P. Lafourcade, Lecture Note 05, Date: , Security models, 1st Semester 2008/2009
Authors: MANGEOT Guillaume, ROJAT Antoine, THARAUD Jérémie

Contents
1 Block Cipher Modes
1.1 Electronic Codebook (ECB) [Dwo01]
1.2 Cipher Block Chaining (CBC) [Dwo01]
1.3 Cipher Feedback Mode (CFB) [Dwo01]
1.4 Output Feedback Mode (OFB) [Dwo01]
2 Attack on ECB
2.1 The symmetric encryption scheme
2.2 Adversary
3 Attack on CBC
3.1 Security
3.2 Attack on CBC: Initial value weakness regarding Indistinguishability
3.2.1 Recalls
3.2.2 Attack on weak IV
3.2.3 Conclusion
4 Hybrid encryption
4.1 Goals
4.2 Mechanism
4.3 Security
5 Hash Functions
5.1 Main idea
6 OAEP
6.1 Main idea
6.2 Description
6.2.1 Encryption
6.2.2 Decryption
7 Exercise correction
References
1 Block Cipher Modes

A block cipher is a symmetric key cipher operating on fixed-length groups of bits, called blocks, with an unvarying transformation. Because messages may be of any length, and because encrypting the same plaintext block under the same key always produces the same output, several modes of operation exist which allow block ciphers to provide confidentiality for messages of arbitrary length.

1.1 Electronic Codebook (ECB) [Dwo01]

In ECB encryption, the forward cipher function (Block Cipher Encryption) is applied directly and independently to each block of the plaintext. The resulting sequence of output blocks is the ciphertext. In ECB decryption, the inverse cipher function (Block Cipher Decryption) is applied directly and independently to each block of the ciphertext. The resulting sequence of output blocks is the plaintext. In ECB encryption and ECB decryption, multiple forward cipher functions and inverse cipher functions can be computed in parallel.

The disadvantage of this method is that identical plaintext blocks are encrypted into identical ciphertext blocks. It is insecure and should not be used where this property is undesirable.
1.2 Cipher Block Chaining (CBC) [Dwo01]

In the cipher block chaining mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. The first block of the message is XORed with an initial value (IV).

CBC encryption:
$C_0 = IV$
$C_i = E_k(P_i \oplus C_{i-1})$

In CBC encryption, the input block to each forward cipher operation (except the first) depends on the result of the previous forward cipher operation, so the forward cipher operations cannot be performed in parallel.

CBC decryption:
$C_0 = IV$
$P_i = D_k(C_i) \oplus C_{i-1}$

In CBC decryption, the input blocks for the inverse cipher function are immediately available, so multiple inverse cipher operations can be performed in parallel. CBC is the most commonly used mode of operation.
1.3 Cipher Feedback Mode (CFB) [Dwo01]

The Cipher Feedback mode is a confidentiality mode that feeds successive ciphertext segments back into the input blocks of the forward cipher to generate output blocks, which are XORed with the plaintext to produce the ciphertext, and vice versa. This mode is a close relative of CBC:
$C_0 = IV$
$C_i = E_k(C_{i-1}) \oplus P_i$
$P_i = E_k(C_{i-1}) \oplus C_i$

In CFB encryption, as in CBC encryption, the input block to each forward cipher function (except the first) depends on the result of the previous forward cipher function; therefore, multiple forward cipher operations cannot be performed in parallel. In CFB decryption, the required forward cipher operations can be performed in parallel if the input blocks are first constructed (in series) from the IV and the ciphertext. Compared to CBC mode, CFB mode is more resistant to the introduction of errors.
1.4 Output Feedback Mode (OFB) [Dwo01]

The output feedback mode turns a block cipher into a synchronous stream cipher: it generates keystream blocks, which are then XORed with the plaintext blocks to get the ciphertext.

Algorithm:
$O_0 = IV$
$O_i = E_k(O_{i-1})$
$C_i = P_i \oplus O_i$
$P_i = C_i \oplus O_i$

Encryption and decryption are the same operation because of the symmetry of XOR. In both OFB encryption and OFB decryption, each forward cipher function (except the first) depends on the result of the previous forward cipher function; therefore, multiple forward cipher functions cannot be performed in parallel. The OFB mode requires a unique IV for every message that is ever encrypted under the given key. If not, the confidentiality of those messages may be compromised. Confidentiality may also be compromised if any of the input blocks to the forward cipher function for the encryption of a message is designated as the IV for the encryption of another message under the given key. Changing a bit in the ciphertext changes a bit in the plaintext at the same location, so many error correcting codes function normally, even when applied before encryption.

2 Attack on ECB

2.1 The symmetric encryption scheme

The encryption function of the scheme is $E : K \times \{0,1\}^n \to \{0,1\}^n$. The symmetric encryption scheme is $(K, E, D)$. This scheme encrypts blocks of $n$ bits.

2.2 Adversary

The left-right function is
$LR(x, y, b) = x$ if $b = 1$, $y$ if $b = 0$.

We will build an adversary $A$ with a high IND-CPA advantage. According to the description of ECB, if two blocks of the plaintext are identical, ECB produces two identical ciphertext blocks. So we choose the two messages $0^n 0^n$ and $0^n 1^n$. The adversary is the following:

Adversary $A^{E_K(LR(\cdot,\cdot,b))}$:
  $m_0 \leftarrow 0^n 0^n$
  $m_1 \leftarrow 0^n 1^n$
  $C \leftarrow E_K(LR(m_0, m_1, b))$  {the message $C$ is composed of two blocks of $n$ bits, $C_0$ and $C_1$}
  if $C_0 = C_1$ then $b' \leftarrow 1$ else $b' \leftarrow 0$
  return $b'$

We will now prove the following assertion: $\mathrm{Adv}^{\text{IND-CPA}}(A) = 1$. By definition we have
$\mathrm{Adv}^{\text{IND-CPA}}(A) = \Pr[\mathrm{Exp}^{\text{IND-CPA}}_1(A) = 1] - \Pr[\mathrm{Exp}^{\text{IND-CPA}}_0(A) = 1]$.
If $b = 1$ then the encryption returns $C = E_K(0^n) \,\|\, E_K(0^n)$. So we have $C_0 = C_1$ and the adversary will return 1.
If $b = 0$ then the encryption returns $C = E_K(0^n) \,\|\, E_K(1^n)$. So we have $C_0 \neq C_1$ and the adversary will return 0. That is why we have $\Pr[\mathrm{Exp}^{\text{IND-CPA}}_1(A) = 1] = 1$ and $\Pr[\mathrm{Exp}^{\text{IND-CPA}}_0(A) = 1] = 0$, hence $\mathrm{Adv}^{\text{IND-CPA}}(A) = 1$.

The previous assertion shows that the ECB scheme is insecure. That is why it should not be used for designing cryptosystems. For an amusing example of the ECB weakness see sharmaarchive blockciphers-simple-attack-on-ecb-mode.aspx.

3 Attack on CBC

3.1 Security

The CBC design for symmetric encryption seems more secure than ECB. Indeed, each ciphertext block mixes what has been encrypted before, the key and the current plaintext block. More or less, this ensures that a given ciphertext block depends on every previous block. But for the first step of the encryption, we need to choose an initial value (IV). This choice has to be made very carefully. Indeed, the next section describes an attack based on a property of the IV.

3.2 Attack on CBC: Initial value weakness regarding Indistinguishability

3.2.1 Recalls

The CBC scheme encrypts a block as follows: $C_i = E_k(P_i \oplus C_{i-1})$ for $i \ge 1$, and $C_0 = IV$.
3.2.2 Attack on weak IV

The attack is based on a predictable initial value. To simplify, we consider that the first IV ($IV_0$) is 0 and that each time we encrypt a new message, $IV_{i+1} \leftarrow IV_i + 1$. The plaintexts are of size $2n$: $M_i = m_{i,0} . m_{i,1}$. The adversary we will use is the following:

Adversary $A^{E_K(LR(\cdot,\cdot,b))}$:
  $m_{1,0} \leftarrow 0^n$
  $m_{1,1} \leftarrow 0^n$
  $m_{2,0} \leftarrow 0^n$
  $m_{2,1} \leftarrow 0^{n-1}1$
  $\langle IV_1, C_1 \rangle \xleftarrow{r} E_K(LR(m_{1,0}, m_{2,0}, b))$
  $\langle IV_2, C_2 \rangle \xleftarrow{r} E_K(LR(m_{1,1}, m_{2,1}, b))$
  if $C_1 = C_2$ then $b' \leftarrow 0$ else $b' \leftarrow 1$
  return $b'$

We will now prove that $\mathrm{Adv}^{\text{IND-CPA}}(A) = 1$.

Remark: we need to show that the adversary's algorithm is deterministic and that it outputs the correct answer. Let us compute the two following probabilities: $\Pr[\mathrm{Exp}^{\text{IND-CPA}}_1(A) = 1]$ and $\Pr[\mathrm{Exp}^{\text{IND-CPA}}_0(A) = 1]$.

Case $b = 1$ (this is $\Pr[\mathrm{Exp}^{\text{IND-CPA}}_1(A) = 1]$): we encrypt $m_{1,0}$ and then $m_{1,1}$:
$C_1 = E_K(IV_1 \oplus m_{1,0}) = E_K(0 \oplus 0) = E_K(0)$
$C_2 = E_K(IV_2 \oplus m_{1,1}) = E_K(1 \oplus 0) = E_K(1)$
So we obtain $C_1 \neq C_2$ and the adversary answers 1.

Case $b = 0$ (this is $\Pr[\mathrm{Exp}^{\text{IND-CPA}}_0(A) = 1]$): we encrypt $m_{2,0}$ and then $m_{2,1}$:
$C_1 = E_K(IV_1 \oplus m_{2,0}) = E_K(0 \oplus 0) = E_K(0)$
$C_2 = E_K(IV_2 \oplus m_{2,1}) = E_K(1 \oplus 1) = E_K(0)$
So we obtain $C_1 = C_2$ and the adversary answers 0.

We conclude that $\Pr[\mathrm{Exp}^{\text{IND-CPA}}_1(A) = 1] = 1$ and $\Pr[\mathrm{Exp}^{\text{IND-CPA}}_0(A) = 1] = 0$. This proves the assertion.
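The four modes of Section 1 and the two distinguishers of Sections 2 and 3, as an added worked example that is not part of the lecture note. It assumes a constructed toy Feistel block cipher built from SHA-256 in place of a real $E_K$ (16-byte blocks, no padding), an IND-CPA oracle whose CBC IV is a counter starting at 0, and, going beyond the note, the same oracle with a random IV so that the mitigation can be measured with the same adversary. The names (E, D, CbcOracle, advantage, ...) are this example's own.

```python
import hashlib
import os

BLOCK = 16  # block size in bytes: n = 128 bits (constructed choice)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    # Round function of the constructed toy cipher: SHA-256 keyed by (key, round number).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in rounds:
        l, r = r, xor(l, _round(key, r, rnd))
    return r + l  # final swap: the same loop run with reversed rounds is the inverse

def E(key: bytes, block: bytes) -> bytes:   # forward cipher function E_K (a permutation)
    return _feistel(key, block, range(8))

def D(key: bytes, block: bytes) -> bytes:   # inverse cipher function D_K
    return _feistel(key, block, range(7, -1, -1))

def blocks(data: bytes):
    assert len(data) % BLOCK == 0, "the modes below take whole blocks; no padding is done"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

# --- Section 1: the four modes, written directly from the note's equations ---
def ecb_encrypt(key, pt): return b"".join(E(key, p) for p in blocks(pt))
def ecb_decrypt(key, ct): return b"".join(D(key, c) for c in blocks(ct))

def cbc_encrypt(key, iv, pt):           # C_0 = IV, C_i = E_K(P_i xor C_{i-1})
    out, prev = [], iv
    for p in blocks(pt):
        prev = E(key, xor(p, prev)); out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):           # P_i = D_K(C_i) xor C_{i-1}
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(D(key, c), prev)); prev = c
    return b"".join(out)

def cfb_encrypt(key, iv, pt):           # C_i = E_K(C_{i-1}) xor P_i
    out, prev = [], iv
    for p in blocks(pt):
        prev = xor(E(key, prev), p); out.append(prev)
    return b"".join(out)

def cfb_decrypt(key, iv, ct):           # P_i = E_K(C_{i-1}) xor C_i (forward cipher only)
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(E(key, prev), c)); prev = c
    return b"".join(out)

def ofb_crypt(key, iv, data):           # O_i = E_K(O_{i-1}); C_i = P_i xor O_i; decryption is identical
    out, o = [], iv
    for d in blocks(data):
        o = E(key, o); out.append(xor(d, o))
    return b"".join(out)

# --- Section 2: the IND-CPA adversary against ECB ---
def LR(x, y, b):                        # the note's convention: x if b = 1, y if b = 0
    return x if b == 1 else y

def ecb_adversary(key, b):
    m0 = bytes(2 * BLOCK)                        # 0^n 0^n
    m1 = bytes(BLOCK) + b"\xff" * BLOCK          # 0^n 1^n
    c0, c1 = blocks(ecb_encrypt(key, LR(m0, m1, b)))
    return 1 if c0 == c1 else 0                  # equal blocks mean the left message, i.e. b = 1

# --- Section 3: CBC with a predictable (counter) IV, and with a random IV for contrast ---
class CbcOracle:
    def __init__(self, key, b, random_iv=False):
        self.key, self.b, self.random_iv, self.ctr = key, b, random_iv, 0
    def encrypt(self, m_left, m_right):
        iv = os.urandom(BLOCK) if self.random_iv else self.ctr.to_bytes(BLOCK, "big")
        self.ctr += 1                            # IV_0 = 0, IV_{i+1} = IV_i + 1
        return iv, cbc_encrypt(self.key, iv, LR(m_left, m_right, self.b))

def cbc_iv_adversary(oracle):
    zero, one = bytes(BLOCK), bytes(BLOCK - 1) + b"\x01"   # 0^n and 0^{n-1}1
    _, c1 = oracle.encrypt(zero, zero)           # LR(m_{1,0}, m_{2,0}, b)
    _, c2 = oracle.encrypt(zero, one)            # LR(m_{1,1}, m_{2,1}, b)
    return 0 if c1 == c2 else 1

def advantage(run, trials=20):
    # Adv = Pr[Exp_1(A) = 1] - Pr[Exp_0(A) = 1], estimated over fresh random keys
    p1 = sum(run(os.urandom(BLOCK), 1) for _ in range(trials)) / trials
    p0 = sum(run(os.urandom(BLOCK), 0) for _ in range(trials)) / trials
    return p1 - p0

def ecb_advantage(): return advantage(ecb_adversary)
def cbc_counter_iv_advantage(): return advantage(lambda k, b: cbc_iv_adversary(CbcOracle(k, b)))
def cbc_random_iv_advantage(): return advantage(lambda k, b: cbc_iv_adversary(CbcOracle(k, b, True)))

if __name__ == "__main__":
    print("ECB:", ecb_advantage(), "CBC counter IV:", cbc_counter_iv_advantage(),
          "CBC random IV:", cbc_random_iv_advantage())
```

Because the toy cipher is a permutation, distinct inputs give distinct outputs, so both distinguishers reach advantage exactly 1 against the counter IV, while the same CBC adversary gets advantage 0 once the IV is drawn at random: the ciphertext blocks it compares are then $E_K(IV_1)$ and $E_K(IV_2 \oplus m)$, which coincide only if $IV_1 = IV_2 \oplus m$.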
3.2.3 Conclusion

The mechanism of this attack can be generalized: we only need to know how the IV evolves and to adapt the chosen plaintexts accordingly. That is why the IV must be chosen very carefully.

4 Hybrid encryption

4.1 Goals

The idea of hybrid encryption schemes is to combine the advantages of the symmetric and the asymmetric cryptosystems:
- speed, from the symmetric cryptosystem;
- security, from the asymmetric cryptosystem.

4.2 Mechanism

We consider two cryptosystems: a symmetric one, $\mathcal{E}^S = (K^S, E^S_K, D^S_K)$, and an asymmetric one, $\mathcal{E}^A = (K^A, E^A_{pk}, D^A_{sk})$, with key pair $(pk, sk)$. We use these two cryptosystems to build HE:

Encryption $E^{HE}$:
  Input: $M$
  $K \leftarrow K^S$
  $C_S \leftarrow E^S_K(M)$
  $C_A \leftarrow E^A_{pk}(K)$
  $C \leftarrow (C_A, C_S)$
  return $C$

The symmetric key used for fast encryption is encrypted with the (secure) asymmetric cryptosystem, and the plaintext is encrypted with the (fast) symmetric encryption scheme.

Decryption $D^{HE}$:
  Input: $C$
  $(C_A, C_S) \leftarrow parse(C)$
  $K \leftarrow D^A_{sk}(C_A)$
  $M \leftarrow D^S_K(C_S)$
  return $M$

The receiver retrieves the key used for fast encryption/decryption by decrypting the asymmetric part of the ciphertext, and is then able to decrypt the rest of the ciphertext efficiently with the symmetric cryptosystem.

Remark: the receiver and the sender need to agree on the size of the asymmetric part of the ciphertext.
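The HE mechanism of Section 4.2, as an added worked example that is not part of the lecture note. Both building blocks are constructed stand-ins: $\mathcal{E}^A$ is textbook RSA over two fixed Mersenne primes (deterministic, so not IND-CPA by itself; a deployed scheme pads the key, e.g. with OAEP from Section 6), and $\mathcal{E}^S$ is XOR with a SHA-256 counter keystream. The point shown is the one the remark makes: the size of $C_A$ is fixed by the modulus, and that is what lets the receiver parse $C$.

```python
import hashlib
import os
from math import gcd

# Toy asymmetric scheme E^A: textbook RSA with constructed parameters (not for real use).
P = 2**89 - 1            # Mersenne prime M89
Q = 2**107 - 1           # Mersenne prime M107
N = P * Q
E_PUB = 65537
N_BYTES = (N.bit_length() + 7) // 8   # the agreed size of the asymmetric part C_A
KEY_BYTES = 16                        # size of the symmetric key K

def keygen_asym():
    phi = (P - 1) * (Q - 1)
    assert gcd(E_PUB, phi) == 1
    return (N, E_PUB), (N, pow(E_PUB, -1, phi))   # (pk, sk)

def enc_asym(pk, k: bytes) -> bytes:             # E^A_pk(K): fixed-size output
    n, e = pk
    m = int.from_bytes(k, "big")
    assert m < n
    return pow(m, e, n).to_bytes(N_BYTES, "big")

def dec_asym(sk, c_a: bytes) -> bytes:           # D^A_sk(C_A)
    n, d = sk
    return pow(int.from_bytes(c_a, "big"), d, n).to_bytes(KEY_BYTES, "big")

# Toy symmetric scheme E^S: XOR with a SHA-256 counter keystream (constructed).
def keygen_sym() -> bytes:                       # K^S
    return os.urandom(KEY_BYTES)

def _keystream(k: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(k + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:length]

def enc_sym(k: bytes, m: bytes) -> bytes:        # E^S_K(M)
    return bytes(a ^ b for a, b in zip(m, _keystream(k, len(m))))

dec_sym = enc_sym                                # D^S_K(C_S): XOR is its own inverse

# Hybrid scheme HE, built step by step as in Section 4.2.
def he_encrypt(pk, m: bytes) -> bytes:
    k = keygen_sym()                 # K <- K^S
    c_s = enc_sym(k, m)              # C_S <- E^S_K(M)
    c_a = enc_asym(pk, k)            # C_A <- E^A_pk(K)
    return c_a + c_s                 # C <- (C_A, C_S): fixed-size C_A first, then C_S

def he_decrypt(sk, c: bytes) -> bytes:
    c_a, c_s = c[:N_BYTES], c[N_BYTES:]   # parse(C): the receiver knows the agreed size N_BYTES
    k = dec_asym(sk, c_a)            # K <- D^A_sk(C_A)
    return dec_sym(k, c_s)           # M <- D^S_K(C_S)

if __name__ == "__main__":
    pk, sk = keygen_asym()
    c = he_encrypt(pk, b"constructed plaintext")
    print(len(c), he_decrypt(sk, c))
```

Note that nothing here authenticates $C$: a modified $C_A$ decrypts to some other $K$ and the symmetric part then yields garbage without any error, which is why practical hybrid constructions pair the symmetric part with a MAC or an authenticated mode, as the hybrid and KEM/DEM treatments in [HK07] discuss.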
4.3 Security

The security of the hybrid encryption scheme relies on the security of the symmetric and the asymmetric encryption schemes used to build it. The idea of the formalism regarding the security of such schemes is the following:
$\mathrm{Security}(HE) \le \mathrm{Security}(HE^S) + \mathrm{Security}(HE^A)$

For example, we can prove the following property: if $\mathcal{E}^A$ and $\mathcal{E}^S$ are both secure against chosen-plaintext attack, then HE is also secure against chosen-plaintext attack.

Let $B$ be an IND-CPA adversary attacking HE. Then there exist IND-CPA adversaries $A_{00,01}$ and $A_{11,10}$ attacking the asymmetric scheme, and an adversary $A$ attacking the symmetric scheme, such that the bound derived below holds.

We will use the following notation: $P(\alpha, \beta) = \Pr[\mathrm{Exp}^{\alpha\beta}_{HE}(B) = 1]$. We have
$\mathrm{Adv}^{\text{IND-CPA}}_{HE}(B) = P(1,0) - P(0,0)$
and
$P(1,0) - P(0,0) = [P(1,0) - P(1,1)] + [P(1,1) - P(0,1)] + [P(0,1) - P(0,0)]$.
Using the definitions of the different advantages, we obtain:
1. $\mathrm{Adv}^{\text{IND-CPA}}_{A}(A_{11,10}) \ge P(1,0) - P(1,1)$
2. $\mathrm{Adv}^{\text{IND-CPA}}_{S}(A) \ge P(1,1) - P(0,1)$
3. $\mathrm{Adv}^{\text{IND-CPA}}_{A}(A_{00,01}) \ge P(0,1) - P(0,0)$
This leads to the conclusion. From the previous inequalities we have
$\mathrm{Adv}^{\text{IND-CPA}}_{HE}(B) \le \mathrm{Adv}^{\text{IND-CPA}}_{A}(A_{11,10}) + \mathrm{Adv}^{\text{IND-CPA}}_{S}(A) + \mathrm{Adv}^{\text{IND-CPA}}_{A}(A_{00,01})$.
As we supposed that $\mathcal{E}^A$ and $\mathcal{E}^S$ are secure, $\mathrm{Adv}^{\text{IND-CPA}}_{HE}(B)$ is negligible and HE is secure. For further details you may look at [HK07] and [EHHA99] (the second one is not freely available).

5 Hash Functions

5.1 Main idea

A cryptographic hash function takes as input an arbitrary block of data and returns a fixed-size bit string, by two means:
- padding;
- compressing.

A cryptographic hash function should respect:
- it cannot be inverted (preimage resistance);
- another source with the same image cannot be found (second preimage resistance);
- it is collision free (collision resistance);
- it is non-malleable: it does not preserve the structure of the source.

Cryptographic hash functions are useful to:
- build an all-or-nothing transform;
- build zero-knowledge protocols;
- build one-way algorithms in general;
- sign.

6 OAEP

6.1 Main idea

As a padding algorithm, its first aim is to extend the message to the maximum determined size with random additions. This is useful for an algorithm which needs a fixed input size, and it does so without adding redundancy in the plaintext. Its scheme looks like a Feistel scheme using two hash functions. But there are two other valuable properties:
1. the added randomness converts the deterministic encryption scheme into a probabilistic scheme;
2. it prevents partial decryption of ciphertexts (or other information leakage) by ensuring that nobody can recover any portion of the plaintext without being able to invert the trapdoor one-way permutation.
This last property allows the OAEP algorithm to be used to build an all-or-nothing transform.

6.2 Description

- $M$ is the plaintext message;
- $G$ and $H$ are two hash functions;
- $r$ is a random nonce (seed).
6.2.1 Encryption

$OAEP(M) = (M \oplus G(r)) \,\|\, (r \oplus H(M \oplus G(r)))$

6.2.2 Decryption

Write the ciphertext as $c_1 \,\|\, c_2$, with $c_1 = M \oplus G(r)$ and $c_2 = r \oplus H(c_1)$. Then $r = H(c_1) \oplus c_2$ and
$M = c_1 \oplus G(H(c_1) \oplus c_2)$.

For more information, you should see [BR95], [Sho01], [FOPS00] and [PV06].

7 Exercise correction

Soon available.
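The OAEP transform of Section 6.2, as an added worked example that is not part of the lecture note. It instantiates $G$ and $H$ with a constructed MGF1-style expansion of SHA-256 (G stretches the 16-byte seed $r$ to the message length, H hashes $M \oplus G(r)$ down to the seed length), and checks the all-or-nothing property from Section 6.1 by flipping one bit of $c_2$ and counting how many bytes of the decoded message change. The names (mgf, oaep_encode, oaep_decode, all_or_nothing_demo) are this example's own; the PKCS#1 variant used with RSA additionally embeds a label hash and a separator so that tampering is detected rather than silently producing garbage.

```python
import hashlib
import os

R_LEN = 16  # length of the random seed r in bytes (constructed choice)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mgf(seed: bytes, length: int) -> bytes:
    # MGF1-style expansion with SHA-256: counter-mode hashing of the seed to any length.
    out = b""
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
    return out[:length]

def G(r: bytes, length: int) -> bytes:   # expands the seed to the message length
    return mgf(r, length)

def H(x: bytes) -> bytes:                # hashes the masked message down to the seed length
    return mgf(x, R_LEN)

def oaep_encode(m: bytes, r: bytes = None) -> bytes:
    r = os.urandom(R_LEN) if r is None else r
    assert len(r) == R_LEN
    c1 = xor(m, G(r, len(m)))            # M xor G(r)
    c2 = xor(r, H(c1))                   # r xor H(M xor G(r))
    return c1 + c2                       # OAEP(M) = c1 || c2

def oaep_decode(c: bytes) -> bytes:
    if len(c) <= R_LEN:
        raise ValueError("ciphertext shorter than the seed")
    c1, c2 = c[:-R_LEN], c[-R_LEN:]
    r = xor(H(c1), c2)                   # r = H(c1) xor c2
    return xor(c1, G(r, len(c1)))        # M = c1 xor G(H(c1) xor c2)

def bytes_differing(a: bytes, b: bytes) -> int:
    return sum(x != y for x, y in zip(a, b))

def all_or_nothing_demo(m: bytes) -> int:
    # Flip a single bit of c2: r is recovered wrongly, G(r) is unrelated, and
    # essentially every byte of the decoded message changes, not just one.
    c = bytearray(oaep_encode(m))
    c[-1] ^= 0x01
    return bytes_differing(m, oaep_decode(bytes(c)))

if __name__ == "__main__":
    msg = bytes(range(32))               # constructed 32-byte message
    print(oaep_decode(oaep_encode(msg)) == msg, all_or_nothing_demo(msg))
```

The decode step never fails on its own: this is the plain Bellare-Rogaway transform, and it is the surrounding trapdoor permutation and the padding-format check of a full scheme, not this masking, that give chosen-ciphertext resistance.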
References

[BR95] M. Bellare and P. Rogaway. Optimal Asymmetric Encryption: How to encrypt with RSA. Extended abstract in Advances in Cryptology - Eurocrypt 94 Proceedings, LNCS Vol. 950, Springer-Verlag.
[Dwo01] Morris Dworkin. Recommendation for block cipher modes of operation. NIST Special Publication 800-38A, 2001.
[EHHA99] Mahmoud Taher El-Hadidi, Nadia Hamed Hegazi, and Heba Kamal Aslan. Performance evaluation of a new hybrid encryption protocol for authentication and key distribution. Proceedings of the IEEE Symposium on Computers and Communications.
[FOPS00] Eiichiro Fujisaki, Tatsuaki Okamoto, David Pointcheval, and Jacques Stern. RSA-OAEP is secure under the RSA assumption. Cryptology ePrint Archive, Report 2000/061.
[HK07] Dennis Hofheinz and Eike Kiltz. Secure hybrid encryption from weakened key encapsulation. In Alfred Menezes, editor, CRYPTO, Lecture Notes in Computer Science. Springer.
[PV06] P. Paillier and J. Villar. Trading one-wayness against chosen-ciphertext security in factoring-based encryption.
[Sho01] Victor Shoup. OAEP reconsidered. September.
More informationBCA III Network security and Cryptography Examination-2016 Model Paper 1
Time: 3hrs BCA III Network security and Cryptography Examination-2016 Model Paper 1 M.M:50 The question paper contains 40 multiple choice questions with four choices and student will have to pick the correct
More informationMcOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes
McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes Ewan Fleischmann Christian Forler Stefan Lucks Bauhaus-Universität Weimar FSE 2012 Fleischmann, Forler, Lucks. FSE 2012. McOE:
More informationLecture 8. 1 Some More Security Definitions for Encryption Schemes
U.C. Berkeley CS276: Cryptography Lecture 8 Professor David Wagner February 9, 2006 Lecture 8 1 Some More Security Definitions for Encryption Schemes 1.1 Real-or-random (rr) security Real-or-random security,
More informationIntroduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers
Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers Stream Ciphers Start with a secret key ( seed ) Generate a keying stream i-th bit/byte of keying stream is a function
More informationEncryption from the Diffie-Hellman assumption. Eike Kiltz
Encryption from the Diffie-Hellman assumption Eike Kiltz Elliptic curve public-key crypto Key-agreement Signatures Encryption Diffie-Hellman 76 passive security ElGamal 84 passive security Hybrid DH (ECDH)
More informationLecture 1: Course Introduction
Lecture 1: Course Introduction Thomas Johansson T. Johansson (Lund University) 1 / 37 Chapter 9: Symmetric Key Distribution To understand the problems associated with managing and distributing secret keys.
More informationNetwork Security Essentials Chapter 2
Network Security Essentials Chapter 2 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Encryption What is encryption? Why do we need it? No, seriously, let's discuss this. Why do we need
More informationInformation Security CS526
Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for
More informationRandom Oracles - OAEP
Random Oracles - OAEP Anatoliy Gliberman, Dmitry Zontov, Patrick Nordahl September 23, 2004 Reading Overview There are two papers presented this week. The first paper, Random Oracles are Practical: A Paradigm
More informationUsing block ciphers 1
Using block ciphers 1 Using block ciphers DES is a type of block cipher, taking 64-bit plaintexts and returning 64-bit ciphetexts. We now discuss a number of ways in which block ciphers are employed in
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 50 Outline 1 Block Ciphers 2 The Data Encryption Standard (DES) 3 The Advanced Encryption Standard (AES) 4 Attacks
More informationBlockwise-Adaptive Attackers
Blockwise-Adaptive Attackers Revisiting the (In)Security of Some Provably Secure Encryption Modes: CBC, GEM, IACBC Antoine Joux, Gwenaëlle Martinet, and Frédéric Valette DCSSI Crypto Lab 18, rue du Docteur
More informationStream Ciphers and Block Ciphers
Stream Ciphers and Block Ciphers Ruben Niederhagen September 18th, 2013 Introduction 2/22 Recall from last lecture: Public-key crypto: Pair of keys: public key for encryption, private key for decryption.
More informationLecture 2: Shared-Key Cryptography
Graduate Course on Computer Security Lecture 2: Cryptography Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ DIMI, Universita di Udine,
More informationComputer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 10r. Recitation assignment & concept review Paul Krzyzanowski Rutgers University Spring 2018 April 3, 2018 CS 419 2018 Paul Krzyzanowski 1 1. What is a necessary condition for perfect
More informationSymmetric Encryption. Thierry Sans
Symmetric Encryption Thierry Sans Design principles (reminder) 1. Kerkoff Principle The security of a cryptosystem must not rely on keeping the algorithm secret 2. Diffusion Mixing-up symbols 3. Confusion
More informationHomework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.
Homework 2: Symmetric Crypto February 17, 2015 Submission policy. information: This assignment MUST be submitted as a PDF via websubmit and MUST include the following 1. List of collaborators 2. List of
More informationCryptography [Symmetric Encryption]
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography [Symmetric Encryption] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationLecture 6: Symmetric Cryptography. CS 5430 February 21, 2018
Lecture 6: Symmetric Cryptography CS 5430 February 21, 2018 The Big Picture Thus Far Attacks are perpetrated by threats that inflict harm by exploiting vulnerabilities which are controlled by countermeasures.
More information7. Symmetric encryption. symmetric cryptography 1
CIS 5371 Cryptography 7. Symmetric encryption symmetric cryptography 1 Cryptographic systems Cryptosystem: t (MCKK GED) (M,C,K,K,G,E,D) M, plaintext message space C, ciphertext message space K, K, encryption
More informationSecurity: Cryptography
Security: Cryptography Computer Science and Engineering College of Engineering The Ohio State University Lecture 38 Some High-Level Goals Confidentiality Non-authorized users have limited access Integrity
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 4, 2017 CPSC 467, Lecture 11 1/39 ElGamal Cryptosystem Message Integrity and Authenticity Message authentication codes
More informationFrom semantic security to chosen ciphertext security
Graduate Theses and Dissertations Graduate College 2010 From semantic security to chosen ciphertext security Sahnghyun Cha Iowa State University Follow this and additional works at: http://lib.dr.iastate.edu/etd
More informationLecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model
CMSC 858K Advanced Topics in Cryptography March 11, 2004 Lecturer: Jonathan Katz Lecture 14 Scribe(s): Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze 1 A Note on Adaptively-Secure NIZK A close look
More informationCSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography
CSCI 454/554 Computer and Network Security Topic 2. Introduction to Cryptography Outline Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues 2 Basic Concepts and Definitions
More informationCS 161 Computer Security
Raluca Popa Spring 2018 CS 161 Computer Security Homework 2 Due: Wednesday, February 14, at 11:59pm Instructions. This homework is due Wednesday, February 14, at 11:59pm. No late homeworks will be accepted.
More informationStream Ciphers An Overview
Stream Ciphers An Overview Palash Sarkar Indian Statistical Institute, Kolkata email: palash@isicalacin stream cipher overview, Palash Sarkar p1/51 Classical Encryption Adversary message ciphertext ciphertext
More information