CSC 5930/9010 Modern Cryptography: Cryptographic Hashing
1 CSC 5930/9010 Modern Cryptography: Cryptographic Hashing Professor Henry Carter Fall 2018
2 Recap
- Message integrity guarantees that a message has not been modified by an adversary
- Definition requires that an adversary can't forge a tag
- We can construct efficient (and inefficient) MACs using PRFs
- More efficient constructions will be built in the next chapter
- Combined secrecy and integrity provides authenticated encryption
- This is possible but problematic if the underlying components are not used correctly!
3 Identification
- In the real world, we use unique identifiers for a variety of applications
  - SSN
  - address
  - Fingerprints
- In cryptography, we often need unique and unpredictable identifiers
- Cryptographic hashes provide a tool to achieve this
- Hash functions will be used in many constructions, both symmetric key and public key
4 Hash functions
- In general, a function that reduces an arbitrary-length input to a fixed-length output is a hash function
- Hash functions have many uses outside of cryptography
  - Can anyone name one?
- For this class, we want hashes that can provide guarantees against active adversaries
5 Cryptographic Guarantees
- Collision-resistant
  - Hard to find two inputs that hash to the same output
- Preimage-resistant
  - Given a hash, hard to find the input (preimage) that generated it
- Unpredictable source of randomness, or "Random oracle"
  - More on this later
6 A simple (insecure) example
- For building a hash table of length N, arithmetic modulo N works as a hash function
- Is it collision-resistant?
- Is it preimage-resistant?
7 Defining Security
- The definitions of collision-resistant and preimage-resistant are actually related
- We focus on the strongest definition, collision-resistance
- Like previous constructions, we define security based on an adversarial game
8 Hash function definition
- Gen: takes an input $1^n$ and outputs a key $s$
- H: takes an input of a key $s$ and a string $x \in \{0,1\}^*$ and outputs a string $H^s(x) \in \{0,1\}^{\ell(n)}$, where $\ell$ is the fixed output length
- If H only accepts inputs of a fixed length that is greater than $\ell$, we call H a compression function
9 Hash-coll experiment
The collision-finding experiment $\text{Hash-coll}_{A,\Pi}(n)$:
1. Generate a key $s$ using $\text{Gen}(1^n)$
2. $A$ is given $s$ and outputs $x, x'$. These values must be in $\{0,1\}^{\ell'(n)}$ if the hash is fixed-length.
3. The experiment outputs 1 iff $x \neq x'$ and $H^s(x) = H^s(x')$
A hash function $\Pi = (\text{Gen}, H)$ is collision resistant if for all PPT adversaries $A$ there is a negligible function negl such that
$$\Pr[\text{Hash-coll}_{A,\Pi}(n) = 1] \le \text{negl}(n)$$
- Without compression, this is trivial to achieve
10 Keys in hashes?
- In reality, hash functions are usually unkeyed
- In theory, this is an issue since an arbitrary adversary can hard-code a collision and output it against any Hash-coll challenge
- In reality, as long as no collisions are found in the unkeyed hash, the theory still holds
11 Weaker Definitions
- In addition to collision-resistance, we also consider two other security definitions:
  - Target collision-resistance
  - Preimage-resistance (one-way)
- It can be shown that collision-resistance implies both of these weaker notions
  - Fewer restrictions on the adversary == stronger definition
- In practice, we generally look for collision-resistance
12 Constructing Hash Functions
- As with block ciphers and modes of operations, hash functions are generally built from compression functions
- Domain extension techniques allow the compression function to be chained together for longer inputs
- The Merkle-Damgård transform is by far the most common domain extension technique
13 Merkle-Damgård
14 Applications
- Hash functions are useful in a plethora of cryptographic applications
  - We will study more in the second half of the semester
- They are primarily useful in the symmetric-key setting for building MACs
- We can construct a more efficient MAC than CBC-MAC using hash functions
15 First example: Hash-and-MAC
Let $\Pi = (\text{Mac}, \text{Vrfy})$ be a MAC for messages of length $\ell(n)$, and $\Pi_H = (\text{Gen}_H, H)$ be a hash function with output length $\ell(n)$. Construct a MAC $\Pi' = (\text{Gen}', \text{Mac}', \text{Vrfy}')$ for arbitrary-length messages as:
- $\text{Gen}'$: on input $1^n$ choose a uniform key $k \in \{0,1\}^n$ and run $\text{Gen}_H(1^n)$ to obtain $s$. The key is $k' := \langle k, s \rangle$
- $\text{Mac}'$: on input $\langle k, s \rangle$ and $m \in \{0,1\}^*$, output $t \leftarrow \text{Mac}_k(H^s(m))$
- $\text{Vrfy}'$: on input $\langle k, s \rangle, m', t$, output 1 iff $\text{Vrfy}_k(H^s(m'), t) \stackrel{?}{=} 1$
16 Proof
- Intuitively, if an attacker can develop a message/tag pair that has not been queried before, either:
  - The attacker found a colliding message with a previously seen tag
  - The attacker forged a new tag on a new message
17 Proof Collision found
18 Proof Tag forged
19 Second example: hashing with a key
- The previous construction still requires another secure MAC in addition to a hash
- It is possible (and more efficient) to build a MAC directly from a hash function
- Could we introduce a key into the message and hash?
20 Hashing a key and a message
- Construction:
  - Gen: generate a uniformly random $k \in \{0,1\}^n$ and $s$ using $\text{Gen}_H(1^n)$
  - Mac: generate $t := H^s(k \| m)$
  - Vrfy: output 1 iff $H^s(k \| m) = t$
- Is it secure?
- Consider a Merkle-Damgård hash. How can we break this MAC?
21 A secure version: HMAC
- An industry standard, HMAC, is built on this concept
- HMAC hashes the output of the previous hash
- Incorporates additional values to reduce the assumptions required of the hash function
22 HMAC
23 Security
- Informally, HMAC can be seen as a "hash-then-mac" construction where the second MAC is for fixed-length messages
  - Note this solves the issues with using Merkle-Damgård hashes as a MAC
- The use of two pads on the inner and outer hash emulates the creation of two separate keys
  - Assuming the hash function behaves like a PRG
- Theorem statement
  - Proof is relatively involved, so we skip
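Added example (not from the original slides): a toy Merkle-Damgård hash, the key-prefix MAC of slide 20, and the HMAC layout of slides 21-23, showing why the first accepts a tag computed without the key while the second does not. The compression function (SHA-256 over state and block), the zero IV, the padding layout, and the names `md_hash`, `prefix_mac`, `hmac_md` and `extend` are assumptions of this sketch.

```python
import hashlib
import hmac

BLOCK = 64            # bytes consumed per compression call
OUT = 32              # chaining-value and digest size in bytes
IV = b"\x00" * OUT    # fixed initial chaining value (toy choice)


def compress(state: bytes, block: bytes) -> bytes:
    """Stand-in fixed-length compression function (assumption of this example)."""
    return hashlib.sha256(state + block).digest()


def md_pad(total_len: int) -> bytes:
    """Merkle-Damgard padding: 0x80, zero fill, 8-byte big-endian length."""
    zeros = -(total_len + 9) % BLOCK
    return b"\x80" + b"\x00" * zeros + total_len.to_bytes(8, "big")


def md_hash(msg: bytes, state: bytes = IV, prior_len: int = 0) -> bytes:
    """Chain compress() over msg plus padding.

    state/prior_len resume hashing from a chaining value that already
    absorbed prior_len bytes (prior_len must be a multiple of BLOCK).
    """
    data = msg + md_pad(prior_len + len(msg))
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state


def prefix_mac(key: bytes, msg: bytes) -> bytes:
    """Slide 20's construction: t := H(k || m)."""
    return md_hash(key + msg)


def hmac_md(key: bytes, msg: bytes) -> bytes:
    """HMAC layout over the same toy hash: H((k ^ opad) || H((k ^ ipad) || m))."""
    if len(key) > BLOCK:
        key = md_hash(key)
    key = key.ljust(BLOCK, b"\x00")
    inner = md_hash(bytes(b ^ 0x36 for b in key) + msg)
    return md_hash(bytes(b ^ 0x5C for b in key) + inner)


def extend(tag: bytes, absorbed_len: int, suffix: bytes):
    """Continue the chain from a published digest, without the key.

    absorbed_len is the byte length of whatever was hashed to produce tag.
    Returns (glue, new_tag): new_tag is the digest of original || glue || suffix.
    """
    glue = md_pad(absorbed_len)
    return glue, md_hash(suffix, state=tag, prior_len=absorbed_len + len(glue))


def extension_demo() -> dict:
    key = bytes(range(16))               # constructed key; never passed to extend()
    msg = b"constructed message"         # constructed sample input
    suffix = b" plus appended bytes"

    # Prefix MAC: the tag is the final chaining value, so it can be resumed.
    tag = prefix_mac(key, msg)
    glue, forged = extend(tag, len(key) + len(msg), suffix)
    prefix_ok = hmac.compare_digest(prefix_mac(key, msg + glue + suffix), forged)

    # HMAC: the same continuation applied to the outer hash (BLOCK + OUT bytes in).
    htag = hmac_md(key, msg)
    hglue, hforged = extend(htag, BLOCK + OUT, suffix)
    hmac_ok = hmac.compare_digest(hmac_md(key, msg + hglue + suffix), hforged)

    return {"prefix_mac_accepts_extended": prefix_ok,
            "hmac_accepts_extended": hmac_ok}


if __name__ == "__main__":
    print(extension_demo())
```

The outer hash in HMAC only ever takes a fixed-length input (padded key plus inner digest), so a continued chain never corresponds to a valid HMAC input; in practice use the standard library's `hmac` module rather than a hand-built one.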
24 Hashing in practice: MD5
- 128-bit output hash based on Merkle-Damgård
- Developed in 1991 and used widely
- Multiple collisions have been found, as well as techniques for generating collisions
25 Hashing in practice: SHA-X
- A family of hash functions developed starting in the early 90's
- Output lengths of 160, 256, and 512 bits
- SHA-0,1,2 all composed of special-purpose block ciphers using the Davies-Meyer compression function and the Merkle-Damgård domain extension transform
- SHA-3 developed through a NIST bake-off, does not use standard D-M compression functions or the M-D transform
  - Further study in progress
26 Attacks on hash functions
- Given these handy constructions, how difficult is "finding a collision"?
- There may be attacks that are specific to different compression functions
- A brute-force attack tries $2^L + 1$ inputs, guaranteeing a collision
- There are probabilistic attacks that are more effective than you might think
27 The Birthday Problem
- Given a group of people, we consider birthdays as "hashes of people"
- A collision happens when two people share the same birthday
- How many people are needed for the collision probability to be over 1/2?
- Let's try it!
28 The Birthday Bound
- Appendix A proves that you need roughly n people to get the collision probability to 1/2
- How many queries does this imply for our hash functions?
- How can we relate hash length to security achieved?
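Added example (not from the original slides): the birthday computation from slides 27-28 carried through, first as an exact probability and then as a measured collision search on SHA-256 truncated to a short output. The truncation, the counter-based inputs and all function names are assumptions of this sketch.

```python
import hashlib


def collision_probability(q: int, n_outputs: int) -> float:
    """Exact chance that q uniform draws from n_outputs values contain a repeat."""
    if q > n_outputs:
        return 1.0          # pigeonhole
    p_distinct = 1.0
    for i in range(q):
        p_distinct *= (n_outputs - i) / n_outputs
    return 1.0 - p_distinct


def draws_for_half(n_outputs: int) -> int:
    """Smallest q whose collision probability reaches 1/2."""
    q, p_distinct = 0, 1.0
    while 1.0 - p_distinct < 0.5:
        p_distinct *= (n_outputs - q) / n_outputs
        q += 1
    return q


def truncated_sha256(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256: a stand-in for a hash with a short output."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def birthday_search(bits: int):
    """Hash distinct inputs until two outputs match; return (x, x2, queries)."""
    seen = {}
    for counter in range(2 ** bits + 1):      # 2^bits + 1 inputs always suffice
        x = counter.to_bytes(8, "big")
        h = truncated_sha256(x, bits)
        if h in seen:
            return seen[h], x, counter + 1
        seen[h] = x
    raise RuntimeError("unreachable: pigeonhole guarantees a repeat")


def summary(bit_lengths=(16, 20, 24)):
    """For each output length: (bits, measured queries, 2^(bits/2))."""
    rows = []
    for bits in bit_lengths:
        _, _, queries = birthday_search(bits)
        rows.append((bits, queries, 2 ** (bits // 2)))
    return rows


if __name__ == "__main__":
    print("people needed for 365 birthdays:", draws_for_half(365))
    for bits, queries, scale in summary():
        print(f"{bits}-bit output: collision after {queries} queries "
              f"(2^(bits/2) = {scale})")
```

The measured query counts track the square root of the output space rather than the output space itself, which is why an output of a given bit length is credited with about half that many bits of collision resistance.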
29 Additional Applications
- Hashes are also commonly used to fingerprint files
  - Examples include malware signatures, cloud deduplication, and peer-to-peer file search
- For large numbers of files, the stored fingerprints can be combined into a Merkle tree
  - An alternative to the Merkle-Damgård construction for domain extension
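Added example (not from the original slides): combining file fingerprints into a Merkle tree and checking that one file belongs to a published root using only a logarithmic number of sibling hashes. The leaf/node prefix bytes, the rule that an unpaired node moves up unchanged, and the function names are assumptions of this sketch.

```python
import hashlib
import hmac


def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()            # 0x00 tags a leaf


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()    # 0x01 tags an inner node


def build_levels(items):
    """Return every level of the tree, leaves first; the root is levels[-1][0]."""
    if not items:
        raise ValueError("need at least one item")
    level = [leaf_hash(item) for item in items]
    levels = [level]
    while len(level) > 1:
        nxt = [node_hash(level[i], level[i + 1])
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])        # unpaired node moves up unchanged
        level = nxt
        levels.append(level)
    return levels


def inclusion_proof(levels, index: int):
    """Sibling hashes from leaf to root as (hash, sibling_is_left) pairs."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):         # no sibling means the node was promoted
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_inclusion(item: bytes, proof, root: bytes) -> bool:
    """Recompute the path from item to the root and compare in constant time."""
    value = leaf_hash(item)
    for sibling, sibling_is_left in proof:
        value = node_hash(sibling, value) if sibling_is_left else node_hash(value, sibling)
    return hmac.compare_digest(value, root)


if __name__ == "__main__":
    # Constructed stand-ins for file contents.
    files = [f"constructed file {i}".encode() for i in range(5)]
    levels = build_levels(files)
    root = levels[-1][0]
    proof = inclusion_proof(levels, 3)
    print("root:", root.hex())
    print("file 3 verifies:", verify_inclusion(files[3], proof, root))
    print("altered file verifies:", verify_inclusion(b"altered", proof, root))
```

The distinct leaf and node prefixes keep an inner node's value from being presented as a leaf.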
30 Additional Applications
- Storing hashed passwords is a common way to thwart attackers who have breached a server's repository of credentials
  - Password salting ensures that an adversary must brute force each password hash instead of maintaining a lookup table
- A hash chain uses preimage-resistance to create a chain of authentication values that can be used and discarded over time
  - E.g., RSA authentication tokens
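Added example (not from the original slides): a hash chain used for one-time authentication values, where the verifier stores only the last accepted value and each value is discarded once used. SHA-256 as the hash, the look-ahead `window` for values that never arrived, and the names `make_chain` and `ChainVerifier` are assumptions of this sketch.

```python
import hashlib
import hmac


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def make_chain(seed: bytes, n: int) -> list:
    """Return [seed, h(seed), h(h(seed)), ...] with n hash applications."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


class ChainVerifier:
    """Holds only the most recently accepted value, never the seed."""

    def __init__(self, anchor: bytes):
        self.current = anchor

    def accept(self, token: bytes, window: int = 3) -> bool:
        """Accept token if hashing it 1..window times reaches the stored value.

        window > 1 tolerates tokens that were issued but never arrived.
        """
        value = token
        for _ in range(window):
            value = h(value)
            if hmac.compare_digest(value, self.current):
                self.current = token     # earlier values are now useless
                return True
        return False


def run_demo() -> list:
    chain = make_chain(b"constructed seed", 5)   # constructed sample seed
    verifier = ChainVerifier(chain[5])           # server is given the chain's end
    return [
        ("first token", verifier.accept(chain[4])),
        ("same token replayed", verifier.accept(chain[4])),
        ("token after one was lost", verifier.accept(chain[2])),
        ("older token", verifier.accept(chain[3])),
    ]


if __name__ == "__main__":
    for label, ok in run_demo():
        print(f"{label}: {'accepted' if ok else 'rejected'}")
```

Someone who reads the verifier's stored value learns only a hash of the next token, so producing that token requires inverting the hash.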
31 Additional Applications
- Assuming high-entropy input, hash functions can be used to generate secret keys
- Commitment schemes provide a cryptographic protocol for having a party "commit" to a value that remains hidden until the commitment is "opened"
  - Must be both "hiding" and "binding"
- More (public-key) applications in the coming weeks!
32 Recap
- Hash functions map arbitrary-length strings to fixed-length outputs
- Cryptographic hashes should be collision-resistant
  - Implying preimage-resistance
- In the symmetric-key setting, hash functions are useful for building efficient MACs
- The birthday bound provides a rule of thumb for the expected concrete security of any hash function
33 Next Time...
- Fall break
- Midterm exam
  - Covers chapters 1-5
  - Open book/note
  - Please be tidy
  - Bring a calculator
34 Review: Introduction
- What is the difference between modern and ancient cryptography?
- Example schemes
  - Rotation (shift) cipher
  - Vigenere cipher
  - Monoalphabetic substitution
- Lessons learned?
35 Review: Perfect Secrecy
- Probability concepts
- Definitions of perfect secrecy
  - There are four
- The one-time pad
- Helpful rule for swapping conditional probabilities?
- What are the limitations?
36 Review: Symmetric Encryption
- Definitions
  - What assumptions make them computationally secure?
- Security levels
  - We discussed three definitions for encryption security
- Basic primitives
  - PRG
  - PRF
  - PRP
37 Review: Symmetric Encryption
- Constructions
  - Stream ciphers
  - Block ciphers
  - Block cipher modes of operation
- Pitfalls
  - Generating randomness (e.g., IVs)
  - Requirement for ALL CPA-secure schemes?
38 Review: Message Integrity
- Definitions
  - Mac-forge and Mac-sforge
- Security desired
  - Proves who created the message
  - Proves the message wasn't modified
- Not guaranteed
  - What were some attacks that we had to be concerned with?
39 Review: Message Integrity
- Constructions with PRFs
  - Basic construction
  - Extending the input size
  - Necessary addition to prevent tampering?
- Authenticated encryption
  - Two definitions required
  - Three approaches
  - Which one meets both definitions?
40 Review: Hashing
- Definitions
  - Collision-resistance
  - Target collision-resistance
  - Preimage-resistance (one-way)
- Domain extension
- MAC construction(s)
- Brute-force attacks
1 Announcements Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage 2 Recap and Overview Previous lecture: Symmetric key
More informationLecture 8 Message Authentication. COSC-260 Codes and Ciphers Adam O Neill Adapted from
Lecture 8 Message Authentication COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Setting the Stage We now have two lower-level primitives in our tool bag: blockciphers
More informationSymmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University
Symmetric-Key Cryptography Part 1 Tom Shrimpton Portland State University Building a privacy-providing primitive I want my communication with Bob to be private -- Alice What kind of communication? SMS?
More informationCryptographic Hash Functions
Cryptographic Hash Functions Cryptographic Hash Functions A cryptographic hash function takes a message of arbitrary length and creates a message digest of fixed length. Iterated Hash Function A (compression)
More informationIntroduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms
Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms Egemen K. Çetinkaya Egemen K. Çetinkaya Department of Electrical & Computer Engineering Missouri University of
More informationsymmetric cryptography s642 computer security adam everspaugh
symmetric cryptography s642 adam everspaugh ace@cs.wisc.edu computer security Announcements Midterm next week: Monday, March 7 (in-class) Midterm Review session Friday: March 4 (here, normal class time)
More informationConcrete cryptographic security in F*
Concrete cryptographic security in F* crypto hash (SHA3) INT-CMA encrypt then-mac Auth. encryption Secure RPC some some some adversary attack attack symmetric encryption (AES). IND-CMA, CCA2 secure channels
More informationBetriebssysteme und Sicherheit. Stefan Köpsell, Thorsten Strufe. Modul 5: Mechanismen Integrität
Betriebssysteme und Sicherheit Stefan Köpsell, Thorsten Strufe Modul 5: Mechanismen Integrität Disclaimer: large parts from Mark Manulis, Dan Boneh, Stefan Katzenbeisser Dresden, WS 17/18 Reprise from
More informationSpring 2010: CS419 Computer Security
Spring 2010: CS419 Computer Security MAC, HMAC, Hash functions and DSA Vinod Ganapathy Lecture 6 Message Authentication message authentication is concerned with: protecting the integrity of a message validating
More informationCryptography. Lecture 12. Arpita Patra
Cryptography Lecture 12 Arpita Patra Digital Signatures q In PK setting, privacy is provided by PKE q Integrity/authenticity is provided by digital signatures (counterpart of MACs in PK world) q Definition:
More informationLecture 6: Symmetric Cryptography. CS 5430 February 21, 2018
Lecture 6: Symmetric Cryptography CS 5430 February 21, 2018 The Big Picture Thus Far Attacks are perpetrated by threats that inflict harm by exploiting vulnerabilities which are controlled by countermeasures.
More informationSecurity Requirements
Message Authentication and Hash Functions CSCI 454/554 Security Requirements disclosure traffic analysis masquerade content modification sequence modification timing modification source repudiation destination
More informationCS-E4320 Cryptography and Data Security Lecture 5: Hash Functions
Lecture 5: Hash Functions Céline Blondeau Email: celine.blondeau@aalto.fi Department of Computer Science Aalto University, School of Science Hash Functions Birthday Paradox Design of Hash Functions SHA-3
More informationOverview. CSC 580 Cryptography and Computer Security. Hash Function Basics and Terminology. March 28, Cryptographic Hash Functions (Chapter 11)
CSC 580 Cryptography and Computer Security Cryptographic Hash Functions (Chapter 11) March 28, 2017 Overview Today: Review Homework 8 solutions Discuss cryptographic hash functions Next: Study for quiz
More informationCryptology complementary. Symmetric modes of operation
Cryptology complementary Symmetric modes of operation Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 05 03 Symmetric modes 2018 05 03
More informationGeneric collision attacks on hash-functions and HMAC
Generic collision attacks on hash-functions and HMAC Chris Mitchell Royal Holloway, University of London 1 Agenda 1. Hash-functions and collision attacks 2. Memoryless strategy for finding collisions 3.
More informationJaap van Ginkel Security of Systems and Networks
Jaap van Ginkel Security of Systems and Networks November 17, 2016 Part 3 Modern Crypto SSN Modern Cryptography Hashes MD5 SHA Secret key cryptography AES Public key cryptography DES Presentations Minimum
More information9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng Basic concepts in cryptography systems Secret cryptography Public cryptography 1 2 Encryption/Decryption Cryptanalysis
More informationCSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography
CSCI 454/554 Computer and Network Security Topic 2. Introduction to Cryptography Outline Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues 2 Basic Concepts and Definitions
More informationChapter 11 Message Integrity and Message Authentication
Chapter 11 Message Integrity and Message Authentication Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 11.1 Chapter 11 Objectives To define message integrity
More informationCryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Outline Basic concepts in cryptography systems Secret key cryptography Public key cryptography Hash functions 2 Encryption/Decryption
More informationCS155. Cryptography Overview
CS155 Cryptography Overview Cryptography Is n n A tremendous tool The basis for many security mechanisms Is not n n n n The solution to all security problems Reliable unless implemented properly Reliable
More informationHomework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING
UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING ENEE 457 Computer Systems Security Instructor: Charalampos Papamanthou Homework 2 Out: 09/23/16 Due: 09/30/16 11:59pm Instructions
More informationCSC 580 Cryptography and Computer Security
CSC 580 Cryptography and Computer Security Cryptographic Hash Functions (Chapter 11) March 22 and 27, 2018 Overview Today: Quiz (based on HW 6) Graded HW 2 due Grad/honors students: Project topic selection
More informationV.Sorge/E.Ritter, Handout 6
06-20008 Cryptography The University of Birmingham Autumn Semester 2015 School of Computer Science V.Sorge/E.Ritter, 2015 Handout 6 Summary of this handout: Cryptographic Hash Functions Merkle-Damgård
More informationCIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm
CIS 4360 Introduction to Computer Security Fall 2010 WITH ANSWERS in bold Name:.................................... Number:............ First Midterm Instructions This is a closed-book examination. Maximum
More informationCryptography: More Primitives
Design and Analysis of Algorithms May 8, 2015 Massachusetts Institute of Technology 6.046J/18.410J Profs. Erik Demaine, Srini Devadas and Nancy Lynch Recitation 11 Cryptography: More Primitives 1 Digital
More informationSummary on Crypto Primitives and Protocols
Summary on Crypto Primitives and Protocols Levente Buttyán CrySyS Lab, BME www.crysys.hu 2015 Levente Buttyán Basic model of cryptography sender key data ENCODING attacker e.g.: message spatial distance
More informationStudy Guide for the Final Exam
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Handout #22 Professor M. J. Fischer April 30, 2005 1 Exam Coverage Study Guide for the Final Exam The final
More informationCryptography. and Network Security. Lecture 0. Manoj Prabhakaran. IIT Bombay
Cryptography and Network Security Lecture 0 Manoj Prabhakaran IIT Bombay Security In this course: Cryptography as used in network security Humans, Societies, The World Network Hardware OS Libraries Programs
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 15 February 29, 2012 CPSC 467b, Lecture 15 1/65 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending
More informationLecture 4: Hashes and Message Digests,
T-79.159 Cryptography and Data Security Lecture 4: Hashes and Message Digests Helsinki University of Technology mjos@tcs.hut.fi 1 Cryptographic hash functions Maps a message M (a bit string of arbitrary
More informationCOMP4109 : Applied Cryptography
COMP4109 : Applied Cryptography Fall 2013 M. Jason Hinek Carleton University Applied Cryptography Day 8 (and maybe 9) secret-key primitives Message Authentication Codes Pseudorandom number generators 2
More informationChapter 12 : Digital Signature Schemes
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 12 : Digital Signature Schemes 1 Chapter 12 Digital Signature Schemes Apologies: all numbering
More informationOutline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing
Outline CSCI 454/554 Computer and Network Security Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues Topic 2. Introduction to Cryptography 2 Cryptography Basic Concepts
More informationCRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext
CRYPTOLOGY CRYPTOGRAPHY KEY MANAGEMENT CRYPTANALYSIS Cryptanalytic Brute-Force Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext 58 Types of Cryptographic Private key (Symmetric) Public
More informationSolutions to exam in Cryptography December 17, 2013
CHALMERS TEKNISKA HÖGSKOLA Datavetenskap Daniel Hedin DIT250/TDA351 Solutions to exam in Cryptography December 17, 2013 Hash functions 1. A cryptographic hash function is a deterministic function that
More informationSecurity Analysis of Extended Sponge Functions. Thomas Peyrin
Security Analysis of Extended Sponge Functions Hash functions in cryptology: theory and practice Leiden, Netherlands Orange Labs University of Versailles June 4, 2008 Outline 1 The Extended Sponge Functions
More informationOverview of Cryptography
18739A: Foundations of Security and Privacy Overview of Cryptography Anupam Datta CMU Fall 2007-08 Is Cryptography A tremendous tool The basis for many security mechanisms Is not The solution to all security
More informationLecture 10, Zero Knowledge Proofs, Secure Computation
CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last
More informationGoals of Modern Cryptography
Goals of Modern Cryptography Providing information security: Data Privacy Data Integrity and Authenticity in various computational settings. Data Privacy M Alice Bob The goal is to ensure that the adversary
More informationLecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model
CMSC 858K Advanced Topics in Cryptography March 11, 2004 Lecturer: Jonathan Katz Lecture 14 Scribe(s): Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze 1 A Note on Adaptively-Secure NIZK A close look
More informationFurther Analysis of a Proposed Hash-Based Signature Standard
Further Analysis of a Proposed Hash-Based Signature Standard Scott Fluhrer Cisco Systems, USA sfluhrer@cisco.com Abstract. We analyze the concrete security of a hash-based signature scheme described in
More informationECE 646 Fall 2009 Final Exam December 15, Multiple-choice test
ECE 646 Fall 2009 Final Exam December 15, 2009 Multiple-choice test 1. (1 pt) Parallel processing can be used to speed up the following cryptographic transformations (please note that multiple answers
More informationLecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS
Lecture 5 Cryptographic Hash Functions Read: Chapter 5 in KPS 1 Purpose CHF one of the most important tools in modern cryptography and security In crypto, CHF instantiates a Random Oracle paradigm In security,
More informationUNIT - IV Cryptographic Hash Function 31.1
UNIT - IV Cryptographic Hash Function 31.1 31-11 SECURITY SERVICES Network security can provide five services. Four of these services are related to the message exchanged using the network. The fifth service
More informationAuthenticated encryption
Authenticated encryption Mac forgery game M {} k R 0,1 s m t M M {m } t mac k (m ) Repeat as many times as the adversary wants (m, t) Wins if m M verify m, t = 1 Mac forgery game Allow the adversary to
More informationECE 646 Lecture 11. Hash functions & MACs. Digital Signature. message. hash. function. Alice. Bob. Alice s public key. Alice s private key
ECE 646 Lecture 11 Hash functions & MACs Digital Signature Alice Message Signature Message Signature Bob Hash function Hash function Hash value Public key algorithm yes Hash value 1 Hash value 2 no Public
More informationLecture 1 Applied Cryptography (Part 1)
Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication
More informationCryptography and Network Security
Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 14: Folklore, Course summary, Exam requirements Ion Petre Department of IT, Åbo Akademi University 1 Folklore on
More information