Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18
- Brittany Miller
- 5 years ago
COMP 7/8120 Cryptography and Data Security
Lecture 8: How to use Block Cipher - many time key
Based on slides from Dan Boneh
COMP 7/ Kan Yang 1

Course Map
[Diagram labels: Key Establishment; Authenticated Encryption; Key Management; Stream Ciphers; Block Ciphers; Secret Key Encryption; Encryption; RSA; ElGamal; Public Key Encryption; Message Authentication Codes; Message Authentication; Authentication; Digital Signature; Entity Authentication]

Learning Objectives
- Semantic Security for many time key (Chosen Plaintext Attack)
- How to use Block Cipher (many time key)
  - Cipher Block Chaining (CBC) Mode
  - Counter (CTR) Mode

How to use PRPs (Block Ciphers)?
Goal: build secure encryption from a secure PRP (e.g. AES).
- one-time keys (semantic security)
  1. Adversary's power: Adv sees only one ciphertext (one-time key)
  2. Adversary's goal: Learn info about PT from CT (semantic security)
- many-time keys (chosen-plaintext security)

ECB is not Semantically Secure
ECB is not semantically secure for messages that contain more than one block.
  b ∈ {0,1}
  A: Two blocks m_0 = Hello World, m_1 = Hello Hello
  (c_1, c_2) E(k, m_b)
  If c_1 = c_2 output 0, else output 1
Then Adv_SS[A, ECB] = 1

Det. Counter Mode
Deterministic counter mode from a PRF F: K {0,1}^n {0,1}^n
E_DETCTR(k, m) =
       m[0]     m[1]     m[L]
   ⊕   F(k,0)   F(k,1)   F(k,L)
       c[0]     c[1]     c[L]
Stream cipher built from a PRF (e.g. AES, 3DES)

How to use PRPs (Block Ciphers) with many time key?

Semantic Security for many-time key
Key used more than once; adv. sees many CTs with same key
Adversary's power: chosen-plaintext attack (CPA)
- Can obtain the encryption of arbitrary messages of his choice (conservative modeling of real life)
Adversary's goal: Break semantic security

Semantic Security for many-time key
E = (E,D) a cipher defined over (K,M,C). For b=0,1 define EXP(b) as:
  b
  m_{1,0}, m_{1,1} ∈ M : m_{1,0} = m_{1,1}
  c_1 E(k, m_{1,b})
  m_{2,0}, m_{2,1} ∈ M : m_{2,0} = m_{2,1}
  c_2 E(k, m_{2,b})

Semantic Security for many-time key (CPA security)
E = (E,D) a cipher defined over (K,M,C). For b=0,1 define EXP(b) as:
  b
  for i=1,,q:
    m_{i,0}, m_{i,1} ∈ M : m_{i,0} = m_{i,1}
    c_i E(k, m_{i,b})
  b ∈ {0,1}
if adv. wants c = E(k, m) it queries with m_{j,0} = m_{j,1} = m
Def: E is sem. sec. under CPA if for all efficient A:
  Adv_CPA[A,E] = Pr[EXP(0)=1] Pr[EXP(1)=1] is negligible.

Ciphers insecure under CPA
Suppose E(k,m) always outputs same ciphertext for msg m. Then:
  m_0, m_0 ∈ M
  c_0 E(k, m_0)
  m_0, m_1 ∈ M
  c E(k, m_b)
  output 0 if c = c_0
So what? An attacker can learn that two encrypted files are the same, two encrypted packets are the same, etc.
Leads to significant attacks when message space M is small

Ciphers insecure under CPA
Suppose E(k,m) always outputs same ciphertext for msg m. Then:
  m_0, m_0 ∈ M
  c_0 E(k, m_0)
  m_0, m_1 ∈ M
  c E(k, m_b)
  output 0 if c = c_0
If secret key is to be used multiple times ⇒ given the same plaintext message twice, encryption must produce different outputs.

Solution 1: randomized encryption
E(k,m) is a randomized algorithm:
[Diagram: m_0 and m_1; enc; dec; m_0 and m_1]
- encrypting same msg twice gives different ciphertexts (w.h.p)
- ciphertext must be longer than plaintext
Roughly speaking: CT-size = PT-size + # random bits

Let F: K R M be a secure PRF.
For m M define E(k,m) = [ r R, output (r, F(k,r) m) ]
Is E semantically secure under CPA?
- Yes, whenever F is a secure PRF
- No, there is always a CPA attack on this system
- Yes, but only if R is large enough so r never repeats (w.h.p)
- It depends on what F is used

Solution 2: nonce-based Encryption
[Diagram: Alice: m, n; E; E(k,m,n) = c; Bob: c, n; D; D(k,c,n) = m; both hold k]
nonce n: a value that changes from msg to msg.
(k,n) pair never used more than once
- method 1: nonce is a counter (e.g. packet counter)
  - used when encryptor keeps state from msg to msg
  - if decryptor has same state, need not send nonce with CT
- method 2: encryptor chooses a random nonce, n N

CPA security for nonce-based encryption
System should be secure when nonces are chosen adversarially.
  b
  for i=1,,q:
    n_i and m_{i,0}, m_{i,1} : m_{i,0} = m_{i,1}
    c E(k, m_{i,b}, n_i)
  b ∈ {0,1}
All nonces {n_1,, n_q} must be distinct.
Def: nonce-based E is sem. sec. under CPA if for all efficient A:
  Adv_ncpa[A,E] = Pr[EXP(0)=1] Pr[EXP(1)=1] is negligible.

Let F: K R M be a secure PRF. Let r = 0 initially.
For m M define E(k,m) = [ r++, output (r, F(k, r) m) ]
Is E CPA secure nonce-based encryption?
- Yes, whenever F is a secure PRF
- No, there is always a nonce-based CPA attack on this system
- Yes, but only if R is large enough so r never repeats
- It depends on what F is used

How to use Block Cipher (many time key)
Example applications:
1. File systems: Same AES key used to encrypt many files.
2. IPsec: Same AES key used to encrypt many packets.
Operation Modes:
- Cipher Block Chaining (CBC) Mode
- Counter (CTR) Mode

Construction 1: Random CBC (with random )
Let (E,D) be a PRP. E_CBC(k,m): choose random X and do:
[Diagram: m[0] m[1] m[2] m[3]; ⊕ ⊕ ⊕ ⊕; E(k, ) on each block; c[0] c[1] c[2] c[3]; ciphertext]

Decryption circuit
In symbols: c[0] = E(k, m[0] )    m[0] = D(k, c[0])
[Diagram: c[0] c[1] c[2] c[3]; D(k, ) on each block; ⊕ ⊕ ⊕ ⊕; m[0] m[1] m[2] m[3]]

CBC: CPA Analysis
CBC Theorem: For any L>0, if E is a secure PRP over (K,X) then E_CBC is sem. sec. under CPA over (K, X^L, X^(L+1)).
In particular, for a q-query adversary A attacking E_CBC there exists a PRP adversary B s.t.:
  Adv_CPA[A, E_CBC] 2 Adv_PRP[B, E] + 2 q^2 L^2 / X
Note: CBC is only secure as long as q^2 L^2 << X

An example
  Adv_CPA[A, E_CBC] 2 Adv_PRP[B, E] + 2 q^2 L^2 / X
q = # messages encrypted with k, L = length of max message
Suppose we want Adv_CPA[A, E_CBC] 1/2^32    q^2 L^2 / X < 1/2^32
- AES: X =    q L < 2^48
  So, after 2^48 AES blocks, must change key
- 3DES: X = 2^64    q L < 2^16

Warning: an attack on CBC with rand.
CBC where attacker can predict the is not CPA-secure!!
Suppose given c E_CBC(k,m) can predict for next message
  0 ∈ X
  c_1 [ 1, E(k, 0 1 ) ]
  m_0 = 1, m_1 m_0
  c [, E(k, 1 ) ] or c [, E(k, m_1 ) ]
  predict
  output 0 if c[1] = c_1[1]
Bug in SSL/TLS 1.0: for record #i is last CT block of record #(i-1)

Construction 1 : nonce-based CBC
Cipher block chaining with unique nonce: key = (k,k_1)
unique nonce means: (key, n) pair is used for only one message
[Diagram: nonce through E(k_1, ); m[0] m[1] m[2] m[3]; ⊕ ⊕ ⊕ ⊕; E(k, ) on each block; ciphertext: nonce c[0] c[1] c[2] c[3]; nonce included only if unknown to decryptor]

An example Crypto API (OpenSSL)
    void AES_cbc_encrypt(
        const unsigned char *in,
        unsigned char *out,
        size_t length,
        const AES_KEY *key,
        unsigned char *ivec,    /* user supplies */
        const int enc);         /* AES_ENCRYPT or AES_DECRYPT */
When nonce is non random need to encrypt it before use

A CBC technicality: padding
[Diagram: E(k_1, ) ʹ; m[0] m[1] m[2] m[3] || pad; ⊕ ⊕ ⊕ ⊕; E(k, ) on each block; c[0] c[1] c[2] c[3]]
TLS: for n>0, n byte pad is n n n n
- if no pad needed, add a dummy block
- removed during decryption
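The game on the warning slide and the nonce-based construction, as an added example (not code from the lecture or from OpenSSL). It runs EXP(0) and EXP(1) against three ways of choosing the CBC initialization vector (IV): chained from the previous record as in SSL/TLS 1.0, a packet counter used directly, and a counter encrypted under the second key k_1. A 4-round Feistel network over HMAC-SHA256 stands in for AES, and every class and function name is an assumption of this example.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # bytes per block, the same width as AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(k, i, half):
    # Feistel round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(k, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def E(k, x):
    """Stand-in PRP for this example (4-round Feistel over HMAC), not AES."""
    left, right = x[:8], x[8:]
    for i in range(4):
        left, right = right, xor(left, _f(k, i, right))
    return left + right

def D(k, y):
    """Inverse permutation of E."""
    left, right = y[:8], y[8:]
    for i in reversed(range(4)):
        left, right = xor(right, _f(k, i, left)), left
    return left + right

def cbc_encrypt(k, iv, blocks):
    """c[i] = E(k, m[i] XOR c[i-1]), chaining from iv; the IV is not in the result."""
    out, prev = [], iv
    for m in blocks:
        prev = E(k, xor(prev, m))
        out.append(prev)
    return out

def cbc_decrypt(k, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        out.append(xor(D(k, c), prev))
        prev = c
    return out

class ChainedIV:
    """IV for record i is the last CT block of record i-1 (the SSL/TLS 1.0 bug)."""
    def __init__(self):
        self.k, self.iv = secrets.token_bytes(32), secrets.token_bytes(BLOCK)
    def encrypt(self, blocks):
        iv, ct = self.iv, cbc_encrypt(self.k, self.iv, blocks)
        self.iv = ct[-1]
        return iv, ct  # (public header, ciphertext blocks)

class CounterAsIV:
    """Non-random nonce (a packet counter) used directly as the IV."""
    def __init__(self):
        self.k, self.n = secrets.token_bytes(32), 0
    def encrypt(self, blocks):
        iv = self.n.to_bytes(BLOCK, "big")
        self.n += 1
        return iv, cbc_encrypt(self.k, iv, blocks)

class NonceCBC:
    """Nonce-based CBC, key = (k, k1): the nonce is encrypted under k1 before use."""
    def __init__(self):
        self.k, self.k1, self.n = secrets.token_bytes(32), secrets.token_bytes(32), 0
    def encrypt(self, blocks):
        nonce = self.n.to_bytes(BLOCK, "big")
        self.n += 1
        return nonce, cbc_encrypt(self.k, E(self.k1, nonce), blocks)
    def decrypt(self, nonce, blocks):
        return cbc_decrypt(self.k, E(self.k1, nonce), blocks)

def last_block(header, ct):
    return ct[-1]  # prediction rule for a chained IV

def counter_plus_one(header, ct):
    return (int.from_bytes(header, "big") + 1).to_bytes(BLOCK, "big")

def exp(scheme, predict, b):
    """EXP(b) with the adversary from the warning slide; returns its output bit."""
    enc = scheme()
    h1, c1 = enc.encrypt([bytes(BLOCK)])      # query 1: the all-zero block
    guess = predict(h1, c1)                   # predicted IV of the next message
    m0 = xor(guess, h1)                       # m0 = (predicted IV) XOR (first IV)
    m1 = xor(m0, bytes(BLOCK - 1) + b"\x01")  # any m1 != m0
    _, c = enc.encrypt([(m0, m1)[b]])         # challenge: encryption of m_b
    return 0 if c[0] == c1[0] else 1          # slide's c[1] is index 0 here

def advantage(scheme, predict, trials=50):
    """Empirical |Pr[EXP(0)=1] - Pr[EXP(1)=1]| over fresh keys."""
    p0 = sum(exp(scheme, predict, 0) for _ in range(trials)) / trials
    p1 = sum(exp(scheme, predict, 1) for _ in range(trials)) / trials
    return abs(p0 - p1)

if __name__ == "__main__":
    print("chained IV   :", advantage(ChainedIV, last_block))
    print("counter as IV:", advantage(CounterAsIV, counter_plus_one))
    print("E(k1, nonce) :", advantage(NonceCBC, counter_plus_one))
```

The first two schemes hand the adversary advantage 1; encrypting the counter under k_1 brings the measured advantage to 0 even though the nonce itself stays predictable.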

How to use Block Cipher (many time key)
Example applications:
1. File systems: Same AES key used to encrypt many files.
2. IPsec: Same AES key used to encrypt many packets.
Operation Modes:
- Cipher Block Chaining (CBC) Mode
- Counter (CTR) Mode

Construction 2: rand ctr-mode
Let F: K {0,1}^n {0,1}^n be a secure PRF.
E(k,m): choose a random ∈ {0,1}^n and do:
  msg          m[0]     m[1]       m[L]
   ⊕           F(k, )   F(k, +1)   F(k, +L)
  ciphertext   c[0]     c[1]       c[L]
note: parallelizable (unlike CBC)

Construction 2 : nonce ctr-mode
  msg          m[0]     m[1]       m[L]
   ⊕           F(k, )   F(k, +1)   F(k, +L)
  ciphertext   c[0]     c[1]       c[L]
To ensure F(k,x) is never used more than once, choose as:
  [ nonce (64 bits) | counter (64 bits) ]   128 bits
  counter starts at 0 for every msg

rand ctr-mode (rand. ): CPA analysis
Counter-mode Theorem: For any L>0, if F is a secure PRF over (K,X,X) then E_CTR is sem. sec. under CPA over (K, X^L, X^(L+1)).
In particular, for a q-query adversary A attacking E_CTR there exists a PRF adversary B s.t.:
  Adv_CPA[A, E_CTR] 2 Adv_PRF[B, F] + 2 q^2 L / X
Note: ctr-mode only secure as long as q^2 L << X. Better than CBC!

An example
  Adv_CPA[A, E_CTR] 2 Adv_PRF[B, F] + 2 q^2 L / X
q = # messages encrypted with k, L = length of max message
Suppose we want Adv_CPA[A, E_CTR] 1/2^32    q^2 L / X < 1/2^32
- AES: X =    q L^(1/2) < 2^48
  So, after 2^32 CTs each of len 2^32, must change key (total of 2^64 AES blocks)

Comparison: ctr vs. CBC
                               CBC              ctr mode
  uses                         PRP              PRF
  parallel processing          No               Yes
  Security of rand. enc.       q^2 L^2 << X     q^2 L << X
  dummy padding block          Yes              No
  1 byte msgs (nonce-based)    16x expansion    no expansion
(for CBC, dummy padding block can be solved using ciphertext stealing)

Summary
PRPs and PRFs: a useful abstraction of block ciphers.
We examined two security notions: (security against eavesdropping)
1. Semantic security against one-time CPA.
2. Semantic security against many-time CPA.
Note: neither mode ensures data integrity.
Stated security results summarized in the following table:
  Goal \ Power    one-time key                     Many-time key (CPA)        CPA and integrity
  Sem. Sec.       stream-ciphers, det. ctr-mode    rand CBC, rand ctr-mode    later

Further reading
- A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation, M. Bellare, A. Desai, E. Jokipii and P. Rogaway, FOCS 1997
- Nonce-Based Symmetric Encryption, P. Rogaway, FSE 2004
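Added example (not code from the lecture): counter mode built from a PRF as in the det., rand and nonce ctr-mode constructions, with a rekey guard computed from the q^2 L^2 / X < 1/2^32 and q^2 L / X < 1/2^32 conditions on the two example slides. HMAC-SHA256 truncated to 128 bits stands in for AES, and the names F, ctr_xor, max_messages, RandCtr and NonceCtr are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from math import isqrt

BLOCK = 16    # bytes per block
X_BITS = 128  # size of the block space X in bits (AES-sized)


def F(k, x):
    """PRF on 128-bit inputs. HMAC-SHA256 stands in for AES in this example."""
    return hmac.new(k, x.to_bytes(BLOCK, "big"), hashlib.sha256).digest()[:BLOCK]


def ctr_xor(k, iv, data):
    """c[i] = m[i] XOR F(k, iv + i). The same call decrypts; no padding is needed."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        pad = F(k, (iv + i // BLOCK) % 2**X_BITS)
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], pad))
    return bytes(out)


def max_messages(mode, L, x_bits=X_BITS, adv_bits=32):
    """Largest q with q^2 L^2 / X < 2^-adv_bits ("cbc") or q^2 L / X < 2^-adv_bits ("ctr")."""
    cost = L * L if mode == "cbc" else L
    return isqrt((2 ** (x_bits - adv_bits) - 1) // cost)


class RandCtr:
    """rand ctr-mode that refuses to encrypt once the key budget is spent."""

    def __init__(self, max_blocks):
        self.k = secrets.token_bytes(32)
        self.max_blocks = max_blocks                       # L
        self.remaining = max_messages("ctr", max_blocks)   # q

    def encrypt(self, m):
        if -(-len(m) // BLOCK) > self.max_blocks:
            raise ValueError("message longer than L blocks")
        if self.remaining == 0:
            raise RuntimeError("key budget exhausted: change key")
        self.remaining -= 1
        iv = secrets.randbits(X_BITS)  # fresh random starting point per message
        return iv, ctr_xor(self.k, iv, m)

    def decrypt(self, iv, c):
        return ctr_xor(self.k, iv, c)


class NonceCtr:
    """nonce ctr-mode: F input = 64-bit nonce || 64-bit counter starting at 0."""

    def __init__(self):
        self.k, self.next_nonce = secrets.token_bytes(32), 0

    def encrypt(self, m):
        if self.next_nonce >= 2**64:
            raise RuntimeError("nonce space exhausted: change key")
        if -(-len(m) // BLOCK) > 2**64:
            raise ValueError("counter would overflow into the nonce")
        nonce, self.next_nonce = self.next_nonce, self.next_nonce + 1
        return nonce, ctr_xor(self.k, nonce << 64, m)

    def decrypt(self, nonce, c):
        return ctr_xor(self.k, nonce << 64, c)


if __name__ == "__main__":
    key, msg = secrets.token_bytes(32), b"same packet sent twice"
    # det. ctr-mode repeats itself, so it is only for one-time keys.
    print("det  repeats:", ctr_xor(key, 0, msg) == ctr_xor(key, 0, msg))
    rand = RandCtr(max_blocks=2**32)
    print("rand repeats:", rand.encrypt(msg)[1] == rand.encrypt(msg)[1])
    print("CBC, AES : q*L limit", max_messages("cbc", 1) + 1)
    print("CBC, 3DES: q*L limit", max_messages("cbc", 1, x_bits=64) + 1)
    print("ctr, AES, L=2^32: q limit", max_messages("ctr", 2**32) + 1)
```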
CIS 4360 Introduction to Computer Security Fall 2010 WITH ANSWERS in bold Name:.................................... Number:............ First Midterm Instructions This is a closed-book examination. Maximum
More informationComputational Security, Stream and Block Cipher Functions
Computational Security, Stream and Block Cipher Functions 18 March 2019 Lecture 3 Most Slides Credits: Steve Zdancewic (UPenn) 18 March 2019 SE 425: Communication and Information Security 1 Topics for
More informationCHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))
CHAPTER 6. SYMMETRIC CIPHERS Multiple encryption is a technique in which an encryption algorithm is used multiple times. In the first instance, plaintext is converted to ciphertext using the encryption
More informationCryptography Functions
Cryptography Functions Lecture 3 1/29/2013 References: Chapter 2-3 Network Security: Private Communication in a Public World, Kaufman, Perlman, Speciner Types of Cryptographic Functions Secret (Symmetric)
More informationNetwork Security Essentials Chapter 2
Network Security Essentials Chapter 2 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Encryption What is encryption? Why do we need it? No, seriously, let's discuss this. Why do we need
More informationRefresher: Applied Cryptography
Refresher: Applied Cryptography (emphasis on common tools for secure processors) Chris Fletcher Fall 2017, 598 CLF, UIUC Complementary reading Intel SGX Explained (ISE) Victor Costan, Srini Devadas https://eprint.iacr.org/2016/086.pdf
More informationChapter 6: Contemporary Symmetric Ciphers
CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Chapter 6: Contemporary Symmetric Ciphers Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Why Triple-DES?
More informationBlock Cipher Modes of Operation
Block Cipher Modes of Operation Luke Anderson luke@lukeanderson.com.au 23 rd March 2018 University Of Sydney Overview 1. Crypto-Bulletin 2. Modes Of Operation 2.1 Evaluating Modes 2.2 Electronic Code Book
More informationIntroduction to Symmetric Cryptography
Introduction to Symmetric Cryptography Tingting Chen Cal Poly Pomona 1 Some slides are from Dr. Cliff Zou. www.cs.ucf.edu/~czou/cis3360-12/ch08-cryptoconcepts.ppt Basic Cryptography Private Key Cryptography
More informationAWS Key Management Service (KMS) Handling cryptographic bounds for use of AES-GCM
AWS Key Management Service (KMS) Handling cryptographic bounds for use of AES-GCM Matthew Campagna Amazon Web Services Shay Gueron Amazon Web Services University of Haifa 1 Outline The AWS Key Management
More informationLecture 5. Constructions of Block ciphers. Winter 2018 CS 485/585 Introduction to Cryptography
1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 5 Portland State University Jan. 23, 2018 Lecturer: Fang Song Draft note. Version: January 25, 2018. Email fang.song@pdx.edu for comments and
More informationThe OCB Authenticated-Encryption Algorithm
The OCB Authenticated-Encryption Algorithm Ted Krovetz California State University, Sacramento, USA Phillip Rogaway University of California, Davis, USA IETF 83 Paris, France CFRG 11:20-12:20 in 212/213
More informationUsing block ciphers 1
Using block ciphers 1 Using block ciphers DES is a type of block cipher, taking 64-bit plaintexts and returning 64-bit ciphetexts. We now discuss a number of ways in which block ciphers are employed in
More informationCS 161 Computer Security
Raluca Popa Spring 2018 CS 161 Computer Security Discussion 3 Week of February 5, 2018: Cryptography I Question 1 Activity: Cryptographic security levels (20 min) Say Alice has a randomly-chosen symmetric
More informationCryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security
Recall from last lecture Cryptography To a first approximation, attackers control network Next two lectures: How to defend against this 1. Communicate securely despite insecure networks cryptography 2.
More information