

Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53

Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Cryptography and Network Security, PART IV: Reviews, Patches, and Theory Timo Karvi 11.2012 Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Key Lengths I The old

More information

Block encryption. CS-4920: Lecture 7 Secret key cryptography. Determining the plaintext ciphertext mapping. CS4920-Lecture 7 4/1/2015

Block encryption. CS-4920: Lecture 7 Secret key cryptography. Determining the plaintext ciphertext mapping. CS4920-Lecture 7 4/1/2015 CS-4920: Lecture 7 Secret key cryptography Reading Chapter 3 (pp. 59-75, 92-93) Today s Outcomes Discuss block and key length issues related to secret key cryptography Define several terms related to secret

More information

Table of Contents. Bibliografische Informationen http://d-nb.info/996514864. digitalisiert durch

Table of Contents. Bibliografische Informationen http://d-nb.info/996514864. digitalisiert durch 1 Introduction to Cryptography and Data Security 1 1.1 Overview of Cryptology (and This Book) 2 1.2 Symmetric Cryptography 4 1.2.1 Basics 4 1.2.2 Simple Symmetric Encryption: The Substitution Cipher...

More information

On the Security of the CCM Encryption Mode and of a Slight Variant

On the Security of the CCM Encryption Mode and of a Slight Variant On the Security of the CCM Encryption Mode and of a Slight Variant Pierre-Alain Fouque 1 and Gwenaëlle Martinet 2 and Frédéric Valette 3 and Sébastien Zimmer 1 1 École normale supérieure, 45 rue d Ulm,

More information

Cryptography and Network Security Chapter 6

Cryptography and Network Security Chapter 6 Cryptography and Network Security Chapter 6 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 6 Block Cipher Operation Many savages at the present day regard

More information

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

More information

Post-Quantum Cryptography #4

Post-Quantum Cryptography #4 Post-Quantum Cryptography #4 Prof. Claude Crépeau McGill University http://crypto.cs.mcgill.ca/~crepeau/waterloo 185 ( 186 Attack scenarios Ciphertext-only attack: This is the most basic type of attack

More information

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

More information

Ciphertext verification security of symmetric encryption schemes

Ciphertext verification security of symmetric encryption schemes www.scichina.com info.scichina.com www.springerlink.com Ciphertext verification security of symmetric encryption schemes HU ZhenYu 1, SUN FuChun 1 & JIANG JianChun 2 1 National Laboratory of Information

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. #01 Lecture No. #10 Symmetric Key Ciphers (Refer

More information

Cryptographic Hash Functions Message Authentication Digital Signatures

Cryptographic Hash Functions Message Authentication Digital Signatures Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBC-MAC Digital signatures 2 Encryption/Decryption

More information

Network Security - ISA 656 Introduction to Cryptography

Network Security - ISA 656 Introduction to Cryptography Network Security - ISA 656 Angelos Stavrou September 18, 2007 Codes vs. K = {0, 1} l P = {0, 1} m C = {0, 1} n, C C E : P K C D : C K P p P, k K : D(E(p, k), k) = p It is infeasible to find F : P C K Let

More information

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13 Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 13 Some More Secure Channel Issues Outline In the course we have yet only seen catastrophic

More information

AES Cipher Modes with EFM32

AES Cipher Modes with EFM32 AES Cipher Modes with EFM32 AN0033 - Application Note Introduction This application note describes how to implement several cryptographic cipher modes with the Advanced ion Standard (AES) on the EFM32

More information

Message Authentication Codes

Message Authentication Codes 2 MAC Message Authentication Codes : and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l08, Steve/Courses/2013/s2/css322/lectures/mac.tex,

More information

Efficient Constructions of Variable-Input-Length Block Ciphers

Efficient Constructions of Variable-Input-Length Block Ciphers Efficient Constructions of Variable-Input-Length Block Ciphers Sarvar Patel 1, Zulfikar Ramzan 2 and Ganapathy S. Sundaram 1 1 Lucent Technologies {sarvar, ganeshs}@bell-labs.com 2 DoCoMo Communications

More information

Cryptographic Engine

Cryptographic Engine Cryptographic Engine HIGHLIGHTS This section of the manual contains the following major topics: 1.0 Introduction... 2 2.0 Registers... 4 3.0 Theory of Operation... 12 4.0 Module Operation... 27 5.0 Operation

More information

Message authentication

Message authentication Message authentication -- Hash based MAC unctions -- MAC unctions based on bloc ciphers -- Authenticated encryption (c) Levente Buttyán (buttyan@crysys.hu) Secret preix method MAC (x) = H( x) insecure!

More information

1 Signatures vs. MACs

1 Signatures vs. MACs CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

More information

Basic network security threats

Basic network security threats Basic network security threats Packet sniffing Packet forgery (spoofed from address) DNS spoofing wrong IP address for hostname Assume bad guy controls network - Can read all your packets - Can tamper

More information

Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012 Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database

More information

Lecture 5 - Cryptography

Lecture 5 - Cryptography CSE497b Introduction to Computer and Network Security - Spring 2007 - Professors Jaeger Lecture 5 - Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/

More information

T Cryptology Spring 2009

T Cryptology Spring 2009 T-79.5501 Cryptology Spring 2009 Homework 2 Tutor : Joo Y. Cho joo.cho@tkk.fi 5th February 2009 Q1. Let us consider a cryptosystem where P = {a, b, c} and C = {1, 2, 3, 4}, K = {K 1, K 2, K 3 }, and the

More information

Evaluation of Some Blockcipher Modes of Operation

Evaluation of Some Blockcipher Modes of Operation Evaluation of Some Blockcipher Modes of Operation Phillip Rogaway University of California, Davis Dept. of Computer Science Davis, California, USA E-mail: rogaway@cs.ucdavis.edu URL: http://www.cs.ucdavis.edu/

More information

One-Way Encryption and Message Authentication

One-Way Encryption and Message Authentication One-Way Encryption and Message Authentication Cryptographic Hash Functions Johannes Mittmann mittmann@in.tum.de Zentrum Mathematik Technische Universität München (TUM) 3 rd Joint Advanced Student School

More information

Professor Radha Poovendran EE Department, University of Washington, Seattle, WA & Professor Dawn Song EECS Department, University of California,

Professor Radha Poovendran EE Department, University of Washington, Seattle, WA & Professor Dawn Song EECS Department, University of California, Professor Radha Poovendran EE Department, University of Washington, Seattle, WA & Professor Dawn Song EECS Department, University of California, Berkeley, CA 1 Summer School Objectives Exposure to current

More information

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

More information

Fundamentals of Computer Security

Fundamentals of Computer Security Fundamentals of Computer Security Spring 2015 Radu Sion Intro Encryption Hash Functions A Message From Our Sponsors Fundamentals System/Network Security, crypto How do things work Why How to design secure

More information

Introduction to Cryptography CS 355

Introduction to Cryptography CS 355 Introduction to Cryptography CS 355 Lecture 30 Digital Signatures CS 355 Fall 2005 / Lecture 30 1 Announcements Wednesday s lecture cancelled Friday will be guest lecture by Prof. Cristina Nita- Rotaru

More information

Cryptography and Network Security: Summary

Cryptography and Network Security: Summary Cryptography and Network Security: Summary Timo Karvi 12.2013 Timo Karvi () Cryptography and Network Security: Summary 12.2013 1 / 17 Summary of the Requirements for the exam The advices are valid for

More information

a Course in Cryptography

a Course in Cryptography a Course in Cryptography rafael pass abhi shelat c 2010 Pass/shelat All rights reserved Printed online 11 11 11 11 11 15 14 13 12 11 10 9 First edition: June 2007 Second edition: September 2008 Third edition:

More information

CUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631

CUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631 Cunsheng DING, HKUST Lecture 08: Key Management for One-key Ciphers Topics of this Lecture 1. The generation and distribution of secret keys. 2. A key distribution protocol with a key distribution center.

More information

Chapter 7. Message Authentication. 7.1 The setting

Chapter 7. Message Authentication. 7.1 The setting Chapter 7 Message Authentication In most people s minds, privacy is the goal most strongly associated to cryptography. But message authentication is arguably even more important. Indeed you may or may

More information

EXAM questions for the course TTM4135 - Information Security May 2013. Part 1

EXAM questions for the course TTM4135 - Information Security May 2013. Part 1 EXAM questions for the course TTM4135 - Information Security May 2013 Part 1 This part consists of 5 questions all from one common topic. The number of maximal points for every correctly answered question

More information

Hash Functions. Integrity checks

Hash Functions. Integrity checks Hash Functions EJ Jung slide 1 Integrity checks Integrity vs. Confidentiality! Integrity: attacker cannot tamper with message! Encryption may not guarantee integrity! Intuition: attacker may able to modify

More information

Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

More information

Sample or Random Security A Security Model for Segment-Based Visual Cryptography

Sample or Random Security A Security Model for Segment-Based Visual Cryptography Sample or Random Security A Security Model for Segment-Based Visual Cryptography Sebastian Pape Dortmund Technical University March 5th, 2014 Financial Cryptography and Data Security 2014 Sebastian Pape

More information

Network Security: Secret Key Cryptography

Network Security: Secret Key Cryptography 1 Network Security: Secret Key Cryptography Henning Schulzrinne Columbia University, New York schulzrinne@cs.columbia.edu Columbia University, Fall 2000 c 1999-2000, Henning Schulzrinne Last modified September

More information

Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23 Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

More information

Security Flaws Induced by CBC Padding Applications to SSL, IPSEC, WTLS...

Security Flaws Induced by CBC Padding Applications to SSL, IPSEC, WTLS... Security Flaws Induced by CBC Padding Applications to SSL, IPSEC, WTLS... Serge Vaudenay Swiss Federal Institute of Technology (EPFL) Serge.Vaudenay@epfl.ch Abstract. In many standards, e.g. SSL/TLS, IPSEC,

More information

Introduction. Digital Signature

Introduction. Digital Signature Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

More information

Cryptography and Network Security Block Cipher

Cryptography and Network Security Block Cipher Cryptography and Network Security Block Cipher Xiang-Yang Li Modern Private Key Ciphers Stream ciphers The most famous: Vernam cipher Invented by Vernam, ( AT&T, in 1917) Process the message bit by bit

More information

Fuzzy Identity-Based Encryption

Fuzzy Identity-Based Encryption Fuzzy Identity-Based Encryption Janek Jochheim June 20th 2013 Overview Overview Motivation (Fuzzy) Identity-Based Encryption Formal definition Security Idea Ingredients Construction Security Extensions

More information

Advanced Topics in Cryptography and Network Security

Advanced Topics in Cryptography and Network Security Advanced Topics in Cryptography and Network Security Breno de Medeiros Department of Computer Science Florida State University Advanced Topics in Cryptography and Network Security p.1 Class Reference Sheet

More information

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering Network Security Gaurav Naik Gus Anderson, Philadelphia, PA Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14:

More information

1 Data Encryption Algorithm

1 Data Encryption Algorithm Date: Monday, September 23, 2002 Prof.: Dr Jean-Yves Chouinard Design of Secure Computer Systems CSI4138/CEG4394 Notes on the Data Encryption Standard (DES) The Data Encryption Standard (DES) has been

More information

IronKey Data Encryption Methods

IronKey Data Encryption Methods IronKey Data Encryption Methods An IronKey Technical Brief November 2007 Information Depth:Technical Introduction IronKey is dedicated to building the world s most secure fl ash drives. Our dedication

More information

CS 161 Computer Security Spring 2010 Paxson/Wagner MT2

CS 161 Computer Security Spring 2010 Paxson/Wagner MT2 CS 161 Computer Security Spring 2010 Paxson/Wagner MT2 PRINT your name:, (last) SIGN your name: (first) PRINT your class account login: cs161- Your T s name: Your section time: Name of the person sitting

More information

Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes

More information

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

More information

CryptoVerif Tutorial

CryptoVerif Tutorial CryptoVerif Tutorial Bruno Blanchet INRIA Paris-Rocquencourt bruno.blanchet@inria.fr November 2014 Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 1 / 14 Exercise 1: preliminary definition SUF-CMA

More information

Network Security. Security. Security Services. Crytographic algorithms. privacy authenticity Message integrity. Public key (RSA) Message digest (MD5)

Network Security. Security. Security Services. Crytographic algorithms. privacy authenticity Message integrity. Public key (RSA) Message digest (MD5) Network Security Security Crytographic algorithms Security Services Secret key (DES) Public key (RSA) Message digest (MD5) privacy authenticity Message integrity Secret Key Encryption Plain text Plain

More information

A Survey and Analysis of Solutions to the. Oblivious Memory Access Problem. Erin Elizabeth Chapman

A Survey and Analysis of Solutions to the. Oblivious Memory Access Problem. Erin Elizabeth Chapman A Survey and Analysis of Solutions to the Oblivious Memory Access Problem by Erin Elizabeth Chapman A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in

More information

Massachusetts Institute of Technology Handout 13 6.857: Network and Computer Security October 9, 2003 Professor Ronald L. Rivest.

Massachusetts Institute of Technology Handout 13 6.857: Network and Computer Security October 9, 2003 Professor Ronald L. Rivest. Massachusetts Institute of Technology Handout 13 6.857: Network and Computer Security October 9, 2003 Professor Ronald L. Rivest Quiz 1 1. This quiz is intended to provide a fair measure of your understanding

More information

Cryptography. Lecture Notes from CS276, Spring 2009. Luca Trevisan Stanford University

Cryptography. Lecture Notes from CS276, Spring 2009. Luca Trevisan Stanford University Cryptography Lecture Notes from CS276, Spring 2009 Luca Trevisan Stanford University Foreword These are scribed notes from a graduate course on Cryptography offered at the University of California, Berkeley,

More information

On the Security of Double and 2-key Triple Modes of Operation

On the Security of Double and 2-key Triple Modes of Operation On the Security of Double and 2-key Triple Modes of Operation [Published in L. Knudsen, d., Fast Software ncryption, vol. 1636 of Lecture Notes in Computer Science, pp. 215 230, Springer-Verlag, 1999.]

More information