# Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Save this PDF as:

Size: px
Start display at page:

## Transcription

8 Description of ENCs: Gen picks k 0 {0, 1} n. Encs k0 (m) returns (k 1, c 1 ), where c 1 = y 1 m, y 1 = F k0 (p B ) and k 1 = F k0 (p A ). Dec proceeds in the natural way. The leakage resulting from Encs k0 (m) is defined as L Encs (k 0, m) := (L F (p A, k 0 ), L F (p B, k 0 ), L (m, y 1 ), S L (k, p A, k 0 ), k ) with k {0, 1} n. Description of ENCs I : Encs I k 0 (m) returns (k 1, c 1 ), where c 1 = y 1 m, y 1 {0, 1} n and k 1 {0, 1} n. The leakage resulting from Encs I k 0 (m) is defined as L ENCs I (k 0, k 1, y 1, m) := (S L (k 0, p A, k 1 ), S L (k 0, p B, y 1 ), L (m, y 1 ), S L (k, p A, k 0 ), k ) with k {0, 1} n. Table 2: The ENCs and ENCs I schemes. scheme. The ENCs scheme, while being similar to the single block version of ENC, bears important differences with it: 1. It has no leak-free initialization process. This is not necessary for a one-time version of the scheme. 2. Its ciphertext contains k 1. While being harmless from a black-box point of view, including k 1 in the ciphertext will show to be useful in bounding the amount of information that leakages can transfer between rounds. We will provide constructive evidence that this addition is necessary after the proof of Lemma Its leakages contain S L (k, p A, k 0), k with a random k. This leakage has a similar purpose as adding k 1 in the ciphertext. Namely, it will be used to bound the information that can leak, in the multi-block setting, from the encryption of previous blocks. 3.4 One-time ideal versions of our schemes We now idealize the Encs encryption process by replacing the use of F for computing k 1 and y 1 by the selection of random values. Furthermore, we adapt the corresponding leakages using S L. The resulting algorithms are defined in the right part of Table 2. The following lemma expresses that leaking encryptions produced with these two schemes are hard to distinguish, by relying on the 2-simulatability assumption and the properties of the PRF. Lemma 2. Ideal single block encryption. Let F : {0, 1} n {0, 1} n {0, 1} n be a (s, t, ɛ prf )-PRF, whose implementation has a leakage function L F having (s S, t S, s, t, ɛ 2-sim) 2-simulatable leakages, and let S L be an appropriate (s S, t S)-bounded leakage simulator. Then, for every m, p A, p B, p {0, 1} n, p A p B, and every (s s r, t t r)-bounded distinguisher D L, the following holds: Pr ] D L (m, LEncs(k 0, m)) = 1 ( ) Pr D L m, LEncs I (k 0, m) = 1] ɛprf + ɛ 2-sim, with s r := 3 s S +1, t r = max(t prf, t sim), t prf being equal to 3 t S augmented with the time needed to make 2 oracle queries to the PRF challenger and select a uniformly random key in {0, 1} n, and t sim the time needed to relay the content of two Enc and one Gen queries from and to a q-sim challenger. Proof. We follow the same approach as used for proving Lemma 1: first replace the leakages of LEncs with simulated leakages, relying on the simulatability assumption, then replace the outputs of the PRF of LEncs with random values, relying on the assumption that F is a PRF. We now transpose the definitions of ENCs and ENCs I to the multi-block setting, but still focusing on the one-time encryption case. The resulting schemes, ENCl and ENCl I are described in Table 3. These ideal versions are closer to the ENC scheme definition: while we still ignore the leak-free initialization process, the ciphertexts do not contain the extra key block any more, and the leakages follow the natural definition. Just as before, we express that leaking encryptions produced with these two schemes are hard to distinguish. Lemma 3. Ideal multiple block encryption. Let F and S L be defined as in Lemma 2. Then, for every l-block message m, every p A, p B and every (s s r, t t r)-bounded distinguisher D L, the following holds: ] Pr D L (m, LEncl(k 0, m))) = 1 ( ) Pr D L m, LEncl I (k 0, m) = 1] l(ɛprf + ɛ 2-sim). Here, s r = l(2s S +3) and t r is equal to 2lt S augmented with the time needed to pick 2l random values in {0, 1} n, evaluate F 2l times and compute l operations. Proof. We define the hybrid distributions H 0,..., H l in which H i(m) is defined as the concatenation of an ideal execution LEncl I k 0 (m 1,i] ) and a real execution LEncl ki (m i+1,l] ) with k 0 chosen uniformly at random and k i resulting from the evaluation of Encl I. It is clear that H 0 is distributed just as the inputs of D L in the first probability distribution from the lemma s statement, while H l is distributed as the inputs of D L in the second probability distribution. We now show that the probability with which D L can distinguish H i 1 from H i is bounded by ɛ prf + ɛ 2-sim, which will in turn imply the expected result. For this purpose, we build, from D L, a (s, t)-bounded distinguisher D L between the two distributions d 1 and d 2 that are the input of the distinguisher of Lemma 2. D L receives its inputs m i, c i, k i, and leakages l A, l B, l, l s, k i 2 sampled from d 1 or d 2. It then: (1) Samples the encryption of the i 1 first blocks of m from LEncl I, except that it uses k i 2 as key for the round i 1 and l s as leakage for computing k i 1; (2) Extends it with c i and the leakages l A, l B and l for the i-th round; (3) Extends it with LEncl ki (m i+1,l] ) for the last l i 1 rounds. It can be easily verified that, if the inputs of D L are sampled from d 1 (resp d 2), then D L produced something sampled according to H i 1 (resp. H i). If fed to D L, the result will enable D L to distinguish H i 1 from H i with the same probability D L distinguishes d 1 from d 2. Furthermore, by inspection, we can verify that D L is (s, t)-bounded. Applying Lemma 2, this probability is then bounded by ɛ prf + ɛ 2-sim, as desired.

9 Description of ENCl: Gen picks k 0 {0, 1} n. Encl k0 (m 1,..., m l ) returns c 1,..., c l, where c i = y i m i, y i = F ki 1 (p B ) and k i = F ki 1 (p A ). Dec proceeds in the natural way. The leakage L Encl (k 0, m) resulting from computing Encl k0 (m) is defined by the sequence of (L F (p A, k i 1 ), L F (p B, k i 1 ), L (m i, y i )) for i {1,..., l}. Description of ENCl I : Encl I k 0 (m 1,..., m l ) returns (c 1,..., c l ), where c i = y i m i, y 1,..., y l {0, 1} n and k 1,..., k l {0, 1} n. The leakage L Encl I (k, y, m) resulting from computing Encl I k 0 (m) with the random vectors k and y is defined by the sequence of (S L (k i 1, p A, k i ), S L (k i 1, p B, y i ), L (m i, y i )) for i {1,..., l}. Table 3: The ENCl and ENCl I schemes. Further remarks on the definition of Encs. The proof above heavily relies on the use of the extra leakages provided when running Encs, for the linking of the hybrids. This is however not just an artifact that we use to simplify our proof. Consider for instance a situation in which Encs would not leak k 1 and a simple leakage function L F (p, k) would leak just the first bit of k F k (p). In such a setting, if k 1 is not leaked, the leakage does not provide any useful information on the encrypted message (we just loose one bit of security for the key). So, if we encrypt the messages m 1 and m 2 with Encs using two independent keys, the leakages do not provide us with any useful information. However, if we encrypt the message (m 1, m 2) using Encl, we will obtain c 1, c 2 and leakages containing the first bit of k 0 y 1, k 0 k 1 and k 1 y 2, from which we can derive the first bit of y 1 y 2, and eventually the first bit of m 1 m 2, which was not available before. This observation is a constructive evidence that encrypting two message blocks with Encl can be far more damaging on the privacy than encrypting these blocks independently with a version of Encs from which k 1 would not be leaked. The leakage of k 1 in Encs prevents the shortcoming we just described, as k 1 would provoke the leakage of the first bit of each message block. 3.5 From 1-block to l-block security The above section demonstrated how one-time versions of our encryption scheme can be idealized with controlled security loss, in the case of single and multiple block encryption. We now use these idealized encryption processes to evaluate the (eavesdropper) security of an l-block encryption with Encl I by comparison with the security of l encryptions with Encs I performed with independent keys, block by block. Lemma 4. For every pair of l-block messages m 0 and m 1 and (s, t)-bounded adversary A L, there is an (s s r, t t r)- bounded adversary A L such that the following holds: ( ) Pr A L LEncl I k 0 (m 0 ) i=1 Pr ] = 1 A L ( LEncl I k 0 (m 1 ) l ( ) ] Pr A L LEncs I k i (m 0 i ) = 1 ) = 1] ( ) Pr A L LEncs I k i (m 1 i ) = 1], with all k s chosen uniformly at random, s r = l(2s S+1) and t r equal to 2lt S to which we add the time needed to sample 2l random values and compute l times the operations. Proof. We proceed in two steps. We start by building a sequence of l + 1 messages m h,0,..., m h,l starting from m 0 and modifying its blocks one by one until obtaining m 1. That is, m h,i := m 1 1,i], m 0 i+1,l]. From the triangle inequality, it holds that: Pr i=1 A L ( LEncl I k 0 (m 0 ) ) Pr ] = 1 A L ( LEncl I k 0 (m 1 ) l ( ) ] Pr A L LEncl I k i (m h,i 1 ) = 1 ) = 1] ( ) Pr A L LEncl I k i (m h,i ) = 1]. The l differences in the sum above can now be related to the probability of distinguishing the encryptions of single block messages: from an Encs I encryption of m 0,i or m 1,i with the associated leakage L Encs I, it is immediate to sample an Encl I encryption of m h,i 1 or m h,i with the associated leakage L Encl I. The cost of this sampling is bounded by s r leakage queries and running time t r. Injecting Lemmas 2 and 3, which relate real and ideal encryptions, into Lemma 4, we obtain Theorem 3 which is our main result for eavesdropper security. Theorem 3. Let F be a (s, t, ɛ prf )-PRF, with a leakage simulator S L as in Lemma 2, and let (s r, t r) be the bounds defined in Lemma 3. For every pair of l-block messages m 0 and m 1 and (s s r, t t r)-bounded adversary A L, there is an (s 2s r, t 2t r)-bounded adversary A L such that the following holds: Pr i=1 A L ( LEncl k0 (m 0 ) ) ] = 1 Pr l Pr A L ( LEncs ki (m 0 i ) ) ] = 1 A L ( LEncl k0 (m 1 ) ) = 1] Pr A L ( LEncs ki (m 1 i ) ) = 1] + 4l(ɛprf + ɛ 2-sim). It indicates that, if we want to bound the probability that an attacker distinguishes the encryptions of two l-block messages, we can focus on bounding the probabilities that an attacker distinguishes independent encryptions of the l pairs of blocks, which is arguably easier, and derive the desired bound from it. Furthermore, the security degradation is moderate, being proportional to the number of blocks.

11 Software (8-bit) code size cycle cost physical Implementations (bytes) count function assumptions Unprotected 8] mask Boolean 34] glitch-sensitive 1-mask polynomial 13, 32] glitch-resistant 2-mask Boolean 34] glitch-sensitive FPGA (Virtex-5) area throughput cost physical Implementations (slices) (enc/sec) function assumptions Unprotected (128-bit) 33] mask Boolean (128-bit) 33] 1462 Threshold (8-bit) 26] glitch-sensitive glitch-resistant Table 4: Performance of some illustrative AES implementations (borrowed from 3]). 4] M. Bellare, J. Kilian, and P. Rogaway. The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci., 61(3): , ] S. Chari, C. S. Jutla, J. R. Rao, and P. Rohatgi. Towards sound approaches to counteract power-analysis attacks. In CRYPTO 99, volume 1666 of Lecture Notes in Computer Science, pages Springer, ] Y. Dodis and K. Pietrzak. Leakage-resilient pseudorandom functions and side-channel attacks on feistel networks. In CRYPTO 2010, volume 6223 of Lecture Notes in Computer Science, pages Springer, ] S. Dziembowski and K. Pietrzak. Leakage-resilient cryptography. In FOCS 2008, pages IEEE Computer Society, ] T. Eisenbarth, Z. Gong, T. Güneysu, S. Heyse, S. Indesteege, S. Kerckhof, F. Koeune, T. Nad, T. Plos, F. Regazzoni, F. Standaert, and L. van Oldeneel tot Oldenzeel. Compact implementation and performance evaluation of block ciphers in attiny devices. In A. Mitrokotsa and S. Vaudenay, editors, AFRICACRYPT 2012, volume 7374 of Lecture Notes in Computer Science, pages Springer, ] S. Faust, K. Pietrzak, and J. Schipper. Practical leakage-resilient symmetric cryptography. In CHES 2012, volume 7428 of Lecture Notes in Computer Science, pages Springer, ] B. Fuller and A. Hamlin. Unifying leakage classes: Simulatable leakage and pseudoentropy. In ICITS 2015, volume 9063 of Lecture Notes in Computer Science, pages Springer, ] J. L. Galea, D. P. Martin, E. Oswald, D. Page, M. Stam, and M. Tunstall. Simulatable leakage: Analysis, pitfalls, and new constructions. In ASIACRYPT 2014, volume 8873 of Lecture Notes in Computer Science, pages Springer, ] D. Galindo and S. Vivek. A leakage-resilient pairing-based variant of the Schnorr signature scheme. In IMA International Conference, IMACC 2013, volume 8308 of Lecture Notes in Computer Science, pages Springer, ] V. Grosso, F. Standaert, and S. Faust. Masking vs. multiparty computation: How large is the gap for aes? In CHES ], pages ] V. Grosso, F. Standaert, and S. Faust. Masking vs. multiparty computation: how large is the gap for AES? J. Cryptographic Engineering, 4(1):47 57, ] C. Hazay, A. López-Alt, H. Wee, and D. Wichs. Leakage-resilient cryptography from minimal assumptions. In EUROCRYPT 2013, volume 7881 of Lecture Notes in Computer Science, pages Springer, ] Y. Ishai, A. Sahai, and D. Wagner. Private circuits: Securing hardware against probing attacks. In CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science, pages Springer, ] M. Joye and M. Tunstall, editors. Fault Analysis in Cryptography. Information Security and Cryptography. Springer, ] E. Kiltz and K. Pietrzak. Leakage resilient ElGamal encryption. In ASIACRYPT 2010, volume 6477 of Lecture Notes in Computer Science, pages Springer, ] L. R. Knudsen and M. Robshaw. The Block Cipher Companion. Information Security and Cryptography. Springer, ] M. Liskov, R. L. Rivest, and D. Wagner. Tweakable block ciphers. In CRYPTO 2002, volume 2442 of Lecture Notes in Computer Science, pages Springer, ] S. Mangard, E. Oswald, and T. Popp. Power analysis attacks - revealing the secrets of smart cards. Springer, ] S. Mangard, T. Popp, and B. M. Gammel. Side-channel leakage of masked CMOS gates. In CT-RSA 2005, volume 3376 of Lecture Notes in Computer Science, pages Springer, ] D. P. Martin, E. Oswald, and M. Stam. A leakage resilient MAC. IACR Cryptology eprint Archive, 2013:292, ] M. Medwed, F. Standaert, J. Großschädl, and F. Regazzoni. Fresh re-keying: Security against side-channel and fault attacks for low-cost devices. In AFRICACRYPT 2010, volume 6055 of Lecture Notes in Computer Science, pages Springer, ] S. Micali and L. Reyzin. Physically observable cryptography (extended abstract). In TCC 2004, volume 2951 of Lecture Notes in Computer Science, pages Springer, 2004.

13 avoided if we try to follow the standard approach of first showing that the construction is a PRF and hence it is a MAC. But it turns out this way we need more hybrid games than the current approach. Next, we show that in the successive hybrids Hi,j and Hi,j+1 (1 i q + 1, 0 j l 1), the views of A L are computationally identical upto the 2-simulatable leakage assumption. Let ɛ i,j and ɛ i,j+1 denote the advantages of A L in the hybrids Hi,j and Hi,j+1, respectively. Lemma 5. ɛ i,j ɛ i,j+1 ɛ prf + ɛ 2-sim + (q+1)2 (l+1) 2 2 n. Proof. Using A L as a subroutine, we construct a (s, t )- bounded distinguisher D L for the distributions of Lemma 1 that has advantage as indicated on the R.H.S. of Lemma 5. D L simulates hybrid Hi,j or hybrid Hi,j+1 depending on whether its input distribution is actual or ideal, respectively. D L chooses a uniform random shared secret key k, random session keys k i,1 (1 i q), and possibly a random session key k q+1,1 for verification if the target forgery is on a different IV. Whenever D L samples a random output value, say γ, on key-message input (α, β) it records the input/output pair ((α, β), γ) in a table T, in addition to the simulated leakage S L ( k, β, γ) ( k \$ {0, 1} n ). This table is used to consistently return the same (random) output on the same input pair. Also, all the block cipher evaluations while the processing the tag requests return random outputs and simulated leakages until (including) the j th message block of the i th tag request. Recall the notation that the j th block of the i th message is denoted by m i,j, and the corresponding key and the output for the evaluation of F is denoted by k i,j and k i,j +1, respectively. A * in the superscript of a parameter, for example, as in k i,j, explicitly denotes that the parameter was chosen uniform randomly and independently (and was not computed normally). At this point, D L first receives its input d 5 upon querying its challenger with Gen( k i,j, m i,j) with k i,j {0, 1} n (cf. Remark 3). It then uses d 5 instead of the simulated leakage S L ( k i,j, m i,j, ki,j). Note that the output of this round is implicitly set to k (if j = 0, then the session key ki,1 is implicitly set to k ). It then builds the view for the (i, j + 1) th execution of F by querying its challenger for (d 1, d 3) by querying Enc(m i,j+1) (p 0 := m i,j+1). D L then provides A L with (d 1, d 3). The remaining steps are executed normally by evaluating F with the (known) inputs. In case any inconsistency arises when F is evaluated with the inputs present in the table T, then the corresponding output value recorded in the table is used. Such a situation does arise when the adversary outputs a possible forgery on a message m w.r.t. the IV IV i, such that m m i share a common prefix. Also, note that to evaluate F w.r.t. the (implicit) key k, D L has to use its input distribution to determine the output. This means that if there are more than two queries to F w.r.t. the (implicit) key k, then D L will abort the simulation. Denote this abort event by Abort. \$ In order for this simulation by D L to A L to be consistent with the working of MAC 1, two events must not occur. All the random values sampled (and listed in table T ) must be distinct. The abort event Abort mentioned above must not occur. Let us denote both the events by Collision. The reason for the first of the above conditions is that if the intermediate values repeat, then a possible pattern could arise in the successive intermediate values and there by implicitly setting the output of the (i, j) th step to k may lead to inconsistency. Next, to ensure that the Abort event does not arise, and hence 2- simulatable assumption suffices, we need to make sure that k is never used as key more than once later. This means that F is not queried with the input (k i,j, m i,j) more than once later. Note that if the first condition above does not occur, then the outputs of the later steps are function of parameters independent of the value k i,j, except possibly once during the verification stage. It is easy to see that: PrCollision] (q + 1)2 (l + 1) 2 2 n. (3) Hence the lemma follows from Lemma 1 and (3). Note that there are at most (q + 1)l distinct hybrids H i,j (1 i q + 1, 0 j l) since the hybrids H i,l and H i+1,0 are identical for 1 i q. Also note that the hybrids H and H 1,0 are identical as well. Hence we obtain: ɛ ɛ q+1,l (q + 1)l(ɛ prf + ɛ 2 sim) + (q + 1)3 l(l + 1) 2 2 n. Lemma 6. ɛ q+1,l 1 + (q+1)2 (l+1) 2 2 n ((q+1)(l+1)) 2 2 n+1 Proof. In this hybrid, all the evaluations of F are ideal, that means that distinct key-message input pairs produce random output values, and all the leakages are simulated. To break the strong-unforgeability property of MAC 1, A L must either output a forgery on a distinct IV for a possibly previously queried message, or it outputs a forgery on a previously queried IV but on a distinct message. This implies that during the verification step, conditioned on the event of no collision of randomly chosen output values, there will be distinct key-message pairs with which F will be queried and, as a consequence, a random output will be produced. Further, no collision would imply that the same would happen with the later message blocks during the verification step, including the final block. Note that the probability of collision is at most (q+1)2 (l+1) 2 2 n+1. Again, conditioned on the event of no collision, the probability that the tag τ output by A L is a valid forgery for the message m is at most 1 2 n ((q+1)(l+1)) 2. Hence the lemma follows. Theorem 1 follows from (1), (2), (4) and Lemma 6. (4)

### Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

### 1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

### 1 Construction of CCA-secure encryption

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

### Talk announcement please consider attending!

Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically

### Message Authentication Codes 133

Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in

### Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

### MAC. SKE in Practice. Lecture 5

MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve

### Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### Message Authentication Code

Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

### Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

### Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

### The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication

### Computational Soundness of Symbolic Security and Implicit Complexity

Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview

### Lecture 13: Message Authentication Codes

Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts

### Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

### Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

### Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense

### GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell Bar-Ilan University

GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte Shay Gueron Haifa Univ. and Intel Yehuda Lindell Bar-Ilan University Appeared at ACM CCS 2015 How to Encrypt with

### Authentication and Encryption: How to order them? Motivation

Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in

### MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

### Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

### CS155. Cryptography Overview

CS155 Cryptography Overview Cryptography Is n A tremendous tool n The basis for many security mechanisms Is not n The solution to all security problems n Reliable unless implemented properly n Reliable

### Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen - Huawei, Singapore Ye Zhang - Pennsylvania State University, USA Siu Ming

### lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

Symmetric Crypto Pierre-Alain Fouque Birthday Paradox In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal N=365, about 23 people are

### Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database

### Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

### Cryptographic Hash Functions Message Authentication Digital Signatures

Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBC-MAC Digital signatures 2 Encryption/Decryption

### Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart. OV-Chipkaart Security Issues Tutorial for Non-Expert Readers

Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart OV-Chipkaart Security Issues Tutorial for Non-Expert Readers The current debate concerning the OV-Chipkaart security was

### Overview of Symmetric Encryption

CS 361S Overview of Symmetric Encryption Vitaly Shmatikov Reading Assignment Read Kaufman 2.1-4 and 4.2 slide 2 Basic Problem ----- ----- -----? Given: both parties already know the same secret Goal: send

### 1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

### Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

An extended abstract of this paper appears in Tatsuaki Okamoto, editor, Advances in Cryptology ASIACRYPT 2000, Volume 1976 of Lecture Notes in Computer Science, pages 531 545, Kyoto, Japan, December 3

### Post-Quantum Cryptography #4

Post-Quantum Cryptography #4 Prof. Claude Crépeau McGill University http://crypto.cs.mcgill.ca/~crepeau/waterloo 185 ( 186 Attack scenarios Ciphertext-only attack: This is the most basic type of attack

### Cryptography and Network Security Chapter 12

Cryptography and Network Security Chapter 12 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 12 Message Authentication Codes At cats' green on the Sunday he

### Authentication requirement Authentication function MAC Hash function Security of

UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy

### MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

### Limits of Computational Differential Privacy in the Client/Server Setting

Limits of Computational Differential Privacy in the Client/Server Setting Adam Groce, Jonathan Katz, and Arkady Yerukhimovich Dept. of Computer Science University of Maryland {agroce, jkatz, arkady}@cs.umd.edu

### Applying Remote Side-Channel Analysis Attacks on a Security-enabled NFC Tag

Applying Remote Side-Channel Analysis Attacks on a Security-enabled NFC Tag Thomas Korak Thomas Plos Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology,

### Multi-Input Functional Encryption for Unbounded Arity Functions

Multi-Input Functional Encryption for Unbounded Arity Functions Saikrishna Badrinarayanan, Divya Gupta, Abhishek Jain, and Amit Sahai Abstract. The notion of multi-input functional encryption (MI-FE) was

### Network Security Technology Network Management

COMPUTER NETWORKS Network Security Technology Network Management Source Encryption E(K,P) Decryption D(K,C) Destination The author of these slides is Dr. Mark Pullen of George Mason University. Permission

### Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm

Error oracle attacks and CBC encryption Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Agenda 1. Introduction 2. CBC mode 3. Error oracles 4. Example 1 5. Example 2 6. Example 3 7. Stream ciphers

### Symmetric Crypto MAC. Pierre-Alain Fouque

Symmetric Crypto MAC Pierre-Alain Fouque Birthday Paradox In a set of D elements, by picking at random D elements, we have with high probability a collision two elements are equal D=365, about 23 people

### Strengthening Digital Signatures via Randomized Hashing

Strengthening Digital Signatures via Randomized Hashing Shai Halevi Hugo Krawczyk January 30, 2007 Abstract We propose randomized hashing as a mode of operation for cryptographic hash functions intended

### CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

### Security/Privacy Models for "Internet of things": What should be studied from RFID schemes? Daisuke Moriyama and Shin ichiro Matsuo NICT, Japan

Security/Privacy Models for "Internet of things": What should be studied from RFID schemes? Daisuke Moriyama and Shin ichiro Matsuo NICT, Japan 1 Internet of Things (IoT) CASAGRAS defined that: A global

### On-Line/Off-Line Digital Signatures

J. Cryptology (996) 9: 35 67 996 International Association for Cryptologic Research On-Line/Off-Line Digital Signatures Shimon Even Computer Science Department, Technion Israel Institute of Technology,

### Authenticated encryption

Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu October 16th, 2013 Active attacks on CPA-secure encryption

### SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct

### Cryptography. Jonathan Katz, University of Maryland, College Park, MD 20742.

Cryptography Jonathan Katz, University of Maryland, College Park, MD 20742. 1 Introduction Cryptography is a vast subject, addressing problems as diverse as e-cash, remote authentication, fault-tolerant

### SPINS: Security Protocols for Sensor Networks

SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, J.D. Tygar, Victor Wen, and David Culler Department of Electrical Engineering & Computer Sciences, University of California

6.857 Computer and Network Security Fall Term, 1997 Lecture 4 : 16 September 1997 Lecturer: Ron Rivest Scribe: Michelle Goldberg 1 Conditionally Secure Cryptography Conditionally (or computationally) secure

### A Secure RFID Ticket System For Public Transport

A Secure RFID Ticket System For Public Transport Kun Peng and Feng Bao Institute for Infocomm Research, Singapore Abstract. A secure RFID ticket system for public transport is proposed in this paper. It

### Lecture 3: One-Way Encryption, RSA Example

ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

### Proofs in Cryptography

Proofs in Cryptography Ananth Raghunathan Abstract We give a brief overview of proofs in cryptography at a beginners level. We briefly cover a general way to look at proofs in cryptography and briefly

### Security Analysis of DRBG Using HMAC in NIST SP 800-90

Security Analysis of DRBG Using MAC in NIST SP 800-90 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@u-fukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator

### Chapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes

Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret

### Message Authentication Codes. Lecture Outline

Message Authentication Codes Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Message Authentication Code Lecture Outline 1 Limitation of Using Hash Functions for Authentication Require an authentic

### Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

### Message Authentication Codes

2 MAC Message Authentication Codes : and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l08, Steve/Courses/2013/s2/css322/lectures/mac.tex,

### Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

### Network Security. Modes of Operation. Steven M. Bellovin February 3, 2009 1

Modes of Operation Steven M. Bellovin February 3, 2009 1 Using Cryptography As we ve already seen, using cryptography properly is not easy Many pitfalls! Errors in use can lead to very easy attacks You

### Digital Signatures. What are Signature Schemes?

Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counter-parts of the message authentication schemes in the public

### Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas El-Qawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.

### Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

### Secure Computation Without Authentication

Secure Computation Without Authentication Boaz Barak 1, Ran Canetti 2, Yehuda Lindell 3, Rafael Pass 4, and Tal Rabin 2 1 IAS. E:mail: boaz@ias.edu 2 IBM Research. E-mail: {canetti,talr}@watson.ibm.com

### Associate Prof. Dr. Victor Onomza Waziri

BIG DATA ANALYTICS AND DATA SECURITY IN THE CLOUD VIA FULLY HOMOMORPHIC ENCRYPTION Associate Prof. Dr. Victor Onomza Waziri Department of Cyber Security Science, School of ICT, Federal University of Technology,

### A Practical Authentication Scheme for In-Network Programming in Wireless Sensor Networks

A Practical Authentication Scheme for In-Network Programming in Wireless Sensor Networks Ioannis Krontiris Athens Information Technology P.O.Box 68, 19.5 km Markopoulo Ave. GR- 19002, Peania, Athens, Greece

### Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak

Non-Black-Box Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a

### SECURITY EVALUATION OF EMAIL ENCRYPTION USING RANDOM NOISE GENERATED BY LCG

SECURITY EVALUATION OF EMAIL ENCRYPTION USING RANDOM NOISE GENERATED BY LCG Chung-Chih Li, Hema Sagar R. Kandati, Bo Sun Dept. of Computer Science, Lamar University, Beaumont, Texas, USA 409-880-8748,

### Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes

### On the Security of CTR + CBC-MAC

On the Security of CTR + CBC-MAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBC-MAC (CCM) encryption mode.

### Computing on Encrypted Data

Computing on Encrypted Data Secure Internet of Things Seminar David Wu January, 2015 Smart Homes New Applications in the Internet of Things aggregation + analytics usage statistics and reports report energy

### Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Introduction to Cryptography What is cryptography?

### Designing Hash functions. Reviewing... Message Authentication Codes. and message authentication codes. We have seen how to authenticate messages:

Designing Hash functions and message authentication codes Reviewing... We have seen how to authenticate messages: Using symmetric encryption, in an heuristic fashion Using public-key encryption in interactive

### Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July 2006. The OWASP Foundation http://www.owasp.org/

Common Pitfalls in Cryptography for Software Developers OWASP AppSec Israel July 2006 Shay Zalalichin, CISSP AppSec Division Manager, Comsec Consulting shayz@comsecglobal.com Copyright 2006 - The OWASP

### Fuzzy Identity-Based Encryption

Fuzzy Identity-Based Encryption Janek Jochheim June 20th 2013 Overview Overview Motivation (Fuzzy) Identity-Based Encryption Formal definition Security Idea Ingredients Construction Security Extensions

### Remotely Keyed Encryption Using Non-Encrypting Smart Cards

THE ADVANCED COMPUTING SYSTEMS ASSOCIATION The following paper was originally published in the USENIX Workshop on Smartcard Technology Chicago, Illinois, USA, May 10 11, 1999 Remotely Keyed Encryption

### Cryptography Overview

Cryptography Overview Cryptography Is n A tremendous tool n The basis for many security mechanisms Is not n The solution to all security problems n Reliable unless implemented properly n Reliable unless

### Simulation-Based Security with Inexhaustible Interactive Turing Machines

Simulation-Based Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik Christian-Albrechts-Universität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.uni-kiel.de

### Modes of Operation of Block Ciphers

Chapter 3 Modes of Operation of Block Ciphers A bitblock encryption function f: F n 2 Fn 2 is primarily defined on blocks of fixed length n To encrypt longer (or shorter) bit sequences the sender must

### CryptoVerif Tutorial

CryptoVerif Tutorial Bruno Blanchet INRIA Paris-Rocquencourt bruno.blanchet@inria.fr November 2014 Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 1 / 14 Exercise 1: preliminary definition SUF-CMA

### Message Authentication

Message Authentication message authentication is concerned with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute resolution) will consider the

### On Generating the Initial Key in the Bounded-Storage Model

On Generating the Initial Key in the Bounded-Storage Model Stefan Dziembowski Institute of Informatics, Warsaw University Banacha 2, PL-02-097 Warsaw, Poland, std@mimuw.edu.pl Ueli Maurer Department of

### A low-cost Alternative for OAEP

A low-cost Alternative for OAEP Peter Schartner University of Klagenfurt Computer Science System Security peter.schartner@aau.at Technical Report TR-syssec-11-02 Abstract When encryption messages by use

### Key Privacy for Identity Based Encryption

Key Privacy for Identity Based Encryption Internet Security Research Lab Technical Report 2006-2 Jason E. Holt Internet Security Research Lab Brigham Young University c 2006 Brigham Young University March

### Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each

### Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography What Is Steganography? Steganography Process of hiding the existence of the data within another file Example:

### The Misuse of RC4 in Microsoft Word and Excel

The Misuse of RC4 in Microsoft Word and Excel Hongjun Wu Institute for Infocomm Research, Singapore hongjun@i2r.a-star.edu.sg Abstract. In this report, we point out a serious security flaw in Microsoft

### Key Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards

White Paper Key Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards By Dr. Wen-Ping Ying, Director of Software Development, February 2002 Introduction Wireless LAN networking allows the

### The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems

The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems Becky Cutler Rebecca.cutler@tufts.edu Mentor: Professor Chris Gregg Abstract Modern day authentication systems

### Security Analysis for Order Preserving Encryption Schemes

Security Analysis for Order Preserving Encryption Schemes Liangliang Xiao University of Texas at Dallas Email: xll052000@utdallas.edu Osbert Bastani Harvard University Email: obastani@fas.harvard.edu I-Ling

### CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

### Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

### Department Informatik. Privacy-Preserving Email Forensics. Technical Reports / ISSN 2191-5008. Frederik Armknecht, Andreas Dewald

Department Informatik Technical Reports / ISSN 2191-5008 Frederik Armknecht, Andreas Dewald Privacy-Preserving Email Forensics Technical Report CS-2015-03 April 2015 Please cite as: Frederik Armknecht,

### A PPENDIX H RITERIA FOR AES E VALUATION C RITERIA FOR

A PPENDIX H RITERIA FOR AES E VALUATION C RITERIA FOR William Stallings Copyright 20010 H.1 THE ORIGINS OF AES...2 H.2 AES EVALUATION...3 Supplement to Cryptography and Network Security, Fifth Edition