Automated Analysis and Synthesis of Modes of Operation and Authenticated Encryption Schemes
|
|
- Lesley Pope
- 6 years ago
- Views:
Transcription
1 Automated Analysis and Synthesis of Modes of Operation and Authenticated Encryption Schemes Alex J. Malozemoff University of Maryland Joint work with Matthew Green, Viet Tung Hoang, and Jonathan Katz Presented at the IACR School on Computer-aided Cryptography, University of Maryland, College Park, USA, June 1 June 4, 2015.
2 Introduction Problem: Designing/proving crypto constructions is hard 2 / 33
3 Introduction Problem: Designing/proving crypto constructions is hard (Possible) Solution: Use program synthesis! 2 / 33
4 Introduction Problem: Designing/proving crypto constructions is hard (Possible) Solution: Use program synthesis! Program Synthesis Automatically construct programs based on (small) set of rules Has been applied to crypto protocols (e.g., [AGHP12],[BCG + 13], etc.) 2 / 33
5 This Work Two results: 1. Apply program synthesis to modes of operation (CSF 2014) Joint with Matthew Green and Jonathan Katz 3 / 33
6 This Work Two results: 1. Apply program synthesis to modes of operation (CSF 2014) Joint with Matthew Green and Jonathan Katz 2. Extend ideas to authenticated encryption (new) Joint with Viet Tung Hoang and Jonathan Katz 3 / 33
7 This Work Two results: 1. Apply program synthesis to modes of operation (CSF 2014) Joint with Matthew Green and Jonathan Katz 2. Extend ideas to authenticated encryption (new) Joint with Viet Tung Hoang and Jonathan Katz 3 / 33
8 Background: Modes of Operation Blockcipher (= PRP, F k ): Encrypts fixed-length message (e.g., AES) 4 / 33
9 Background: Modes of Operation Blockcipher (= PRP, F k ): Encrypts fixed-length message (e.g., AES) Mode of Operation: encrypts arbitrary-length messages, using blockcipher as building block 4 / 33
10 Background: Modes of Operation Blockcipher (= PRP, F k ): Encrypts fixed-length message (e.g., AES) Mode of Operation: encrypts arbitrary-length messages, using blockcipher as building block Example: Cipher-Block Chaining (CBC) Mode m 1 m 2 m 3 IV F k F k F k IV c 1 c 2 c 3 4 / 33
11 Background: Security of Modes of Operation Want output of mode to look random to adversary IND$-CPA What is IND$-CPA? Adversary A has oracle access to either (World 0) a truly random function (World 1) the desired mode of operation A specifies messages to encrypt and receives resulting ciphertexts A s Goal: Decide whether in World 0 or World 1 Secure: A cannot distinguish between worlds 5 / 33
12 Motivation Lots of modes exist; some modes are complex Each scheme requires separate security proof proofs occasionally omitted, sometimes wrong! 6 / 33
13 Motivation Lots of modes exist; some modes are complex Each scheme requires separate security proof proofs occasionally omitted, sometimes wrong! Question: Can we automate the security analysis, synthesize new modes? Solution: Construct framework for automatically proving modes of operation secure, use this to synthesize new modes 6 / 33
14 Modes of Operation Model (single block of) mode as directed, acyclic graph Nodes atomic operations E.g., XOR two values, apply PRP to value, etc. Edges intermediate values 7 / 33
15 Modes of Operation Model (single block of) mode as directed, acyclic graph Nodes atomic operations E.g., XOR two values, apply PRP to value, etc. Edges intermediate values Each edge assigned label Constraints restrict how edges can be labeled 7 / 33
16 Modes of Operation Model (single block of) mode as directed, acyclic graph Nodes atomic operations E.g., XOR two values, apply PRP to value, etc. Edges intermediate values Each edge assigned label Constraints restrict how edges can be labeled Meta-Theorem: Exists valid labeling = mode IND$-CPA-secure 7 / 33
17 Mode of Operation: Formal Definition Defined by two algorithms: Init(1 n ) (c 0, z 0 ) Block(m i, z i 1 ) (c i, z i ) Enc k (m = m 1 m l ): Compute (c 0, z 0 ) Init(1 n ) For i = 1,..., l: Compute (c i, z i ) Block(m i, z i 1 ) Output c 0 c l m 1 m 2 m 3 IV F k F k F k IV c 1 c 2 c 3 8 / 33
18 Viewing Modes as Graphs GENRAND DUP IV m 1 m 2 m 3 OUT Init algorithm NEXTIV START M F k F k F k XOR IV c 1 c 2 c 3 PRP DUP OUT NEXTIV Block algorithm 9 / 33
19 Edge Labels: Intuition Recall: Edges denote intermediate values 10 / 33
20 Edge Labels: Intuition Recall: Edges denote intermediate values Intuition: Labels should capture properties of intermediate value E.g., does value look random to adversary? 10 / 33
21 Edge Labels: Intuition Recall: Edges denote intermediate values Intuition: Labels should capture properties of intermediate value E.g., does value look random to adversary? Goal: If values on edges into OUT nodes look random to adversary, then mode is IND$-CPA-secure 10 / 33
22 Edge Labels: Formalism (simplified) Each edge label is a tuple (type, flags): type {, R}: Type of intermediate value : Adversarially controlled R: Random flags {0, 1} 2 : Bit-vector denoting whether edge can be input into OUT or PRP E.g., prevents both DUP d values being output as ciphertext 11 / 33
23 Constraints GENRAND Constraints on Nodes: DUP OUT NEXTIV Init algorithm START M XOR PRP DUP OUT NEXTIV Block algorithm 12 / 33
24 Constraints GENRAND DUP (R, 11) Constraints on Nodes: GENRAND: Outgoing edge gets type R, flags.prp = 1, flags.out = 1 OUT NEXTIV Init algorithm START M XOR PRP DUP OUT NEXTIV Block algorithm 12 / 33
25 Constraints GENRAND (R, 11) DUP (R, 10) (R, 01) OUT NEXTIV Init algorithm Constraints on Nodes: GENRAND: Outgoing edge gets type R, flags.prp = 1, flags.out = 1 DUP: Outgoing edges inherit ingoing edge s type, split flag bits START M XOR PRP DUP OUT NEXTIV Block algorithm 12 / 33
26 Constraints GENRAND (R, 11) DUP (R, 10) (R, 01) OUT NEXTIV Init algorithm START M Constraints on Nodes: GENRAND: Outgoing edge gets type R, flags.prp = 1, flags.out = 1 DUP: Outgoing edges inherit ingoing edge s type, split flag bits START: Inherits type and flag bits of ingoing edge to NEXTIV (R, 01) XOR PRP DUP OUT NEXTIV Block algorithm 12 / 33
27 Constraints GENRAND (R, 11) DUP (R, 10) (R, 01) OUT NEXTIV Init algorithm START M (R, 01) (, 00) XOR Constraints on Nodes: GENRAND: Outgoing edge gets type R, flags.prp = 1, flags.out = 1 DUP: Outgoing edges inherit ingoing edge s type, split flag bits START: Inherits type and flag bits of ingoing edge to NEXTIV M: Outgoing edge gets type, flags.prp = 0, flags.out = 0 PRP DUP OUT NEXTIV Block algorithm 12 / 33
28 Constraints GENRAND (R, 11) DUP (R, 10) (R, 01) OUT NEXTIV Init algorithm START M (R, 01) (, 00) XOR (R, 01) PRP Constraints on Nodes: GENRAND: Outgoing edge gets type R, flags.prp = 1, flags.out = 1 DUP: Outgoing edges inherit ingoing edge s type, split flag bits START: Inherits type and flag bits of ingoing edge to NEXTIV M: Outgoing edge gets type, flags.prp = 0, flags.out = 0 XOR: At least one ingoing edge of type R; Outgoing edge gets type R and OR of ingoing edges flags DUP OUT NEXTIV Block algorithm 12 / 33
29 Constraints GENRAND (R, 11) DUP (R, 10) (R, 01) OUT NEXTIV Init algorithm START M (R, 01) (, 00) XOR (R, 01) PRP (R, 11) DUP Constraints on Nodes: GENRAND: Outgoing edge gets type R, flags.prp = 1, flags.out = 1 DUP: Outgoing edges inherit ingoing edge s type, split flag bits START: Inherits type and flag bits of ingoing edge to NEXTIV M: Outgoing edge gets type, flags.prp = 0, flags.out = 0 XOR: At least one ingoing edge of type R; Outgoing edge gets type R and OR of ingoing edges flags PRP: Ingoing edge must have type R and flags.prp = 1; Outgoing edge same as GENRAND OUT NEXTIV Block algorithm 12 / 33
30 Constraints GENRAND (R, 11) DUP (R, 10) (R, 01) OUT NEXTIV Init algorithm START M (R, 01) (, 00) XOR (R, 01) PRP (R, 11) DUP (R, 10) (R, 01) OUT NEXTIV Block algorithm Constraints on Nodes: GENRAND: Outgoing edge gets type R, flags.prp = 1, flags.out = 1 DUP: Outgoing edges inherit ingoing edge s type, split flag bits START: Inherits type and flag bits of ingoing edge to NEXTIV M: Outgoing edge gets type, flags.prp = 0, flags.out = 0 XOR: At least one ingoing edge of type R; Outgoing edge gets type R and OR of ingoing edges flags PRP: Ingoing edge must have type R and flags.prp = 1; Outgoing edge same as GENRAND OUT: Ingoing edge must have type R and flags.out = 1 12 / 33
31 Implementation Implemented model checker + synthesizer in OCaml Model Checker: (1) Checks whether an input mode is secure Recall: Valid labeling mode is secure Determining secure mode is a constraint-satisfaction problem Can use SMT solver (e.g., Z3) (2) Secure modes need to be decryptable Implement algorithm to check decryptability of mode Synthesizer: Can simply iterate over all possible graphs Use simple rules to reduce search space 13 / 33
32 Synthesis Results Ran model checker for modes with 10 instructions # Instructions Valid Decryptable Secure Total / 33
33 Synthesis Results Ran model checker for modes with 10 instructions # Instructions Valid Decryptable Secure Total We are able to synthesize all standard (secure) modes E.g., CBC, OFB, CFB, CTR, PCBC 14 / 33
34 Results Two results: 1. Apply program synthesis to modes of operation (CSF 2014) 2. Extend previous ideas to authenticated encryption (new) 15 / 33
35 Background: Authenticated Encryption Previous approach gave modes with privacy but not authenticity 16 / 33
36 Background: Authenticated Encryption Previous approach gave modes with privacy but not authenticity Authenticated Encryption (AE): mode of operation which encrypts and authenticates arbitrary-length messages 16 / 33
37 Background: Authenticated Encryption AE scheme: Tuple of algorithms Π = (K, E, D), where E(,, ) and D(,, ) are deterministic and take nonce as input, in addition to key and plaintext Adversary has access to oracle E(K,, ) and must never repeat a nonce Privacy: Similar to previous case Authenticity: Adversary wins if it can output (N, C) such that D(K, N, C) and C is not an oracle output 17 / 33
38 Background: Tweakable Blockciphers We restrict ourselves to AE schemes using tweakable blockciphers 18 / 33
39 Background: Tweakable Blockciphers We restrict ourselves to AE schemes using tweakable blockciphers Tweakable Blockcipher (TBC): Like (standard) blockcipher, except takes an extra argument (the tweak ): E : K T {0, 1} n {0, 1} n, where E K (T, ) is a PRP on {0, 1} n for every K K and T T 18 / 33
40 Background: Tweakable Blockciphers We restrict ourselves to AE schemes using tweakable blockciphers Tweakable Blockcipher (TBC): Like (standard) blockcipher, except takes an extra argument (the tweak ): E : K T {0, 1} n {0, 1} n, where E K (T, ) is a PRP on {0, 1} n for every K K and T T Simplifies analysis: If tweak is unique, output of TBC is random 18 / 33
41 Background: Tweakable Blockciphers We restrict ourselves to AE schemes using tweakable blockciphers Tweakable Blockcipher (TBC): Like (standard) blockcipher, except takes an extra argument (the tweak ): E : K T {0, 1} n {0, 1} n, where E K (T, ) is a PRP on {0, 1} n for every K K and T T Simplifies analysis: If tweak is unique, output of TBC is random Tweak depends on nonce, and nonce must be fresh on every query output of TBC is always random 18 / 33
42 Example: Offset Codebook (OCB) Mode M 1 M 2 M 3 M 4 Σ E K N,1 E K N,2 E K N,3 E K N,4 E K N, 4 C 1 C 2 C 3 tag C 4 τ 19 / 33
43 Authenticated Encryption: Formal Definition Defined by three algorithms (operating over two blocks at a time): Enc EK (T, X, M 1 M 2 ) (Y, C 1 C 2 ) 1 EK,E Dec K (T, Y, C1 C 2 ) (X, M 1 M 2 ) Tag EK (T, X) V 20 / 33
44 Authenticated Encryption: Formal Definition Defined by three algorithms (operating over two blocks at a time): Enc EK (T, X, M 1 M 2 ) (Y, C 1 C 2 ) 1 EK,E Dec K (T, Y, C1 C 2 ) (X, M 1 M 2 ) Tag EK (T, X) V Encryption procedure: X 0 0 2n ; v 1; M 1 M 2m M for i = 1 to m do T (N, v) (X i, C 2i 1 C 2i ) Enc EK (T, X i 1, M 2i 1 M 2i ) v v + Cost(Π) T (N, 1 v) V Tag EK (T, X) return C 1 C 2m V [1, τ ] 20 / 33
45 Authenticated Encryption: Formal Definition Decryption procedure: C 1 C 2m tag C X 0 0 2n ; v 1 for i = 1 to m do T (N, v) 1 EK,E (X i, M 2i 1 M 2i ) Dec K (T, Xi 1, C 2i 1 C 2i ) v v + Cost(Π) T (N, 1 v) V Tag EK (T, X m ) if tag V [1, τ ] then return else return M 1 M 2m 21 / 33
46 Viewing AE Schemes as Graphs Idea of modeling modes as graphs extends to AE setting: 22 / 33
47 Viewing AE Schemes as Graphs Idea of modeling modes as graphs extends to AE setting: INI IN IN INI IN IN INI XOR DUP DUP XOR TBC TBC TBC XOR TBC TBC XOR DUP DUP OUT FIN OUT OUT FIN OUT OUT Graph representations of Enc (left), Dec (middle), and Tag (right) for OCB mode. 22 / 33
48 Vertex Labels Each vertex label is a value type {$,, 0, 1}: $: Random : Adversarially controlled 0 and 1: Used to compare values on the same vertex in two runs of the Dec graph 0: The two values are the same 1: The two values are different 23 / 33
49 Constraints Constraints generally follow intuition and prior approach. E.g., $ $ TBC($ or 1) $ TBC(0) 0 TBC( ) 24 / 33
50 Verifying Privacy and Authenticity To show: Validly labeled graph privacy and authenticity 25 / 33
51 Verifying Privacy and Authenticity To show: Validly labeled graph privacy and authenticity Privacy: Outputs typed $ when inputs typed 25 / 33
52 Verifying Privacy and Authenticity To show: Validly labeled graph privacy and authenticity Privacy: Outputs typed $ when inputs typed Authenticity: Recall security definition: Adversary has access to oracle E(K,, ) and must never repeat a nonce Adversary wins if it can output (N, C) such that D(K, N, C) and C is not an oracle output 25 / 33
53 Verifying Privacy and Authenticity To show: Validly labeled graph privacy and authenticity Privacy: Outputs typed $ when inputs typed Authenticity: Recall security definition: Adversary has access to oracle E(K,, ) and must never repeat a nonce Adversary wins if it can output (N, C) such that D(K, N, C) and C is not an oracle output Consider forgery query (N, C) Want to show: Tag produced when running D(K, N, C) is random D(K, N, C) = w.h.p. 25 / 33
54 Verifying Privacy and Authenticity To show: Validly labeled graph privacy and authenticity Privacy: Outputs typed $ when inputs typed Authenticity: Recall security definition: Adversary has access to oracle E(K,, ) and must never repeat a nonce Adversary wins if it can output (N, C) such that D(K, N, C) and C is not an oracle output Consider forgery query (N, C) Want to show: Tag produced when running D(K, N, C) is random D(K, N, C) = w.h.p. Interesting Case: Suppose prior oracle query (N, M) produced ciphertext C ( C) C = C 1 C m and C = C 1 C m must differ in some block I.e., C i C i for some i 25 / 33
55 Verifying Privacy and Authenticity To show: Validly labeled graph privacy and authenticity Privacy: Outputs typed $ when inputs typed Authenticity: Recall security definition: Adversary has access to oracle E(K,, ) and must never repeat a nonce Adversary wins if it can output (N, C) such that D(K, N, C) and C is not an oracle output Consider forgery query (N, C) Want to show: Tag produced when running D(K, N, C) is random D(K, N, C) = w.h.p. Interesting Case: Suppose prior oracle query (N, M) produced ciphertext C ( C) C = C 1 C m and C = C 1 C m must differ in some block I.e., C i C i for some i Want to show: This difference tag is random 25 / 33
56 Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ i C i+1 26 / 33
57 Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ Suppose C i C i : Given INI = 0, IN 1 = 1, and IN 2 = 0, check that FIN = $ i C i+1 26 / 33
58 Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ Suppose C i C i : Given INI = 0, IN 1 = 1, and IN 2 = 0, check that FIN = $ Similar checks for cases where (1) C i+1 C C i C i and C i+1 C i+1 i+1 and (2) both i C i+1 26 / 33
59 Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ Suppose C i C i : Given INI = 0, IN 1 = 1, and IN 2 = 0, check that FIN = $ Similar checks for cases where (1) C i+1 C C i C i and C i+1 C i+1 State is random after this point i+1 and (2) both i C i+1 26 / 33
60 Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ Suppose C i C i : Given INI = 0, IN 1 = 1, and IN 2 = 0, check that FIN = $ Similar checks for cases where (1) C i+1 C C i C i and C i+1 C i+1 State is random after this point i+1 and (2) both 2. Consider Dec graph on blocks C i+2 C i+3 and C i+2 C i+3 i C i+1 26 / 33
61 Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ Suppose C i C i : Given INI = 0, IN 1 = 1, and IN 2 = 0, check that FIN = $ Similar checks for cases where (1) C i+1 C C i C i and C i+1 C i+1 State is random after this point i+1 and (2) both 2. Consider Dec graph on blocks C i+2 C i+3 and C i+2 C i+3 Given INI = $, check that FIN = $ i C i+1 26 / 33
62 Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ Suppose C i C i : Given INI = 0, IN 1 = 1, and IN 2 = 0, check that FIN = $ Similar checks for cases where (1) C i+1 C C i C i and C i+1 C i+1 State is random after this point i+1 and (2) both 2. Consider Dec graph on blocks C i+2 C i+3 and C i+2 C i+3 Given INI = $, check that FIN = $ State continues to be random i C i+1 26 / 33
63 Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ Suppose C i C i : Given INI = 0, IN 1 = 1, and IN 2 = 0, check that FIN = $ Similar checks for cases where (1) C i+1 C C i C i and C i+1 C i+1 State is random after this point i+1 and (2) both 2. Consider Dec graph on blocks C i+2 C i+3 and C i+2 C i+3 Given INI = $, check that FIN = $ State continues to be random 3. Consider Tag graph i C i+1 26 / 33
64 Verifying Authenticity Authenticity: 1. Consider Dec graph on first two-block chunk C i C i+1 and C where C and C differ Suppose C i C i : Given INI = 0, IN 1 = 1, and IN 2 = 0, check that FIN = $ Similar checks for cases where (1) C i+1 C C i C i and C i+1 C i+1 State is random after this point i+1 and (2) both 2. Consider Dec graph on blocks C i+2 C i+3 and C i+2 C i+3 Given INI = $, check that FIN = $ State continues to be random 3. Consider Tag graph Given INI = $, check that OUT = $ Tag is random i C i+1 26 / 33
65 Verifying Authenticity: Example Recall OCB: M1 M2 M3 M4 Σ E K N,1 E K N,2 E K N,3 E K N,4 E K N, 4 C1 C2 C3 C4 tag τ 27 / 33
66 Verifying Authenticity: Example Recall OCB: M1 M2 M3 M4 Σ E K N,1 E K N,2 E K N,3 E K N,4 E K N, 4 C1 C2 C3 C4 tag τ Suppose two queries are: C = C 1 C 2 C 3 C 4 tag C = C 1 C 2 C 3C 4 tag 27 / 33
67 Verifying Authenticity: Example Recall OCB: M1 M2 M3 M4 Σ E K N,1 E K N,2 E K N,3 E K N,4 E K N, 4 C1 C2 C3 C4 tag τ Suppose two queries are: C = C 1 C 2 C 3 C 4 tag C = C 1 C 2 C 3C 4 tag Need to show: 1. Dec graph with INI = 0, IN 1 = 0, IN 2 = 1 FIN = $ 27 / 33
68 Verifying Authenticity: Example Recall OCB: M1 M2 M3 M4 Σ E K N,1 E K N,2 E K N,3 E K N,4 E K N, 4 C1 C2 C3 C4 tag τ Suppose two queries are: C = C 1 C 2 C 3 C 4 tag C = C 1 C 2 C 3C 4 tag Need to show: 1. Dec graph with INI = 0, IN 1 = 0, IN 2 = 1 FIN = $ 2. Dec graph with INI = $, IN 1 = 0, IN 2 = 0 FIN = $ 27 / 33
69 Verifying Authenticity: Example Recall OCB: M1 M2 M3 M4 Σ E K N,1 E K N,2 E K N,3 E K N,4 E K N, 4 C1 C2 C3 C4 tag τ Suppose two queries are: C = C 1 C 2 C 3 C 4 tag C = C 1 C 2 C 3C 4 tag Need to show: 1. Dec graph with INI = 0, IN 1 = 0, IN 2 = 1 FIN = $ 2. Dec graph with INI = $, IN 1 = 0, IN 2 = 0 FIN = $ 3. Tag graph with INI = $ OUT = $ 27 / 33
70 Implementation Implemented model checker + synthesizer in OCaml Model Checker: Checks whether input mode (given as Enc graph) is secure Need to generate Dec graph from Enc graph to check privacy Checks simple enough that SMT solver not needed! Also include check for parallelizability of mode Synthesizer: As before, can simply iterate over all possible graphs Use various techniques to reduce search space 28 / 33
71 Synthesis Results Ran model checker for modes with 16 instructions # Nodes Secure Optimal Parallel Running Time min min min hours hours Total / 33
72 Synthesis Results Ran model checker for modes with 16 instructions # Nodes Secure Optimal Parallel Running Time min min min hours hours Total Among 5 parallel modes of size 12, only one previously known (OCB) 29 / 33
73 Synthesis Results: Example Schemes M1 M2 M3 M4 C1 C2 C3 C4 tag τ M1 M2 M3 M4 Σ C1 C2 C3 C4 tag τ M1 M2 M3 M4 C1 C2 C3 C4 tag τ 30 / 33
74 Synthesis Results: Example Schemes Implemented these (three) schemes, and compared with running time of OCB (fastest known AE scheme): Scheme Enc Dec OCB ± ± ± ± ± ± ± ± Results in cycles per bytes with 95% confidence intervals over 100 runs of each scheme 31 / 33
75 Synthesis Results: Example Schemes Implemented these (three) schemes, and compared with running time of OCB (fastest known AE scheme): Scheme Enc Dec OCB ± ± ± ± ± ± ± ± Results in cycles per bytes with 95% confidence intervals over 100 runs of each scheme Synthesized schemes competitive with OCB! 31 / 33
76 Conclusion 1. Introduced method for reasoning about modes of operation Meta-theorem: Validly labeled mode is secure Can use SMT solver to automatically prove modes secure 32 / 33
77 Conclusion 1. Introduced method for reasoning about modes of operation Meta-theorem: Validly labeled mode is secure Can use SMT solver to automatically prove modes secure 2. Extend to reasoning about (class of) authenticated encryption schemes Uses same graph idea Key insight: Use tweakable blockciphers to simplify analysis Captures (simplified variant of) many modes: OCB, XCBC, COPA, OTR, CCM Synthesized new schemes as efficient as fastest known AE scheme 32 / 33
78 Conclusion 1. Introduced method for reasoning about modes of operation Meta-theorem: Validly labeled mode is secure Can use SMT solver to automatically prove modes secure 2. Extend to reasoning about (class of) authenticated encryption schemes Uses same graph idea Key insight: Use tweakable blockciphers to simplify analysis Captures (simplified variant of) many modes: OCB, XCBC, COPA, OTR, CCM Synthesized new schemes as efficient as fastest known AE scheme 3. Open Problem: Can we apply this approach to other primitives? 32 / 33
79 Thank You Any questions? Full Versions: Modes of operation: AE schemes: To appear shortly Code: Modes of operation: AE schemes: 33 / 33
Automated Analysis and Synthesis of Block-Cipher Modes of Operation
Automated Analysis and Synthesis of Block-Cipher Modes of Operation Alex J. Malozemoff 1 Jonathan Katz 1 Matthew D. Green 2 1 University of Maryland 2 Johns Hopkins University Presented at the IEEE Computer
More informationFeedback Week 4 - Problem Set
4/26/13 Homework Feedback Introduction to Cryptography Feedback Week 4 - Problem Set You submitted this homework on Mon 17 Dec 2012 11:40 PM GMT +0000. You got a score of 10.00 out of 10.00. Question 1
More informationCryptology complementary. Symmetric modes of operation
Cryptology complementary Symmetric modes of operation Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 05 03 Symmetric modes 2018 05 03
More informationCryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1
Cryptography CS 555 Topic 11: Encryption Modes and CCA Security CS555 Spring 2012/Topic 11 1 Outline and Readings Outline Encryption modes CCA security Readings: Katz and Lindell: 3.6.4, 3.7 CS555 Spring
More informationBlock cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75
Block cipher modes Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 75 Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 76 Block cipher modes Block ciphers (like
More information1 Achieving IND-CPA security
ISA 562: Information Security, Theory and Practice Lecture 2 1 Achieving IND-CPA security 1.1 Pseudorandom numbers, and stateful encryption As we saw last time, the OTP is perfectly secure, but it forces
More informationThe OCB Authenticated-Encryption Algorithm
The OCB Authenticated-Encryption Algorithm Ted Krovetz California State University, Sacramento, USA Phillip Rogaway University of California, Davis, USA IETF 83 Paris, France CFRG 11:20-12:20 in 212/213
More informationBlock ciphers, stream ciphers
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Jan 31, 2018 Announcements Project 1 is out, due Feb 14 midnight Recall: Block cipher A
More informationAuthenticated Encryption
18733: Applied Cryptography Anupam Datta (CMU) Authenticated Encryption Online Cryptography Course Authenticated Encryption Active attacks on CPA-secure encryption Recap: the story so far Confidentiality:
More informationBlock ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016
Block ciphers CS 161: Computer Security Prof. Raluca Ada Popa February 26, 2016 Announcements Last time Syntax of encryption: Keygen, Enc, Dec Security definition for known plaintext attack: attacker provides
More informationCryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security
Cryptography CS 555 Topic 8: Modes of Encryption, The Penguin and CCA security 1 Reminder: Homework 1 Due on Friday at the beginning of class Please typeset your solutions 2 Recap Pseudorandom Functions
More informationENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions
ENEE 457: Computer Systems Security 09/12/16 Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions Charalampos (Babis) Papamanthou Department of Electrical and Computer
More informationBlock ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 74 Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways
More informationCourse Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18
Course Map Key Establishment Authenticated Encryption Key Management COMP 7/8120 Cryptography and Data Security Lecture 8: How to use Block Cipher - many time key Stream Ciphers Block Ciphers Secret Key
More informationBlock Cipher Operation. CS 6313 Fall ASU
Chapter 7 Block Cipher Operation 1 Outline q Multiple Encryption and Triple DES q Electronic Codebook q Cipher Block Chaining Mode q Cipher Feedback Mode q Output Feedback Mode q Counter Mode q XTS-AES
More informationMcOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes
McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes Ewan Fleischmann Christian Forler Stefan Lucks Bauhaus-Universität Weimar FSE 2012 Fleischmann, Forler, Lucks. FSE 2012. McOE:
More informationOCB Mode. Mihir Bellare UCSD John Black UNR Ted Krovetz Digital Fountain
OCB Mode Phillip Rogaway Department of Computer Science UC Davis + Chiang Mai Univ rogaway@cs.ucdavis.edu http://www.cs.ucdavis.edu/~rogaway +66 1 530 7620 +1 530 753 0987 Mihir Bellare UCSD mihir@cs.ucsd.edu
More informationLecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24
Assume encryption and decryption use the same key. Will discuss how to distribute key to all parties later Symmetric ciphers unusable for authentication of sender Lecturers: Mark D. Ryan and David Galindo.
More informationPermutation-based Authenticated Encryption
Permutation-based Authenticated Encryption Gilles Van Assche 1 1 STMicroelectronics COST Training School on Symmetric Cryptography and Blockchain Torremolinos, Spain, February 2018 1 / 44 Outline 1 Why
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Message Authentication Codes Syntax: Key space K λ Message space M Tag space T λ MAC(k,m) à σ Ver(k,m,σ) à 0/1 Correctness: m,k,
More informationECE 646 Lecture 8. Modes of operation of block ciphers
ECE 646 Lecture 8 Modes of operation of block ciphers Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5 th and 6 th Edition, Chapter 6 Block Cipher Operation II. A. Menezes, P.
More informationPaper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage
1 Announcements Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage 2 Recap and Overview Previous lecture: Symmetric key
More informationSymmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University
Symmetric-Key Cryptography Part 1 Tom Shrimpton Portland State University Building a privacy-providing primitive I want my communication with Bob to be private -- Alice What kind of communication? SMS?
More informationCS 495 Cryptography Lecture 6
CS 495 Cryptography Lecture 6 Dr. Mohammad Nabil Alaggan malaggan@fci.helwan.edu.eg Helwan University Faculty of Computers and Information CS 495 Fall 2014 http://piazza.com/fci_helwan_university/fall2014/cs495
More informationRefresher: Applied Cryptography
Refresher: Applied Cryptography (emphasis on common tools for secure processors) Chris Fletcher Fall 2017, 598 CLF, UIUC Complementary reading Intel SGX Explained (ISE) Victor Costan, Srini Devadas https://eprint.iacr.org/2016/086.pdf
More informationInformation Security CS526
Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for
More information1 Defining Message authentication
ISA 562: Information Security, Theory and Practice Lecture 3 1 Defining Message authentication 1.1 Defining MAC schemes In the last lecture we saw that, even if our data is encrypted, a clever adversary
More informationCLOC: Authenticated Encryption
CLOC: Authenticated Encryption for Short Input Tetsu Iwata, Nagoya University Kazuhiko Minematsu, NEC Corporation Jian Guo, Nanyang Technological University Sumio Morioka, NEC Europe Ltd. FSE 2014 March
More informationIntroduction to cryptology (GBIN8U16)
Introduction to cryptology (GBIN8U16) Finite fields, block ciphers Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 01 31 Finite fields,
More informationAuthenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol
Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol Mihir Bellare UC San Diego mihir@cs.ucsd.edu Tadayoshi Kohno UC San Diego tkohno@cs.ucsd.edu Chanathip Namprempre Thammasat
More informationScanned by CamScanner
Scanned by CamScanner Scanned by CamScanner Scanned by CamScanner Scanned by CamScanner Scanned by CamScanner Scanned by CamScanner Scanned by CamScanner Symmetric-Key Cryptography CS 161: Computer Security
More informationBlockcipher-based Authentcated Encryption: How Small Can We Go? CHES 2017, Taipei, Taiwan
Blockcipher-based Authentcated Encryption: How Small Can We Go? Avik Chakraborti (NTT Secure Platform laboratories, Japan) Tetsu Iwata (Nagoya University, Japan) Kazuhiko Minematsu (NEC Corporation, Japan)
More informationIntroduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers
Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers Stream Ciphers Start with a secret key ( seed ) Generate a keying stream i-th bit/byte of keying stream is a function
More informationComputer Security CS 526
Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability
More informationCryptography 2017 Lecture 3
Cryptography 2017 Lecture 3 Block Ciphers - AES, DES Modes of Operation - ECB, CBC, CTR November 7, 2017 1 / 1 What have seen? What are we discussing today? What is coming later? Lecture 2 One Time Pad
More informationAuthenticated encryption
Authenticated encryption Mac forgery game M {} k R 0,1 s m t M M {m } t mac k (m ) Repeat as many times as the adversary wants (m, t) Wins if m M verify m, t = 1 Mac forgery game Allow the adversary to
More informationAuthenticated Encryption
18733: Applied Cryptography Anupam Datta (CMU) Authenticated Encryption Online Cryptography Course Authenticated Encryption Active attacks on CPA-secure encryption Recap: the story so far Confidentiality:
More informationGoals of Modern Cryptography
Goals of Modern Cryptography Providing information security: Data Privacy Data Integrity and Authenticity in various computational settings. Data Privacy M Alice Bob The goal is to ensure that the adversary
More informationSymmetric-Key Cryptography
Symmetric-Key Cryptography CS 161: Computer Security Prof. Raluca Ada Popa Sept 13, 2016 Announcements Project due Sept 20 Special guests Alice Bob The attacker (Eve - eavesdropper, Malice) Sometimes Chris
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 4 Markus Bläser, Saarland University Message authentication How can you be sure that a message has not been modified? Encyrption is not
More informationECE 646 Lecture 7. Modes of Operation of Block Ciphers. Modes of Operation. Required Reading:
C 646 Lecture 7 Modes of Operation of Block Ciphers Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5th dition, Chapter 6 Block Cipher Operation II. A. Menezes, P. van Oorschot,
More informationHomework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING
UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING ENEE 457 Computer Systems Security Instructor: Charalampos Papamanthou Homework 2 Out: 09/23/16 Due: 09/30/16 11:59pm Instructions
More informationSome Aspects of Block Ciphers
Some Aspects of Block Ciphers Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in CU-ISI Tutorial Workshop on Cryptology, 17 th July 2011 Palash Sarkar
More informationAuthenticated Encryption: Relations among notions and analysis of the generic composition paradigm
Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm Mihir Bellare Chanathip Namprempre July 14, 2007 Abstract An authenticated encryption scheme is a symmetric
More informationSummary on Crypto Primitives and Protocols
Summary on Crypto Primitives and Protocols Levente Buttyán CrySyS Lab, BME www.crysys.hu 2015 Levente Buttyán Basic model of cryptography sender key data ENCODING attacker e.g.: message spatial distance
More informationCryptography. Andreas Hülsing. 6 September 2016
Cryptography Andreas Hülsing 6 September 2016 1 / 21 Announcements Homepage: http: //www.hyperelliptic.org/tanja/teaching/crypto16/ Lecture is recorded First row might be on recordings. Anything organizational:
More informationABC - A New Framework for Block Ciphers. Uri Avraham
ABC - A New Framework for Block Ciphers Uri Avraham ABC - A New Framework for Block Ciphers Research Thesis Submitted in partial fulfillment of the requirements for the degree of Master of Science in
More informationLecture 6: Symmetric Cryptography. CS 5430 February 21, 2018
Lecture 6: Symmetric Cryptography CS 5430 February 21, 2018 The Big Picture Thus Far Attacks are perpetrated by threats that inflict harm by exploiting vulnerabilities which are controlled by countermeasures.
More informationSymmetric Crypto MAC. Pierre-Alain Fouque
Symmetric Crypto MAC Pierre-Alain Fouque Message Authentication Code (MAC) Warning: Encryption does not provide integrity Eg: CTR mode ensures confidentiality if the blockcipher used is secure. However,
More informationIntroduction to Cryptography. Lecture 3
Introduction to Cryptography Lecture 3 Benny Pinkas March 6, 2011 Introduction to Cryptography, Benny Pinkas page 1 Pseudo-random generator seed s (random, s =n) Pseudo-random generator G Deterministic
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 8 2018 Review CPA-secure construction Security proof by reduction
More informationCryptographic hash functions and MACs
Cryptographic hash functions and MACs Myrto Arapinis School of Informatics University of Edinburgh October 05, 2017 1 / 21 Introduction Encryption confidentiality against eavesdropping 2 / 21 Introduction
More informationHow to Use Your Block Cipher? Palash Sarkar
How to Use Your Block Cipher? Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in IACITS New Delhi, 2 nd April 2009 Palash Sarkar (ISI, Kolkata) Using
More informationPipelineable On-Line Encryption (POE)
Pipelineable On-Line Encryption (POE) FSE 2014 Farzaneh Abed 2 Scott Fluhrer 1 John Foley 1 Christian Forler 2 Eik List 2 Stefan Lucks 2 David McGrew 1 Jakob Wenzel 2 1 Cisco Systems, 2 Bauhaus-Universität
More informationAutomatic Proofs for Symmetric Encryption Modes
Automatic Proofs for Symmetric Encryption Modes Martin Gagné 2 Pascal Lafourcade 1 Yassine Lakhnech 1 Reihaneh Safavi-Naini 2 1 Université Grenoble 1, CNRS,Verimag, FRANCE 2 Department of Computer Science,
More informationUpdates on CLOC and SILC Version 3
Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, Sumio Morioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan * Supported in part by JSPS KAKENHI, Grant in
More informationLecture 8: Cryptography in the presence of local/public randomness
Randomness in Cryptography Febuary 25, 2013 Lecture 8: Cryptography in the presence of local/public randomness Lecturer: Yevgeniy Dodis Scribe: Hamidreza Jahanjou So far we have only considered weak randomness
More informationISA 562: Information Security, Theory and Practice. Lecture 1
ISA 562: Information Security, Theory and Practice Lecture 1 1 Encryption schemes 1.1 The semantics of an encryption scheme. A symmetric key encryption scheme allows two parties that share a secret key
More informationSymmetric Cryptography
CSE 484 (Winter 2010) Symmetric Cryptography Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...
More informationUpdates on CLOC and SILC
Updates on CLOC and SILC Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, Sumio Morioka, and Eita Kobayashi DIAC 2015 September 28, 2015, Singapore * Supported in part by JSPS KAKENHI, Grant in Aid for Scientific
More informationMultiple forgery attacks against Message Authentication Codes
Multiple forgery attacks against Message Authentication Codes David A. McGrew and Scott R. Fluhrer Cisco Systems, Inc. {mcgrew,sfluhrer}@cisco.com May 31, 2005 Abstract Some message authentication codes
More informationAuthenticated Encryption: How Reordering can Impact Performance
Authenticated Encryption: How Reordering can Impact Performance Basel Alomair Network Security Lab (NSL) University of Washington alomair@uw.edu Abstract. In this work, we look at authenticated encryption
More informationA Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security. T. Shrimpton October 18, 2004
A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security T. Shrimpton October 18, 2004 Abstract In this note we introduce a variation of the standard definition of chosen-ciphertext
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Pseudorandom Permutations unctions that look like random permutations Syntax: Key space K (usually {0,1}
More informationDIAC 2015, Sept, Singapore
π-cipher V2.0 Danilo Gligoroski, ITEM, NTNU, Norway Hristina Mihajloska, FCSE, UKIM, Macedonia Simona Samardjiska, FCSE, UKIM, Macedonia Håkon Jacobsen, ITEM, NTNU, Norway Mohamed El-Hadedy, University
More informationNetwork Security. Chapter 4 Symmetric Encryption. Cornelius Diekmann With contributions by Benjamin Hof. Technische Universität München
Networ Security Chapter 4 Symmetric Encryption Cornelius Diemann With contributions by Benjamin Hof Lehrstuhl für Netzarchiteturen und Netzdienste Institut für Informati Version: October 29, 2015 IN2101,
More informationCryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39
Cryptography 2017 Lecture 4 Attacks against Block Ciphers Introduction to Public Key Cryptography November 14, 2017 1 / 39 What have seen? What are we discussing today? What is coming later? Lecture 3
More informationOn Symmetric Encryption with Distinguishable Decryption Failures
On Symmetric Encryption with Distinguishable Decryption Failures Alexandra Boldyreva, Jean Paul Degabriele, Kenny Paterson, and Martijn Stam FSE - 12th Mar 2013 Outline Distinguishable Decryption Failures
More information10 Chosen Ciphertext Attacks
10 Chosen Ciphertext Attacks In this chapter we discuss the limitations of the CPA security definition. In short, the CPA security definition considers only the information leaked to the adversary by honestlygenerated
More informationContent of this part
UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 5 More About Block Ciphers Israel Koren ECE597/697 Koren Part.5.1 Content of this
More informationThe Extended Codebook (XCB) Mode of Operation
The Extended Codebook (XCB) Mode of Operation David A. McGrew and Scott Fluhrer Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95032 {mcgrew,sfluhrer}@cisco.com October 25, 2004 Abstract We describe
More informationHomework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.
Homework 2: Symmetric Crypto February 17, 2015 Submission policy. information: This assignment MUST be submitted as a PDF via websubmit and MUST include the following 1. List of collaborators 2. List of
More informationCHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))
CHAPTER 6. SYMMETRIC CIPHERS Multiple encryption is a technique in which an encryption algorithm is used multiple times. In the first instance, plaintext is converted to ciphertext using the encryption
More informationpage 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas
Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher
More informationCS155. Cryptography Overview
CS155 Cryptography Overview Cryptography! Is n A tremendous tool n The basis for many security mechanisms! Is not n The solution to all security problems n Reliable unless implemented properly n Reliable
More information: Practical Cryptographic Systems March 25, Midterm
650.445: Practical Cryptographic Systems March 25, 2010 Instructor: Matthew Green Midterm Name: As with any exam, please do not collaborate or otherwise share information with any other person. You are
More informationMidgame Attacks. (and their consequences) Donghoon Chang 1 and Moti Yung 2. IIIT-Delhi, India. Google Inc. & Columbia U., USA
Midgame Attacks (and their consequences) Donghoon Chang 1 and Moti Yung 2 1 IIIT-Delhi, India 2 Google Inc. & Columbia U., USA Crypto is a Technical Science As technology moves, so should crypto designs
More informationStorage Encryption: A Cryptographer s View. Shai Halevi IBM Research
Storage Encryption: A Cryptographer s View Shai Halevi IBM Research Motivation You re working on storage encryption? It must be the most boring thing in the world Anonymous Encryption is the most basic
More informationThe JAMBU Lightweight Authentication Encryption Mode (v2)
The JAMBU Lightweight Authentication Encryption Mode (v2) 29 Aug, 2015 Designers: Hongjun Wu, Tao Huang Submitters: Hongjun Wu, Tao Huang Contact: wuhongjun@gmail.com Division of Mathematical Sciences
More informationOn authenticated encryption and the CAESAR competition
On authenticated encryption and the CAESAR competition Joan Daemen STMicroelectronics and Radboud University Crypto summer school 2015 Šibenik, Croatia, May 31 - June 5, 2015 1 / 39 What is authenticated
More informationUsing block ciphers 1
Using block ciphers 1 Using block ciphers DES is a type of block cipher, taking 64-bit plaintexts and returning 64-bit ciphetexts. We now discuss a number of ways in which block ciphers are employed in
More informationIDEA, RC5. Modes of operation of block ciphers
C 646 - Lecture 8 IDA, RC5 Modes of operation of block ciphers Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5th dition, Chapter 6 Block Cipher Operation II. A. Menezes, P. van
More informationLecture 8 - Message Authentication Codes
Lecture 8 - Message Authentication Codes Benny Applebaum, Boaz Barak October 12, 2007 Data integrity Until now we ve only been interested in protecting secrecy of data. However, in many cases what we care
More informationThe Curse of Small Domains New Attacks on Format-Preserving Encryption
The Curse of Small Domains New Attacks on Format-Preserving Encryption Viet Tung Hoang Florida State University Stefano Tessaro UC Santa Barbara Ni Trieu Oregon State University CRYPTO 2018 August 20,
More informationStream Ciphers An Overview
Stream Ciphers An Overview Palash Sarkar Indian Statistical Institute, Kolkata email: palash@isicalacin stream cipher overview, Palash Sarkar p1/51 Classical Encryption Adversary message ciphertext ciphertext
More informationCIS 4360 Secure Computer Systems Symmetric Cryptography
CIS 4360 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2017 Previous Class Classical Cryptography Frequency analysis Never use home-made cryptography Goals of Cryptography
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 4, 2017 CPSC 467, Lecture 11 1/39 ElGamal Cryptosystem Message Integrity and Authenticity Message authentication codes
More informationLecture 5. Constructions of Block ciphers. Winter 2018 CS 485/585 Introduction to Cryptography
1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 5 Portland State University Jan. 23, 2018 Lecturer: Fang Song Draft note. Version: January 25, 2018. Email fang.song@pdx.edu for comments and
More informationCIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm
CIS 4360 Introduction to Computer Security Fall 2010 WITH ANSWERS in bold Name:.................................... Number:............ First Midterm Instructions This is a closed-book examination. Maximum
More informationIntroduction to Cryptography. Lecture 3
Introduction to Cryptography Lecture 3 Benny Pinkas March 6, 2011 Introduction to Cryptography, Benny Pinkas page 1 Pseudo-random generator seed s (random, s =n) Pseudo-random generator G Deterministic
More informationAdvanced Cryptography 1st Semester Symmetric Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 22th 2007 1 / 58 Last Time (I) Security Notions Cyclic Groups Hard Problems One-way IND-CPA,
More informationDeoxys v1.41. Designers/Submitters: School of Physical and Mathematical Science, Nanyang Technological University, Singapore
Deoxys v1.41 Designers/Submitters: Jérémy Jean 1,2, Ivica Nikolić 2, Thomas Peyrin 2, Yannick Seurin 1 1 ANSSI, Paris, France 2 Division of Mathematical Sciences, School of Physical and Mathematical Science,
More informationSecurity & Indistinguishability in the Presence of Traffic Analysis
Security & Indistinguishability in the Presence of Traffic Analysis Cristina Onete 1 Daniele Venturi 2 1 Darmstadt University of Technology & CASED, Germany www.minicrypt.de 2 SAPIENZA University of Rome,
More informationHomework 3: Solution
Homework 3: Solution March 28, 2013 Thanks to Sachin Vasant and Xianrui Meng for contributing their solutions. Exercise 1 We construct an adversary A + that does the following to win the CPA game: 1. Select
More informationSymmetric Encryption 2: Integrity
http://wwmsite.wpengine.com/wp-content/uploads/2011/12/integrity-lion-300x222.jpg Symmetric Encryption 2: Integrity With material from Dave Levin, Jon Katz, David Brumley 1 Summing up (so far) Computational
More informationInductive Trace Properties for Computational Security
Inductive Trace Properties for Computational Security Arnab Roy, Anupam Datta, Ante Derek, John C. Mitchell Abstract Protocol authentication properties are generally trace-based, meaning that authentication
More informationProvably Secure MACs from Differentially-uniform Permutations and AES-based Implementations
Provably Secure MACs from Differentially-uniform Permutations and AES-based Implementations Kazuhiko Minematsu and Yukiyasu Tsunoo NEC Corporation Fast Software Encryption 2006, Graz, Austria Message Authentication
More informationSECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY
SECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY Edoardo Persichetti University of Warsaw 06 June 2013 (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE 2013 1 / 20 Part I PRELIMINARIES
More informationsymmetric cryptography s642 computer security adam everspaugh
symmetric cryptography s642 adam everspaugh ace@cs.wisc.edu computer security Announcements Midterm next week: Monday, March 7 (in-class) Midterm Review session Friday: March 4 (here, normal class time)
More informationCSE 127: Computer Security Cryptography. Kirill Levchenko
CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified
More information