Talk announcement please consider attending!



Where: Maurer School of Law, Room 335
When: Thursday, Feb 5, 12PM to 1:30PM
Speaker: Rafael Pass, Associate Professor, Cornell University
Topic: Reasoning Cryptographically About Knowledge

ABSTRACT: Cryptographic notions of knowledge consider the knowledge obtained, or possessed, by computationally-bounded agents under adversarial conditions. In this talk, we will survey some recent cryptographically-inspired approaches for reasoning about agents' knowledge in the context of mechanism design, coding theory, voting theory and weather forecasting.

Optional lab for Assignment 1 solutions
Date: TOMORROW (Tuesday, Feb 3)
Time: 1PM to 2PM
Place: LH 101
(Assignment 2 is due one week from Wednesday!)

a1q3a

Many students did not follow my hint!
Let E be the event that m has property P, and let F_N be the event that A(m) outputs N consecutive zeros. The question asks you to solve for Pr[E | F_N].
A common (but incorrect) response:
  Pr[E] = ε (true)
  Pr F 0 E = δ (true)
  Pr F 0 E = 1 δ (true)
  Hence, Pr F 0 = ε δ (true)
  Hence, Pr F 0 = ε (1 δ) (not true!!!)
  Hence, Pr F N = ε (1 δ) N (not true!!!)
  Hence Pr[E F N ] = (1 ε 1 δ N ) (not true!!!)
What is this probability???

a1q3c

Another ubiquitous mistake (nobody lost marks, though). What is wrong with the following?
  1 2 N 1 0.99999 1 /99 N 23.24, hence N = 24 consecutive 0s suffice.
  Log 2 1 0.99999 Log 1 2 2 2 -N 1 /99 23.24 N N N 23.23 N 23.24

Last Wednesday's lecture:
  Pseudorandom functions and permutations
  Birthday bounds
  Block ciphers
  Modes of operation (maybe?)

Today's lecture:
  Modes of operation
  Message authentication codes

Review: PRF formal definition

Let Func[n] be the set of all functions from {0,1}^n to {0,1}^n.

Def: A keyed function F: {0,1}^* × {0,1}^* → {0,1}^* is a pseudorandom function (PRF) iff, for every PPT distinguisher D, there exists a negligible function ε: ℕ → ℝ^+ such that
$$\Bigl|\Pr\bigl[D^{F(k,\cdot)}(1^n) = 1 : k \leftarrow_R \{0,1\}^n\bigr] - \Pr\bigl[D^{f(\cdot)}(1^n) = 1 : f \leftarrow_R \mathrm{Func}[n]\bigr]\Bigr| \le \varepsilon(n).$$

Review: PRF indistinguishability game

Game 0: the challenger picks k ←R {0,1}^n and gives the distinguisher D (on input 1^n) oracle access to F(k, ·); D outputs a bit b ∈ {0,1}.
Game 1: the challenger picks f ←R Func[n] and gives the distinguisher D (on input 1^n) oracle access to f(·); D outputs a bit b ∈ {0,1}.
The distinguisher wins if it outputs b = 0 in Game 0 or b = 1 in Game 1.

Review: PRP formal definition

Let Perm[n] denote the set of all permutations on {0,1}^n. A keyed permutation is efficient if there is a PPT algorithm to compute its inverse.

Def: A keyed permutation Π: {0,1}^* × {0,1}^* → {0,1}^* is a pseudorandom permutation (PRP) iff it is efficient and, for every PPT distinguisher D, there exists a negligible function ε: ℕ → ℝ^+ such that
$$\Bigl|\Pr\bigl[D^{\Pi(k,\cdot)}(1^n) = 1 : k \leftarrow_R \{0,1\}^n\bigr] - \Pr\bigl[D^{\pi(\cdot)}(1^n) = 1 : \pi \leftarrow_R \mathrm{Perm}[n]\bigr]\Bigr| \le \varepsilon(n).$$

Review: Strong PRPs

Def: A keyed bijection Π: {0,1}^* × {0,1}^* → {0,1}^* is a strong pseudorandom permutation (SPRP) iff it is efficient and, for every PPT distinguisher D, there exists a negligible function ε: ℕ → ℝ^+ such that
$$\Bigl|\Pr\bigl[D^{\Pi(k,\cdot),\,\Pi^{-1}(k,\cdot)}(1^n) = 1 : k \leftarrow_R \{0,1\}^n\bigr] - \Pr\bigl[D^{\pi(\cdot),\,\pi^{-1}(\cdot)}(1^n) = 1 : \pi \leftarrow_R \mathrm{Perm}[n]\bigr]\Bigr| \le \varepsilon(n).$$

NOTE: The distinguisher gets oracle access both to the permutation and to the inverse permutation!

Fixed-length encryption from strong PRPs

Gen(1^n) outputs k ←R {0,1}^n
Enc_k(m) outputs c ← Π(k, m)
Dec_k(c) outputs m ← Π^{-1}(k, c)

Is this secure? YES, but only if the key is used to encrypt a single fixed-length plaintext.
Goals: security for multiple encryptions; variable-length encryption with short ciphertexts.

I538: Introduction to Cryptography (Ryan Henry)
Computationally secret encryption: Modes of operation

Electronic Code Book (ECB)

(Diagram: m = m_1‖m_2‖…‖m_l; each m_i goes through Π_k to give c_i; c = c_1‖c_2‖…‖c_l.)
Split m into n-bit blocks and apply the PRP Π_k to each block individually.
Does ECB mode offer IND-CPA security? NO!
Indistinguishable encryptions in the presence of an eavesdropper? NO!

Insecurity of ECB mode

The game (b, 1^n): the challenger picks b ←R {0,1} and runs k ← Gen(1^n); the attacker A sends m_0, m_1 ∈ M with |m_0| = |m_1|; the challenger returns c ← Enc_k(m_b); A outputs a bit b' ∈ {0,1}.
Attacker: choose m, m' ∈ {0,1}^n (one block each). Set m_0 ← m‖m and m_1 ← m‖m' (two blocks each). Output 1 if c has the form c_1‖c_1 and output 0 if c has the form c_1‖c_2.
Advantage: Adv^eav_A = 1/2.

Insecurity of ECB mode (in picture form)

(Figure: a plaintext bitmap, its ECB-mode ciphertext, and its CBC-mode ciphertext.)

Cipher Block Chaining (CBC)

(Diagram: m = m_1‖m_2‖…‖m_l; c = (IV, c_1‖c_2‖…‖c_l).)
Choose IV ←R {0,1}^n and XOR the first block with the IV prior to encryption.
XOR each subsequent plaintext block with the ciphertext of the preceding block.
Reveal the IV along with the ciphertext.

Output Feedback (OFB)

(Diagram: m = m_1‖m_2‖…‖m_l; c = (IV, c_1‖c_2‖…‖c_l).)
Choose IV ←R {0,1}^n and XOR the first block with F_k(IV).
To encrypt the i-th plaintext block, XOR it with F_k^{(i)}(IV), i.e. F_k applied i times to the IV.
Reveal the IV along with the ciphertext.

Counter mode (CTR)

(Diagram: m = m_1‖m_2‖…‖m_l; c_i = m_i ⊕ F_k(IV + i); c = (IV, c_1‖c_2‖…‖c_l).)
Essentially a block-by-block stream cipher.

Comparing modes of operation

Electronic Code Book (ECB) mode
  Pros: simple, parallelizable, non-malleable
  Cons: no CPA security, no secrecy in the presence of an eavesdropper
Cipher Block Chaining (CBC) mode
  Pros: CPA-secure, parallelizable decryption
  Cons: encryption is inherently sequential, malleable
Output Feedback (OFB) mode
  Pros: CPA-secure
  Cons: encryption and decryption both inherently sequential, malleable
Counter (CTR) mode
  Pros: CPA-secure, fully parallelizable
  Cons: malleable

I538: Introduction to Cryptography (Ryan Henry)
Message authentication codes: Motivation, definitions, and constructions

Secrecy vs Authenticity

So far we have only worried about message secrecy. Secrecy ≠ authenticity!
OTP, stream cipher, CTR and OFB mode: flip a bit of the ciphertext ⇒ flip the corresponding bit of the plaintext.
ECB mode: flip a bit of the ciphertext ⇒ randomize a block of the plaintext; add/remove/permute ciphertext blocks ⇒ add/remove/permute plaintext blocks.
CBC mode: are authenticity attacks possible? YES! Is this detectable?

Malleability of CBC mode

(Diagram: c = (IV, c_1‖c_2‖c_3); each c_i goes through Π_k^{-1} and is XORed with c_{i-1} (with c_0 = IV) to give m_i; m = m_1‖m_2‖m_3.)
What integrity attacks are possible?
Flip a bit in the IV ⇒ flip the corresponding bit in m_1.
Truncate c_3 from the ciphertext ⇒ truncate m_3 from the plaintext.
Flip a bit in c_i ⇒ randomize m_i and flip the corresponding bit in m_{i+1}.
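The following is an added, stand-alone Python example, not code from the lecture slides: it builds a toy keyed permutation Π_k from a PRF (a four-round Feistel network over HMAC-SHA256, an assumption standing in for the abstract PRP of the slides), implements ECB and CBC on top of it, then runs the eavesdropper from the "Insecurity of ECB mode" slide and the two CBC bit-flipping attacks listed above, so the "malleable" entries in the comparison table can be seen rather than asserted. Keys, block size and messages are constructed for the example.

```python
import hashlib
import hmac
import os

BLOCK = 16          # n = 128-bit blocks
HALF = BLOCK // 2   # the Feistel network works on two 64-bit halves
ROUNDS = 4          # four Feistel rounds over a PRF give a strong PRP (Luby-Rackoff)


def prf(key: bytes, label: bytes, x: bytes) -> bytes:
    """Round function F_k. Assumption: HMAC-SHA256 truncated to 8 bytes stands in for the abstract PRF."""
    return hmac.new(key, label + x, hashlib.sha256).digest()[:HALF]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prp(key: bytes, block: bytes) -> bytes:
    """Pi_k: keyed permutation on {0,1}^128 built from the PRF; round i uses F_k(i || right_half)."""
    left, right = block[:HALF], block[HALF:]
    for i in range(ROUNDS):
        left, right = right, xor(left, prf(key, bytes([i]), right))
    return left + right


def prp_inv(key: bytes, block: bytes) -> bytes:
    """Pi_k^{-1}: undo the rounds in reverse order (the PRP is efficient in the slides' sense)."""
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(ROUNDS)):
        left, right = xor(right, prf(key, bytes([i]), left)), left
    return left + right


def split(m: bytes) -> list:
    assert m and len(m) % BLOCK == 0, "example keeps to whole n-bit blocks; padding is out of scope"
    return [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]


def ecb_encrypt(key: bytes, m: bytes) -> bytes:
    return b"".join(prp(key, mi) for mi in split(m))


def cbc_encrypt(key: bytes, m: bytes, iv: bytes = None) -> tuple:
    iv = iv if iv is not None else os.urandom(BLOCK)   # random IV, revealed with the ciphertext
    prev, out = iv, []
    for mi in split(m):
        prev = prp(key, xor(mi, prev))                  # c_i = Pi_k(m_i xor c_{i-1}), c_0 = IV
        out.append(prev)
    return iv, b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, c: bytes) -> bytes:
    prev, out = iv, []
    for ci in split(c):
        out.append(xor(prp_inv(key, ci), prev))         # m_i = Pi_k^{-1}(c_i) xor c_{i-1}
        prev = ci
    return b"".join(out)


def ecb_eavesdropper(key: bytes) -> bool:
    """Attacker from the 'Insecurity of ECB mode' slide: m_0 = m||m, m_1 = m||m'.
    Returns True when 'are the two ciphertext blocks equal?' identifies both challenges."""
    m, m_prime = os.urandom(BLOCK), os.urandom(BLOCK)
    c0 = ecb_encrypt(key, m + m)
    c1 = ecb_encrypt(key, m + m_prime)
    guess = lambda c: 0 if c[:BLOCK] == c[BLOCK:] else 1
    return guess(c0) == 0 and guess(c1) == 1


def cbc_iv_flip(key: bytes) -> bool:
    """Flipping a bit of the IV flips the same bit of m_1 and leaves every other block intact."""
    m = os.urandom(3 * BLOCK)
    iv, c = cbc_encrypt(key, m)
    iv_mod = bytes([iv[0] ^ 0x01]) + iv[1:]
    return cbc_decrypt(key, iv_mod, c) == bytes([m[0] ^ 0x01]) + m[1:]


def cbc_block_flip(key: bytes) -> tuple:
    """Flipping a bit of c_1 scrambles m_1, flips the same bit of m_2 and leaves m_3 untouched."""
    m = os.urandom(3 * BLOCK)
    iv, c = cbc_encrypt(key, m)
    c_mod = bytes([c[0] ^ 0x80]) + c[1:]
    m_mod = cbc_decrypt(key, iv, c_mod)
    m1, m2, m3 = split(m)
    return (m_mod[:BLOCK] != m1,
            m_mod[BLOCK:2 * BLOCK] == bytes([m2[0] ^ 0x80]) + m2[1:],
            m_mod[2 * BLOCK:] == m3)


if __name__ == "__main__":
    key = os.urandom(BLOCK)
    print("ECB eavesdropper wins:", ecb_eavesdropper(key))
    print("CBC IV bit-flip hits m_1 only:", cbc_iv_flip(key))
    print("CBC c_1 bit-flip (m_1 scrambled, m_2 bit flipped, m_3 intact):", cbc_block_flip(key))
```

The three detector functions return booleans so the behaviour can be checked rather than read off a hex dump; none of the modifications is detected by decryption itself, which is the point of the next slides.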

Non-cryptographic integrity checks

Cyclic Redundancy Check (CRC): detects random errors due to a noisy channel; not intended to detect intentional errors introduced by an attacker.
Straw man proposal: Alice computes c' ← Enc_k(m) using a CTR-mode block cipher; Alice computes t ← CRC(c'); the ciphertext is c = c'‖t.
What can possibly go wrong? c' is malleable, and the attacker can modify c' and then update t to match!

Non-cryptographic integrity checks

A candidate fix: compute t ← CRC(m); the ciphertext is c ← Enc_k(m‖t).
What can possibly go wrong now? CRC is linear!! CRC(x ⊕ y ⊕ z) = CRC(x) ⊕ CRC(y) ⊕ CRC(z).
Integrity in the presence of attackers requires a secret key.
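Added example (Python, not from the slides): it checks the three-term CRC identity stated above against zlib.crc32, shows why the two-term version does not hold for CRC-32 as implemented (its initial register value and final complement make it affine rather than strictly linear, which is a detail beyond the slide and the reason three terms are needed for the constant to cancel), and runs the same test against a keyed MAC (HMAC-SHA256, chosen here as a stand-in) where no such relation holds. All inputs are constructed.

```python
import hashlib
import hmac
import zlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_three_term(x: bytes, y: bytes, z: bytes) -> bool:
    """The slide's identity: CRC(x ⊕ y ⊕ z) == CRC(x) ⊕ CRC(y) ⊕ CRC(z) for equal-length inputs."""
    return zlib.crc32(xor(xor(x, y), z)) == zlib.crc32(x) ^ zlib.crc32(y) ^ zlib.crc32(z)


def crc_two_term(x: bytes, y: bytes) -> bool:
    """Two-term version. CRC-32 is CRC(m) = L(m) ⊕ c with L linear over GF(2) and c depending
    only on the length, so this fails whenever c != 0 (which it is for any practical length)."""
    return zlib.crc32(xor(x, y)) == zlib.crc32(x) ^ zlib.crc32(y)


def crc_affine(x: bytes, y: bytes) -> bool:
    """The exact relation: CRC(x ⊕ y) == CRC(x) ⊕ CRC(y) ⊕ CRC(0^len). With three terms the
    constant appears an odd number of times on each side and cancels; with two it does not."""
    zeros = bytes(len(x))
    return zlib.crc32(xor(x, y)) == zlib.crc32(x) ^ zlib.crc32(y) ^ zlib.crc32(zeros)


def mac_three_term(key: bytes, x: bytes, y: bytes, z: bytes) -> bool:
    """Same three-term test against a keyed MAC. A PRF-based tag has no linear structure an
    attacker could exploit, so this returns False (except with negligible probability)."""
    h = lambda m: hmac.new(key, m, hashlib.sha256).digest()
    return h(xor(xor(x, y), z)) == xor(xor(h(x), h(y)), h(z))


if __name__ == "__main__":
    X, Y, Z = bytes(range(12)), bytes(range(12, 24)), bytes(range(24, 36))  # constructed inputs
    print("CRC three-term identity holds:", crc_three_term(X, Y, Z))
    print("CRC two-term identity holds:  ", crc_two_term(X, Y))
    print("CRC affine relation holds:    ", crc_affine(X, Y))
    print("HMAC three-term identity holds:", mac_three_term(b"k" * 16, X, Y, Z))
```

Because the relation holds regardless of which message was checksummed, a CRC carried under a stream-cipher-style encryption (OTP, CTR, OFB) gives the attacker exactly the predictable structure the slide warns about; the keyed MAC removes it, which is what the next slides formalize.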

Message authentication codes (MACs)

Def: A message authentication code (MAC) is a triple of algorithms (Gen, MAC, Ver):
  Gen: 1^ℕ → K is a randomized algorithm;
  MAC: K × M → T is a (usually) deterministic algorithm;
  Ver: K × M × T → {0,1} is a deterministic algorithm.
Here M is the message space (the set of possible messages), K is the key space (the set of possible keys), and T is the tag space (the set of possible tags).
We often write MAC_k(m) instead of MAC(k, m), and Ver_k(m, t) instead of Ver(k, m, t).

Correctness

Intuitively: the property of being able to verify (given the right key).
Def: A MAC (Gen, MAC, Ver) is correct if, for all k ∈ K and m ∈ M, Pr[Ver_k(m, MAC_k(m)) = 1] = 1.

MAC-Forgery game

The MAC oracle runs k ← Gen(1^n). The attacker A, given 1^n and oracle access to MAC(k, ·), adaptively submits m_1, m_2, …, m_q ∈ M and receives t_i ← MAC_k(m_i) for each. Finally A outputs a pair (m, t) ∈ M × T.
The attacker wins if (m, t) ∉ {(m_1, t_1), …, (m_q, t_q)} and Ver_k(m, t) = 1.

Existential unforgeability

Intuitively: the property of being secure against malicious tampering.
A's success probability in the MAC-Forgery game is denoted Adv^MAC_A.
Def: A MAC (Gen, MAC, Ver) is existentially unforgeable under adaptive chosen message attacks if, for every PPT adversary A, there exists a negligible function ε: ℕ → ℝ^+ such that Adv^MAC_A ≤ ε(n).

Fixed-length MAC from PRFs

Gen(1^n) outputs k ←R {0,1}^n
MAC_k(m) outputs t ← F(k, m)
Ver_k(m, t) outputs 1 if F(k, m) = t and 0 otherwise

Thm: If F: {0,1}^n × {0,1}^n → {0,1}^n is a PRF, then (Gen, MAC, Ver) as defined above is existentially unforgeable under adaptive chosen message attacks.

PRF ⇒ fixed-length MAC: the reduction

The PRF distinguisher D (input 1^n, oracle O) gets oracle access either to MAC_k(·) = F(k, ·) or to a truly random function; in both cases k ←R {0,1}^n. D runs the MAC attacker A, answering each query m_i with t_i ← O(m_i); when A outputs its forgery attempt (m, t), D uses O to check it and outputs its bit b accordingly.
D has advantage Adv^PRF_D = Adv^MAC_A!

Replay attacks

MACs guarantee the authenticity of messages in most cases. An important case where they do not is replay attacks.
Common ways to prevent replay: sequence numbers and timestamps.
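Added example (Python, not from the slides) of the sequence-number countermeasure: the sender binds a counter into the MAC input, and the receiver accepts each counter value at most once and only if it is larger than the highest value already accepted, so a captured (message, tag) pair cannot be delivered a second time and the counter cannot be changed without the key. HMAC-SHA256 is used as the MAC (an assumption; the slides treat the MAC abstractly) and the traffic is constructed.

```python
import hashlib
import hmac


def tag(key: bytes, seq: int, msg: bytes) -> bytes:
    """MAC over (sequence number || message). The counter must be under the tag, otherwise
    an attacker could re-number a captured message and pass the replay check."""
    return hmac.new(key, seq.to_bytes(8, "big") + msg, hashlib.sha256).digest()


class Receiver:
    """Accepts each sequence number at most once, in strictly increasing order."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest_seen = -1

    def accept(self, seq: int, msg: bytes, t: bytes) -> str:
        # verify first, so a forged packet cannot move the window
        if not hmac.compare_digest(tag(self.key, seq, msg), t):
            return "rejected: bad tag"
        if seq <= self.highest_seen:
            return "rejected: replay"
        self.highest_seen = seq
        return "accepted"


def demo(key: bytes) -> list:
    """Constructed traffic: two fresh messages, a verbatim replay of the first, and the second
    message's tag re-sent under a new sequence number."""
    r = Receiver(key)
    m1, m2 = b"transfer 10", b"transfer 20"
    t1, t2 = tag(key, 1, m1), tag(key, 2, m2)
    return [
        r.accept(1, m1, t1),   # fresh
        r.accept(2, m2, t2),   # fresh
        r.accept(1, m1, t1),   # same packet delivered again: valid tag, stale counter
        r.accept(3, m2, t2),   # counter changed to look fresh: tag no longer matches
    ]


if __name__ == "__main__":
    for outcome in demo(b"k" * 32):
        print(outcome)
```

A strictly increasing counter drops legitimate packets that arrive out of order; protocols that tolerate reordering keep a sliding window of recently seen numbers instead, but the two checks (tag first, then freshness) stay in the same order.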

Naïve CBC-MAC

Let {F_k}_{k ∈ {0,1}^*} be any PRF family.
Gen(1^n) outputs k ←R {0,1}^n
MAC_k(m) does the following:
  split m into n-bit blocks m_1, …, m_l
  initialize t_0 = 0^n
  compute t_i = F_k(t_{i-1} ⊕ m_i) for i = 1, …, l
  output the tag t = t_l
Ver_k(m, t) outputs 1 if t = MAC_k(m) and 0 otherwise

Naïve CBC-MAC

(Diagram: m = m_1‖m_2‖m_3; starting from 0^n, each block is XORed into the running value and passed through F_k; the final output is t.)
Is naïve CBC-MAC existentially unforgeable under adaptive chosen message attacks? NO! (but why?)

Attacking naïve CBC-MAC

The MAC oracle runs k ← Gen(1^n). The attacker A, with oracle access to MAC(k, ·), submits a single one-block message m ∈ M and receives t ← MAC_k(m). It then outputs the pair (m‖(m ⊕ t), t) ∈ M × T.
Indeed: t_1 = F_k(m) = t, so that t_2 = F_k(m ⊕ t ⊕ t) = t.

CBC-MAC Fix 1: Prepend the length

Let {F_k}_{k ∈ {0,1}^*} be any PRF family.
Gen(1^n) outputs k ←R {0,1}^n
MAC_k(m) does the following:
  split m into n-bit blocks m_1, …, m_l
  initialize t_0 ← F_k(l) (l padded to n bits)
  compute t_i ← F_k(t_{i-1} ⊕ m_i) for i = 1, …, l
  output the tag t ← F_k(t_l)
Ver_k(m, t) outputs 1 if t = MAC_k(m) and 0 otherwise

CBC-MAC Fix 2: nested CBC-MAC (NMAC)

Let {F_k}_{k ∈ {0,1}^*} be any PRF family.
Gen(1^n) outputs k = (k_1, k_2) ←R {0,1}^n × {0,1}^n
MAC_k(m) does the following:
  split m into n-bit blocks m_1, …, m_l
  initialize t_0 ← 0^n
  compute t_i ← F_{k_1}(t_{i-1} ⊕ m_i) for i = 1, …, l
  output the tag t ← F_{k_2}(t_l) (naïve CBC-MAC on the tag using the second key)
Ver_k(m, t) outputs 1 if t = MAC_k(m) and 0 otherwise

CBC-MAC Fix 3: Use a length-specific key

Let {F_k}_{k ∈ {0,1}^*} be any PRF family.
Gen(1^n) outputs k ←R {0,1}^n
MAC_k(m) does the following:
  split m into n-bit blocks m_1, …, m_l
  compute a key k_l ← F_k(l) (derive a length-specific key from the length and the master key)
  initialize t_0 ← 0^n
  compute t_i ← F_{k_l}(t_{i-1} ⊕ m_i) for i = 1, …, l
  output the tag t ← t_l
Ver_k(m, t) outputs 1 if t = MAC_k(m) and 0 otherwise
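Added example (Python, not code from the slides) covering the "Naïve CBC-MAC", "Attacking naïve CBC-MAC" and the three "Fix" slides together: it implements the naïve chain and Fixes 1 to 3 over one shared PRF (HMAC-SHA256 truncated to a block, an assumption standing in for the abstract family {F_k}), then runs the single-query forgery from the attack slide against each variant and reports whether the forged pair verifies. Keys and messages are constructed; l is encoded as the block count padded to n bits.

```python
import hashlib
import hmac
import os

BLOCK = 16  # n = 128 bits


def prf(key: bytes, x: bytes) -> bytes:
    """F_k: HMAC-SHA256 truncated to one block (assumption; the slides use an abstract PRF family)."""
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def blocks(m: bytes) -> list:
    assert m and len(m) % BLOCK == 0, "whole n-bit blocks only, as on the slides"
    return [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]


def encode_len(m: bytes) -> bytes:
    """The block count l, padded to n bits."""
    return (len(m) // BLOCK).to_bytes(BLOCK, "big")


def chain(key: bytes, t: bytes, m: bytes) -> bytes:
    """t_i = F_k(t_{i-1} ⊕ m_i) for i = 1..l, starting from t_0 = t; returns t_l."""
    for mi in blocks(m):
        t = prf(key, xor(t, mi))
    return t


def naive_cbc_mac(key: bytes, m: bytes) -> bytes:
    return chain(key, bytes(BLOCK), m)                        # t_0 = 0^n, tag = t_l


def cbc_mac_prepend_length(key: bytes, m: bytes) -> bytes:
    return prf(key, chain(key, prf(key, encode_len(m)), m))  # Fix 1: t_0 = F_k(l), tag = F_k(t_l)


def nmac(key: bytes, m: bytes) -> bytes:
    k1, k2 = key[:BLOCK], key[BLOCK:]                          # Fix 2: k = (k_1, k_2)
    return prf(k2, chain(k1, bytes(BLOCK), m))                 # tag = F_{k_2}(t_l)


def cbc_mac_length_key(key: bytes, m: bytes) -> bytes:
    return chain(prf(key, encode_len(m)), bytes(BLOCK), m)   # Fix 3: k_l = F_k(l), tag = t_l


def verify(mac, key: bytes, m: bytes, t: bytes) -> bool:
    return hmac.compare_digest(mac(key, m), t)


def forgery_check(mac, key: bytes) -> bool:
    """The single-query attack from the 'Attacking naïve CBC-MAC' slide: obtain the tag t of a
    one-block m, then present (m || (m ⊕ t), t). Returns True when that pair verifies."""
    m = os.urandom(BLOCK)
    t = mac(key, m)
    return verify(mac, key, m + xor(m, t), t)


if __name__ == "__main__":
    k16, k32 = os.urandom(BLOCK), os.urandom(2 * BLOCK)
    for name, mac, key in [("naive CBC-MAC", naive_cbc_mac, k16),
                           ("Fix 1 (prepend length)", cbc_mac_prepend_length, k16),
                           ("Fix 2 (NMAC)", nmac, k32),
                           ("Fix 3 (length-specific key)", cbc_mac_length_key, k16)]:
        print(f"{name}: forged pair verifies = {forgery_check(mac, key)}")
```

For the naïve chain the second block m ⊕ t cancels the first block's output exactly as the slide's derivation shows; each fix breaks that cancellation differently (a length-dependent start value, a second key on the output, or a length-dependent key), so the same forged pair is rejected by all three.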

CBC-MAC vs CBC mode encryption

CBC mode uses a random IV. Otherwise, it cannot be IND-CPA secure!
CBC-MAC uses a fixed IV. Otherwise, it cannot be existentially unforgeable against chosen message attacks!
CBC mode outputs every block of ciphertext. Otherwise, it cannot be correct!
CBC-MAC only outputs the last block. Otherwise, it cannot be existentially unforgeable against chosen message attacks!