CRYPTANALYSIS AGAINST SYMMETRIC- KEY SCHEMES WITH ONLINE CLASSICAL QUERIES AND OFFLINE QUANTUM COMPUTATIONS
|
|
- Sabrina Madlyn Gilbert
- 5 years ago
- Views:
Transcription
1 #RSAC SESSION ID: CRYP-W14 CRYPTANALYSIS AGAINST SYMMETRIC- KEY SCHEMES WITH ONLINE CLASSICAL QUERIES AND OFFLINE QUANTUM COMPUTATIONS Akinori Hosoyamada Researcher NTT Secure Platform Laboratories
2 Cryptanalysis against Symmetric- Key Schemes with Online Classical Queries and Offline Quantum Computations Akinori Hosoyamada Yu Sasaki NTT Secure Platform Laboratories
3 Outline Backgrounds Classical Online-Offline MITM attacks MITM attacks with Online Classical Queries and Offline Quantum Computations Applications Summary 3
4 Outline Backgrounds Classical Online-Offline MITM attacks MITM attacks with Online Classical Queries and Offline Quantum Computations Applications Summary 4
5 Quantum attacks on Symmetric Key Schemes Some Symmetric key schemes are also broken in poly-time by quantum computers in some specific situations Even-Mansour Chaskey Minalpher-MAC Full-state keyed sponge CBC-like MAC PMAC-like MAC LightMAC 3R-Feistel LRW, XEX, XE Chaskey-B 5
6 Quantum attacks on Symmetric Key Schemes Depends on attack models Some Symmetric key schemes are also broken in poly-time by quantum computers in some specific situations Even-Mansour Chaskey Minalpher-MAC Full-state keyed sponge CBC-like MAC PMAC-like MAC LightMAC 3R-Feistel LRW, XEX, XE Chaskey-B 6
7 Attack Models Chosen Plaintext Attack Enc. Oracle Message Ciphertext Computer Adversary 7
8 Attack Models Chosen Plaintext Attack Enc. Oracle Chosen Plaintext Attack Q1 model, classical query Enc. Oracle Message Ciphertext Message Ciphertext Computer Quantum Computer Adversary Adversary 8
9 Attack Models Chosen Plaintext Attack Enc. Oracle Chosen Plaintext Attack Q2 model, quantum query Quantum Enc. Oracle Message Ciphertext Quantum Superposed Message Quantum Superposed Ciphertext Computer Quantum Computer Adversary Adversary 9
10 Poly-time attacks are in Q2 model (quantum superposition query attack) Class Q2 Poly : OO(nn) quantum queries Even-Mansour Chaskey Minalpher-MAC Full-state keyed sponge CBC-like MAC PMAC-like MAC LightMAC 3R-Feistel LRW, XEX, XE Chaskey-B 10
11 Poly-time attacks are in Q2 model (quantum superposition query attack) Class Q2 Poly : OO(nn) quantum queries Even-Mansour Chaskey Minalpher-MAC Full-state keyed sponge CBC-like MAC PMAC-like MAC LightMAC 3R-Feistel LRW, XEX, XE Chaskey-B Poly-time attacks can be realized in Q2 model Q2 model is theoretically interesting However, Q1 is more realistic model than Q2 Q1 should receive much more attention 11
12 Attack Models Chosen Plaintext Attack Enc. Oracle We focus Chosen Plaintext Attack Q1 model, classical query Enc. Oracle Message on Ciphertext Message Ciphertext Q1 model Computer Quantum Computer Adversary Adversary 12
13 Quantum Hardware Models If hardware becomes large, architecture significantly affects running time of algorithms a. free communication model [Ber09,BB17] any qubit can interact with any qubit b. realistic communication model [Ber09,BB17] a qubit can interact with only near qubits c. independent small processors without communication 13
14 Outline Backgrounds Classical Online-Offline MITM attacks MITM attacks with Online Classical Queries and Offline Quantum Computations Applications Summary 14
15 Outline Backgrounds Classical Online-Offline MITM attacks MITM attacks with Online Classical Queries and Offline Quantum Computations Applications Summary 15
16 Classical Online-Offline MITM attacks Pattern 1 Pattern 2 xx ff ss Offline: guess 2 nn /DD distinct x nn nn ff ss ff pp zz xxx Online: query DD distinct xx nn nn xx ss ff ss ff pp xxx yy ss yyy Online: query DD many xx ss Offline: compute 2 nn /DD many xxx Conditions to Apply On-Off MITM 1. ff ss can be calculated only by making online queries (ff ss has some secret information) 2. ff pp can be calculated offline 3. If we find xx, xx s.t. ff ss xx = ff pp xx, then we can get some secret information on a crypto scheme 16
17 Classical Online-Offline MITM attacks Pattern 1 Pattern 2 xx ff ss Offline: guess 2 nn /DD distinct x ff ss nn xxx ff pp Online: query DD distinct xx nn zz nn nn xx ss ff ss ff pp xxx yy ss yyy Online: query DD many xx ss Offline: compute 2 nn /DD many xxx Attack Procedure Goal: To find xx, xx s.t. ff ss xx = ff pp (xx ) (then we can get some information) 1. Online phase: Collect DD pairs xx 1, ff ss (xx 1 ),, xx DD, ff ss xx DD 2. Offline phase: Find xx s.t. ff pp xx = ff ss xx ii for some 1 ii DD (DD-multi-target preimage search on ff pp ) Step 2 requires time TT = 2 nn /DD (tradeoff: TT DD = 2 nn ) 17
18 Classical Online-Offline MITM attacks xx ff ss Pattern 1 Example: Offline: guess 2 nn /DD distinct x nn nn nn nn xx ss ff ss ff pp xxx ff ss ff pp DD zz = 2 nn/2 TT = 2 nn/2 yy ss yyy xxx Online: query DD distinct xx DD = 2 nn/3 TT = 2 2nn/3 Online: query DD many xx ss Pattern 2 Offline: compute 2 nn /DD many xxx Attack Procedure Goal: To find xx, xx s.t. ff ss xx = ff pp (xx ) (then we can get some information) 1. Online phase: Collect DD pairs xx 1, ff ss (xx 1 ),, xx DD, ff ss xx DD 2. Offline phase: Find xx s.t. ff pp xx = ff ss xx ii for some 1 ii DD (DD-multi-target preimage search on ff pp ) Step 2 requires time TT = 2 nn /DD (tradeoff: TT DD = 2 nn ) 18
19 Classical Online-Offline MITM attacks xx ff ss Pattern 1 Example: Offline: guess 2 nn /DD distinct x nn nn nn nn xx ss ff ss ff pp xxx ff ss ff pp DD zz = 2 nn/2 TT = 2 nn/2 yy ss yyy xxx Online: query DD distinct xx DD = 2 nn/3 TT = 2 2nn/3 Online: query DD many xx ss Pattern 2 Offline: compute 2 nn /DD many xxx Attack Procedure Goal: To find xx, xx s.t. ff ss xx = ff pp (xx ) (then we can get some information) 1. Online phase: Collect DD pairs xx 1, ff ss (xx 1 ),, xx DD, ff ss xx DD 2. Offline Some phase: schemes Find xx s.t. claim ff pp xx security = ff ss xx ii up for to some TT 12 2nn/3 ii DD (BBB (DD-multi-target security) by limiting preimage DDsearch to be on < 2ff nn/3 pp ) Step 2 requires time TT = 2 nn /DD (tradeoff: TT DD = 2 nn ) 19
20 Outline Backgrounds Classical Online-Offline MITM attacks MITM attacks with Online Classical Queries and Offline Quantum Computations Applications Summary 20
21 Outline Backgrounds Classical Online-Offline MITM attacks MITM attacks with Online Classical Queries and Offline Quantum Computations Applications Summary 21
22 Attack Models Chosen Plaintext Attack Enc. Oracle Chosen Plaintext Attack Q1 model, classical query Enc. Oracle Message Ciphertext Message Ciphertext Computer Quantum Computer Adversary Adversary 22
23 MITM attacks : Online Classical Queries and Offline Quantum Computations Pattern 1 Pattern 2 xx ff ss Offline: guess 2 nn /DD distinct x ff ss nn xxx ff pp Online: query DD distinct xx nn zz nn nn xx ss ff ss ff pp xxx yy ss yyy Online: query DD many xx ss Offline: compute 2 nn /DD many xxx Attack Procedure Goal: To find xx, xx s.t. ff ss xx = ff pp (xx ) (then we can get some information) 1. Online phase: Collect DD pairs xx 1, ff ss (xx 1 ),, xx DD, ff ss xx DD 2. Offline phase: Find xx s.t. ff pp xx = ff ss xx ii for some 1 ii DD (DD-multi-target preimage search on ff pp ) Step 2 requires time TT = 2 nn /DD (tradeoff: TT DD = 2 nn ) 23
24 MITM attacks : Online Classical Queries and Offline Quantum Computations Pattern 1 Pattern 2 xx ff ss Offline: guess 2 nn /DD distinct x ff ss nn xxx ff pp Online: query DD distinct xx nn zz nn nn xx ss ff ss ff pp xxx yy ss yyy Online: query DD many xx ss Offline: compute 2 nn /DD many xxx Attack Procedure Goal: To find xx, xx s.t. ff ss xx = ff pp (xx ) (then we can get some information) 1. Online phase: Collect DD pairs xx 1, ff ss (xx 1 ),, xx DD, ff ss xx DD 2. Offline phase: Find xx s.t. ff pp xx = ff ss xx ii for some 1 ii DD (DD-multi-target preimage search on ff pp ) Step 2 can be accelerated!! (we obtain new tradeoff!!) 24
25 MITM attacks : Online Classical Queries and Offline Quantum Computations Pattern 1 Pattern 2 xx ff ss Offline: guess 2 nn /DD distinct x nn Some schemes claim security xx ss up to nn nn ff ss TT 2 2nn/3 ff pp xxx ff ss ff pp zz yy ss yyy (BBB security) by limiting DD to be < 2 nn/3 xxx Online: query DD distinct xx But Online: query DD many xx ss Those claims are broken in the quantum settings Offline: compute 2 nn /DD many xxx Attack Procedure Goal: since To tradeoff find xx, xx changes s.t. ff ss xx = from ff pp (xx TT ) (then DD = we 2can nn to get a some better information) one 1. Online phase: Collect DD pairs xx 1, ff ss (xx 1 ),, xx DD, ff ss xx DD 2. Offline phase: Find xx s.t. ff pp xx = ff ss xx ii for some 1 ii DD (DD-multi-target preimage search on ff pp ) Step 2 can be accelerated!! (we obtain new tradeoff!!) 25
26 MITM attacks : Online Classical Queries and Offline Quantum Computations Pattern 1 Pattern 2 xx ff ss Offline: guess 2 nn /DD distinct x nn Some schemes claim security xx ss up to nn nn ff ss TT 2 2nn/3 ff pp xxx ff ss ff pp zz yy ss yyy (BBB security) by limiting DD to be < 2 nn/3 xxx Online: query DD distinct xx But Online: query DD many xx ss Those claims are broken in the quantum settings Offline: compute 2 nn /DD many xxx Attack Procedure Goal: To find xx, xx s.t. due ff ss xx to = new ff pp (xx tradeoffs ) (then we can get some information) 1. Online phase: Collect DD pairs xx 1, ff ss (xx 1 ),, xx DD, ff ss xx DD 2. Offline phase: Find xx s.t. ff pp xx = ff ss xx ii for some 1 ii DD (DD-multi-target preimage search on ff pp ) Step 2 can be accelerated!! (we obtain new tradeoff!!) 26
27 MITM attacks in the quantum settings: 4 new tradeoffs between T and D NN TT DD-qubits (exp. qubits) Free communication model, DD 2 TT 2 = NN [BB17] Realistic communication model, DD 3/2 TT 2 = NN [BB17] Any (independent small processors), DD 4 TT 6 = NN 3 [CNPS17] NN 1/2 NN 3/7 Poly-qubits, DD TT 6 = NN 3 [CNPS17] ( Classical, DD TT = NN ) NN 3/7 NN 1/2 NN 2/3 NN 4/7 NN NN 3/4 DD Offline phase of MITM attack is accelerated by quantum multi-target preimage search 27
28 Outline Backgrounds Classical MITM attacks MITM attacks with Online Classical Queries and Offline Quantum Computations Applications Summary 28
29 Outline Backgrounds Classical MITM attacks MITM attacks with Online Classical Queries and Offline Quantum Computations Applications Summary 29
30 Attack on Chaskey Chaskey[Mou15] is a lightweight MAC Classical online-offline MITM attack can be applied to Chaskey (Classical tradeoff: TT DD = if n=128) 30
31 Attack on Chaskey Chaskey[Mou15] is a lightweight MAC Chaskey claims 80-bit security by restricting DD to be < 2 48 It claims security up to T 2 80 (n is set as n=128) Classical online-offline MITM attack can be applied to Chaskey (Classical tradeoff: TT DD = if n=128) 31
32 Attack on Chaskey If DD < 2 48 queries are allowed, then attack complexity becomes T D Q M Classical Case 1a (Exp. qubits, free communication) Case 1b (Exp. qubits, realistic communication) Case 1c (Exp. qubits, any communication) Case 2 (Poly. qubits) (2 7 ) 2 16 TT is overwhelmingly smaller than 2 80 of classical attack 32
33 Applications to various schemes Class Q2 Poly : OO(nn) quantum queries TDR McOE-X H 2 MAC, LPMAC Keyed sponge KMAC Even-Mansour Chaskey Minalpher-MAC Full-state keyed sponge CBC-like MAC PMAC-like MAC LightMAC 3R-Feistel LRW, XEX, XE Chaskey-B 33
34 Applications to various schemes Class Q2 Poly : OO(nn) quantum queries TDR McOE-X H 2 MAC, LPMAC Keyed sponge KMAC Even-Mansour Chaskey Minalpher-MAC Full-state keyed sponge CBC-like MAC PMAC-like MAC LightMAC 3R-Feistel LRW, XEX, XE Chaskey-B Class Q1 Exp : below OO(2 nn/2 ) classical queries 34
35 Applications to various schemes Class Q2 Poly : OO(nn) quantum queries TDR McOE-X H 2 MAC, LPMAC Keyed sponge KMAC Even-Mansour Chaskey Minalpher-MAC Full-state keyed sponge CBC-like MAC PMAC-like MAC LightMAC 3R-Feistel LRW, XEX, XE Chaskey-B Class Q1 Exp : below OO(2 nn/2 ) classical queries 35
36 Applications to various schemes Class Q2 Poly : OO(nn) quantum queries TDR McOE-X H 2 MAC, LPMAC Keyed sponge KMAC Even-Mansour Chaskey Minalpher-MAC Full-state keyed sponge CBC-like MAC PMAC-like MAC LightMAC 3R-Feistel LRW, XEX, XE Chaskey-B Class Q1 Exp : below OO(2 nn/2 ) classical queries Others FX-constructions 36
37 Outline Backgrounds Classical MITM attacks MITM attacks with Online Classical Queries and Offline Quantum Computations Applications Summary 37
38 Outline Backgrounds Classical MITM attacks MITM attacks with Online Classical Queries and Offline Quantum Computations Applications Summary 38
39 Summary MITM attack with Online Classical and Offline quantum computations (quantum attack in Q1 model) New tradeoffs between D and T in 4 models Some existing schemes claim BBB security on T by limiting the maximum number of D following the classical tradeoff DT=N, but such claims are broken by our attacks Thank you!! hosoyamada.akinori@lab.ntt.co.jp 39
40 #RSAC SESSION ID: CRYP-W14 IMPROVING STATELESS HASH-BASED SIGNATURES Guillaume Endignoux Software Engineer Google
41 Improving Stateless Hash-Based Signatures CT-RSA 2018 Jean-Philippe Aumasson 1, Guillaume Endignoux 2 Wednesday 18 th April, Kudelski Security 2 Work done while at Kudelski Security and EPFL 1
42 Hash-based signatures What are hash-based signatures? Good hash functions are hard to invert = preimage-resistance. We can use this property to create signature schemes 1. 1 Whitfield Diffie and Martin E. Hellman. New directions in cryptography
43 Hash-based signatures What are hash-based signatures? Good hash functions are hard to invert = preimage-resistance. We can use this property to create signature schemes 1. Public key P 0 H P 1 H First step: scheme to sign 1-bit message. Key generation: commit to 2 secrets with H Sign bit b: reveal σ = S b Secret key S 0 S 1 Verify signature σ: compare H(σ) with P b 1 Whitfield Diffie and Martin E. Hellman. New directions in cryptography
44 Hash-based signatures Second step: sign n-bit message n copies of the previous scheme. P 0,0 P 0,1 P 1,0 P 1,1 P n,0 P n,1 H H H H H H S 0,0 S 0,1 S 1,0 S 1,1 S n,0 S n,1 Figure 1: Lamport signatures. 3
45 Hash-based signatures Second step: sign n-bit message n copies of the previous scheme. P 0,0 P 0,1 P 1,0 P 1,1 P n,0 P n,1 H H H H H H S 0,0 S 0,1 S 1,0 S 1,1 S n,0 S n,1 Figure 1: Lamport signatures. However, this is a one-time signature scheme. 3
46 Hash-based signatures More constructions: WOTS (Winternitz one-time signatures) = compact version of the n-bit message scheme. Merkle trees = stateful multiple-time signatures. HORS = stateless few-time signatures. HORST = HORS with Merkle tree. 4
47 Hash-based signatures SPHINCS = stateless many-time signatures (up to 2 50 messages). Hyper-tree of WOTS signatures certificate chain Hyper-tree of height H = 60, divided in 12 layers of {Merkle tree + WOTS} WOTS Merkle Merkle... Hyper-tree Sign message M: Select index 0 i < 2 60 Sign M with i-th HORST instance Chain of WOTS signatures.... HORST Figure 2: SPHINCS. 5
48 Hash-based signatures Hash-based signatures in a nutshell: Post-quantum security well understood Grover s algorithm: preimage-search in O(2 n/2 ) instead of O(2 n ) for n-bit hash function. Signature size is quite large: 41 KB for SPHINCS (stateless), 8 KB for XMSS (stateful). 6
49 Contributions We propose improvements to reduce signature size of SPHINCS: PRNG to obtain a random subset (PORS) Octopus: optimized multi-authentication in Merkle trees Secret key caching Non-masked hashing 7
50 PRNG to obtain a random subset
51 From HORS to PORS Sign a message M with HORS: Hash the message H(M) = 28c5c... Split the hash to obtain indices {2, 8, c, 5, c,...} and reveal values S 2, S 8,... i SPHINCS leaf M H 2 8 c 5 c Public key P 0 P 1 P 2 P 3 P 4 P 5 P 6 P 7 P 8 P 9 P 10 P 11 P 12 P 13 P 14 P 15 H H H H H H H H H H H H H H H H Secret key S 0 S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8 S 9 S 10 S 11 S 12 S 13 S 14 S 15 8
52 From HORS to PORS Sign a message M with HORS: Hash the message H(M) = 28c5c... Split the hash to obtain indices {2, 8, c, 5, c,...} and reveal values S 2, S 8,... i SPHINCS leaf M H 2 8 c 5 c Problems: Some indices may be the same fewer values revealed lower security... Attacker is free to choose the hyper-tree index i larger attack surface. 8
53 From HORS to PORS PORS = PRNG to obtain a random subset. Seed a PRNG from the message. Generate the hyper-tree index. Ignore duplicated indices. SPHINCS leaf M G i 2 8 c 5 c e Significant security improvement for the same parameters! 9
54 From HORS to PORS Advantages of PORS: Significant security improvement for the same parameters! Smaller hyper-tree than SPHINCS for same security level Signatures are 4616 bytes smaller. Performance impact of PRNG vs. hash function is negligible For SPHINCS, generate only 32 distinct values. 10
55 Octopus: multi-authentication in Merkle trees
56 Octopus Merkle tree of height h = compact way to authenticate any of 2 h values. Small public value = root Small proofs of membership = h authentication nodes 11
57 Octopus How to authenticate k values? Use k independent proofs = kh nodes. This is suboptimal! Many redundant values... 12
58 Octopus How to authenticate k values? Optimal solution: compute smallest set of authentication nodes. 13
59 Octopus How many bytes does it save? It depends on the shape of the octopus! Examples for h = 4 and k = 4: between 2 and 8 authentication nodes. 14
60 Octopus Theorem Given a Merkle tree of height h and k leaves to authenticate, the minimal number of authentication nodes n verifies: h log 2 k n k(h log 2 k ) For k > 1, this is always better than the kh nodes for k independent proofs! 15
61 Octopus In the case of SPHINCS, k = 32 uniformly distributed leaves, tree of height h = 16. In our paper, recurrence relation to compute average number of authentication nodes. Method Number of auth. nodes Independent proofs 512 SPHINCS Octopus (worst case) 352 Octopus (average) 324 Octopus authentication saves 1909 bytes for SPHINCS signatures on average. 2 SPHINCS has a basic optimization to avoid redundant nodes close to the root. 16
62 Octopus algorithm Bottom-up algorithm to compute the optimal authentication nodes. Formal specification in the paper, let s see an example. 17
63 Octopus algorithm Bottom-up algorithm to compute the optimal authentication nodes. Formal specification in the paper, let s see an example. 17
64 Octopus algorithm Bottom-up algorithm to compute the optimal authentication nodes. Formal specification in the paper, let s see an example. 17
65 Octopus algorithm Bottom-up algorithm to compute the optimal authentication nodes. Formal specification in the paper, let s see an example. 17
66 Octopus algorithm Bottom-up algorithm to compute the optimal authentication nodes. Formal specification in the paper, let s see an example. 17
67 Octopus algorithm Bottom-up algorithm to compute the optimal authentication nodes. Formal specification in the paper, let s see an example. 17
68 Octopus algorithm Bottom-up algorithm to compute the optimal authentication nodes. Formal specification in the paper, let s see an example. 17
69 Octopus algorithm Bottom-up algorithm to compute the optimal authentication nodes. Formal specification in the paper, let s see an example. 17
70 Conclusion
71 Take-aways Octopus + PORS = great improvement over HORST. These modifications are simple to understand low risk of implementation bugs. More improvements in the paper. 18
72 Implementation Two open-source implementations: Reference C implementation, proposed for NIST pqcrypto standardization Rust implementation with focus on clarity and testing 19
73 Conclusion Thank you for your attention! 20
74 Secret key caching WOTS signatures to connect Merkle trees are large ( 2144 bytes per WOTS). Figure 3: SPHINCS. 21
75 Secret key caching We use a larger root Merkle tree, and cache more values in private key. computed at key generation time cached key (re)computed at signing time Figure 4: Secret key caching. 22
76 Non-masked hashing In SPHINCS, Merkle trees have a XOR-and-hash construction, to use a 2nd-preimage-resistant hash function H. Various masks, depending on location in hyper-tree; all stored in the public key. Post-quantum preimage search is faster with Grover s algorithm We remove the masks and rely on collision-resistant H. m i H H (a) Masked hashing in SPHINCS. (b) Mask off. 23
Summer School on Post-Quantum Cryptography 2017, TU Eindhoven Exercises on Hash-based Signature Schemes
Summer School on Post-Quantum Cryptography 2017, TU Eindhoven Exercises on Hash-based Signature Schemes 1 Lamport Consider Lamport s one-time signature scheme. Let messages be of length n and assume that
More informationPOST-QUANTUM CRYPTOGRAPHY VIENNA CYBER SECURITY WEEK DR. DANIEL SLAMANIG
POST-QUANTUM CRYPTOGRAPHY VIENNA CYBER SECURITY WEEK 2018 02.02.2018 DR. DANIEL SLAMANIG WHAT IS POST-QUANTUM CRYPTOGRAPHY? Also called quantum safe/resistant cryptography NOT quantum cryptography (= quantum
More informationHash-based Signatures
Hash-based Signatures IETF/IRTF CFRG Draft on XMSS Fraunhofer Workshop Series 01 Post-Quantum Cryptography in Practice Speaker: Dr. Bernhard Jungk 1 extended Merkle Signature Scheme 2 extended Merkle Signature
More informationIntroduction to Cryptography. Lecture 6
Introduction to Cryptography Lecture 6 Benny Pinkas page 1 1 Data Integrity, Message Authentication Risk: an active adversary might change messages exchanged between Alice and Bob M Alice M M M Bob Eve
More informationPaper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage
1 Announcements Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage 2 Recap and Overview Previous lecture: Symmetric key
More informationCOMP4109 : Applied Cryptography
COMP4109 : Applied Cryptography Fall 2013 M. Jason Hinek Carleton University Applied Cryptography Day 2 information security cryptographic primitives unkeyed primitives NSA... one-way functions hash functions
More informationNarrow-Bicliques: Cryptanalysis of Full IDEA. Gaetan Leurent, University of Luxembourg Christian Rechberger, DTU MAT
Narrow-Bicliques: Cryptanalysis of Full IDEA Dmitry Khovratovich, h Microsoft Research Gaetan Leurent, University of Luxembourg Christian Rechberger, DTU MAT Cryptanalysis 101 Differential attacks Linear
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Symmetric Cryptography January 20, 2011 Practical Aspects of Modern Cryptography 2 Agenda Symmetric key ciphers Stream ciphers Block ciphers Cryptographic hash
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationCourse Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here
Course Business Midterm is on March 1 Allowed to bring one index card (double sided) Final Exam is Monday, May 1 (7 PM) Location: Right here 1 Cryptography CS 555 Topic 18: AES, Differential Cryptanalysis,
More informationComputer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 10r. Recitation assignment & concept review Paul Krzyzanowski Rutgers University Spring 2018 April 3, 2018 CS 419 2018 Paul Krzyzanowski 1 1. What is a necessary condition for perfect
More informationComputer Security CS 526
Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability
More informationCIS 4360 Secure Computer Systems Symmetric Cryptography
CIS 4360 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2017 Previous Class Classical Cryptography Frequency analysis Never use home-made cryptography Goals of Cryptography
More informationCryptanalysis of Haraka
Cryptanalysis of Haraka Jérémy Jean Agence Nationale de la Sécurité des Systèmes d Information Crypto Laboratory FSE 2017 @ Tokyo, Japan March 6, 2017 Jeremy.Jean@ssi.gouv.fr Introduction Let n be a positive
More informationMessage authentication codes
Message authentication codes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction security of MAC Constructions block cipher
More informationCryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44
Cryptography Today Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 About the Course Regular classes with worksheets so you can work with some concrete examples (every Friday at 1pm).
More informationIntroduction to Cryptography. Vasil Slavov William Jewell College
Introduction to Cryptography Vasil Slavov William Jewell College Crypto definitions Cryptography studies how to keep messages secure Cryptanalysis studies how to break ciphertext Cryptology branch of mathematics,
More informationCSC/ECE 774 Advanced Network Security
Computer Science CSC/ECE 774 Advanced Network Security Topic 2. Network Security Primitives CSC/ECE 774 Dr. Peng Ning 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange;
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 50 Outline 1 Block Ciphers 2 The Data Encryption Standard (DES) 3 The Advanced Encryption Standard (AES) 4 Attacks
More informationSolutions to exam in Cryptography December 17, 2013
CHALMERS TEKNISKA HÖGSKOLA Datavetenskap Daniel Hedin DIT250/TDA351 Solutions to exam in Cryptography December 17, 2013 Hash functions 1. A cryptographic hash function is a deterministic function that
More informationCryptographic Concepts
Outline Identify the different types of cryptography Learn about current cryptographic methods Chapter #23: Cryptography Understand how cryptography is applied for security Given a scenario, utilize general
More informationPublic-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7
Public-Key Cryptography Professor Yanmin Gong Week 3: Sep. 7 Outline Key exchange and Diffie-Hellman protocol Mathematical backgrounds for modular arithmetic RSA Digital Signatures Key management Problem:
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 8 2018 Review CPA-secure construction Security proof by reduction
More informationStream Ciphers and Block Ciphers
Stream Ciphers and Block Ciphers Ruben Niederhagen September 18th, 2013 Introduction 2/22 Recall from last lecture: Public-key crypto: Pair of keys: public key for encryption, private key for decryption.
More informationCryptography: More Primitives
Design and Analysis of Algorithms May 8, 2015 Massachusetts Institute of Technology 6.046J/18.410J Profs. Erik Demaine, Srini Devadas and Nancy Lynch Recitation 11 Cryptography: More Primitives 1 Digital
More informationCryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security
Cryptography CS 555 Topic 8: Modes of Encryption, The Penguin and CCA security 1 Reminder: Homework 1 Due on Friday at the beginning of class Please typeset your solutions 2 Recap Pseudorandom Functions
More informationMTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov October 31, 2005 Abstract Standard security assumptions (IND-CPA, IND- CCA) are explained. A number of cryptosystems
More informationPublic-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7
Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7 David Cash University of Chicago Plan 1. Security of RSA 2. Key Exchange, Diffie-Hellman 3. Begin digital
More informationThe transition to post-quantum cryptography. Peter Schwabe February 19, 2018
The transition to post-quantum cryptography Peter Schwabe peter@cryptojedi.org https://cryptojedi.org February 19, 2018 About me Assistant professor at Radboud University Working on high-speed high-security
More informationAppendix A: Introduction to cryptographic algorithms and protocols
Security and Cooperation in Wireless Networks http://secowinet.epfl.ch/ Appendix A: Introduction to cryptographic algorithms and protocols 2007 Levente Buttyán and Jean-Pierre Hubaux symmetric and asymmetric
More informationInformation Security CS526
Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for
More informationCOMS W4995 Introduction to Cryptography November 13, Lecture 21: Multiple Use Signature Schemes
COMS W4995 Introduction to Cryptography November 13, 2003 Lecture 21: Multiple Use Signature Schemes Lecturer: Tal Malkin Scribes: M. Niccolai, M. Raibert Summary In this lecture, we use the one time secure
More informationGreat Theoretical Ideas in Computer Science. Lecture 27: Cryptography
15-251 Great Theoretical Ideas in Computer Science Lecture 27: Cryptography What is cryptography about? Adversary Eavesdropper I will cut his throat I will cut his throat What is cryptography about? loru23n8uladjkfb!#@
More informationHash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18
Hash Function Guido Bertoni Luca Breveglieri Fundations of Cryptography - hash function pp. 1 / 18 Definition a hash function H is defined as follows: H : msg space digest space the msg space is the set
More informationIntroduction to Cryptology. Lecture 2
Introduction to Cryptology Lecture 2 Announcements Access to Canvas? 2 nd Edition vs. 1 st Edition HW1 due on Tuesday, 2/7 Discrete Math Readings/Quizzes on Canvas due on Tuesday, 2/14 Agenda Last time:
More informationLecture 18 - Chosen Ciphertext Security
Lecture 18 - Chosen Ciphertext Security Boaz Barak November 21, 2005 Public key encryption We now go back to public key encryption. As we saw in the case of private key encryption, CPA security is not
More informationIntroduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms
Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms Egemen K. Çetinkaya Egemen K. Çetinkaya Department of Electrical & Computer Engineering Missouri University of
More informationCryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1
Cryptography CS 555 Topic 11: Encryption Modes and CCA Security CS555 Spring 2012/Topic 11 1 Outline and Readings Outline Encryption modes CCA security Readings: Katz and Lindell: 3.6.4, 3.7 CS555 Spring
More informationCryptographic Hash Functions
ECE458 Winter 2013 Cryptographic Hash Functions Dan Boneh (Mods by Vijay Ganesh) Previous Lectures: What we have covered so far in cryptography! One-time Pad! Definition of perfect security! Block and
More informationFeedback Week 4 - Problem Set
4/26/13 Homework Feedback Introduction to Cryptography Feedback Week 4 - Problem Set You submitted this homework on Mon 17 Dec 2012 11:40 PM GMT +0000. You got a score of 10.00 out of 10.00. Question 1
More informationCSE 127: Computer Security Cryptography. Kirill Levchenko
CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified
More informationDistributed ID-based Signature Using Tamper-Resistant Module
, pp.13-18 http://dx.doi.org/10.14257/astl.2013.29.03 Distributed ID-based Signature Using Tamper-Resistant Module Shinsaku Kiyomoto, Tsukasa Ishiguro, and Yutaka Miyake KDDI R & D Laboratories Inc., 2-1-15,
More informationCryptology complementary. Symmetric modes of operation
Cryptology complementary Symmetric modes of operation Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 05 03 Symmetric modes 2018 05 03
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 2 Cryptographic Tools First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Cryptographic Tools cryptographic algorithms
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Message Authentication Codes Syntax: Key space K λ Message space M Tag space T λ MAC(k,m) à σ Ver(k,m,σ) à 0/1 Correctness: m,k,
More informationCSC 774 Network Security
CSC 774 Network Security Topic 2. Review of Cryptographic Techniques CSC 774 Dr. Peng Ning 1 Outline Encryption/Decryption Digital signatures Hash functions Pseudo random functions Key exchange/agreement/distribution
More informationCS61A Lecture #39: Cryptography
Announcements: CS61A Lecture #39: Cryptography Homework 13 is up: due Monday. Homework 14 will be judging the contest. HKN surveys on Friday: 7.5 bonus points for filling out their survey on Friday (yes,
More informationUnit 8 Review. Secure your network! CS144, Stanford University
Unit 8 Review Secure your network! 1 Basic Problem Internet To first approximation, attackers control the network Can snoop, replay, suppress, send How do we defend against this? Communicate securely despite
More informationTowards Post-Quantum Cryptography Standardization. Lily Chen and Dustin Moody National Institute of Standards and Technology USA
Towards Post-Quantum Cryptography Standardization Lily Chen and Dustin Moody National Institute of Standards and Technology USA First mile - Towards PQC standardization After about four years of preparation,
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary Introduction Stream & Block Ciphers Block Ciphers Modes (ECB,CBC,OFB) Advanced Encryption Standard (AES) Message Authentication
More informationKurose & Ross, Chapters (5 th ed.)
Kurose & Ross, Chapters 8.2-8.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) Addison-Wesley, April 2009. Copyright 1996-2010, J.F Kurose and
More informationIntroduction to Post-Quantum Cryptography
Introduction to Post-Quantum Cryptography CERG @ GMU http://cryptography.gmu.edu 10 PhD students 3 MS students Features Required from Today s Ciphers STRENGTH PERFORMANCE software hardware FUNCTIONALITY
More informationIntroduction to Post-Quantum Cryptography
Introduction to Post-Quantum Cryptography CERG @ GMU http://cryptography.gmu.edu 10 PhD students 3 MS students 1 Features Required from Today s Ciphers STRENGTH PERFORMANCE software hardware FUNCTIONALITY
More informationEfficient Quantum-Immune Keyless Signatures with Identity
Efficient Quantum-Immune Keyless Signatures with Identity Risto Laanoja Tallinn University of Technology / Guardtime AS May 17, 2014 Estonian CS Theory days at Narva-Jõesuu TL; DR Built a practical signature
More informationCS408 Cryptography & Internet Security
CS408 Cryptography & Internet Security Lectures 16, 17: Security of RSA El Gamal Cryptosystem Announcement Final exam will be on May 11, 2015 between 11:30am 2:00pm in FMH 319 http://www.njit.edu/registrar/exams/finalexams.php
More informationCryptography MIS
Cryptography MIS-5903 http://community.mis.temple.edu/mis5903sec011s17/ Cryptography History Substitution Monoalphabetic Polyalphabetic (uses multiple alphabets) uses Vigenere Table Scytale cipher (message
More informationAdvanced Security for Systems Engineering VO 09: Applied Cryptography
Advanced Security for Systems Engineering VO 09: Applied Cryptography Clemens Hlauschek Lukas Brandstetter Christian Schanes INSO Industrial Software Institute of Computer Aided Automation Faculty of Informatics
More informationENEE 459-C Computer Security. Message authentication
ENEE 459-C Computer Security Message authentication Data Integrity and Source Authentication Encryption does not protect data from modification by another party. Why? Need a way to ensure that data arrives
More informationL13. Reviews. Rocky K. C. Chang, April 10, 2015
L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing
More information8/30/17. Introduction to Post-Quantum Cryptography. Features Required from Today s Ciphers. Secret-key (Symmetric) Ciphers
CERG @ GMU http://cryptography.gmu.edu Introduction to Post-Quantum Cryptography 10 PhD students 3 MS students Features Required from Today s Ciphers Secret-key (Symmetric) Ciphers STRENGTH PERFORMANCE
More informationLecture 1 Applied Cryptography (Part 1)
Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication
More informationComputer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Cryptography Part II Paul Krzyzanowski Rutgers University Spring 2018 March 23, 2018 CS 419 2018 Paul Krzyzanowski 1 Block ciphers Block ciphers encrypt a block of plaintext at a
More informationCryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015
Cryptographic Hash Functions Rocky K. C. Chang, February 5, 2015 1 This set of slides addresses 2 Outline Cryptographic hash functions Unkeyed and keyed hash functions Security of cryptographic hash functions
More informationSymmetric Cryptography
CSE 484 (Winter 2010) Symmetric Cryptography Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...
More informationHomework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING
UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING ENEE 457 Computer Systems Security Instructor: Charalampos Papamanthou Homework 2 Out: 09/23/16 Due: 09/30/16 11:59pm Instructions
More informationSummary on Crypto Primitives and Protocols
Summary on Crypto Primitives and Protocols Levente Buttyán CrySyS Lab, BME www.crysys.hu 2015 Levente Buttyán Basic model of cryptography sender key data ENCODING attacker e.g.: message spatial distance
More informationDigital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2
Digital Signatures KG November 3, 2017 Contents 1 Introduction 1 2 Digital Signatures 2 3 Hash Functions 3 3.1 Attacks.................................... 4 3.2 Compression Functions............................
More informationCS155. Cryptography Overview
CS155 Cryptography Overview Cryptography! Is n A tremendous tool n The basis for many security mechanisms! Is not n The solution to all security problems n Reliable unless implemented properly n Reliable
More informationIntegrity of messages
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 106 Integrity of messages Goal: Ensure change of message by attacker can be detected Key tool: Cryptographic hash function Definition
More informationStream Ciphers and Block Ciphers
Stream Ciphers and Block Ciphers 2MMC10 Cryptology Fall 2015 Ruben Niederhagen October 6th, 2015 Introduction 2/32 Recall: Public-key crypto: Pair of keys: public key for encryption, private key for decryption.
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Previously on COS 433 Confusion/Diffusion Paradigm f 1 f 2 f 3 f 4 f 5 f 6 Round π 1 f 7 f 8 f 9 f 10 f 11 f 12 π 2 Substitution
More informationRelated-key Attacks on Triple-DES and DESX Variants
Related-key Attacks on Triple-DES and DESX Variants Raphael C.-W. han Department of Engineering, Swinburne Sarawak Institute of Technology, 1st Floor, State Complex, 93576 Kuching, Malaysia rphan@swinburne.edu.my
More informationHash Functions, Public-Key Encryption CMSC 23200/33250, Autumn 2018, Lecture 6
Hash Functions, Public-Key Encryption CMSC 23200/33250, Autumn 2018, Lecture 6 David Cash University of Chicago Plan 1. A few points about hash functions 2. Introducing Public-Key Encryption 3. Math for
More informationPQ-Crypto Standardization Preparing today for the future of cryptography
PQ-Crypto Standardization Preparing today for the future of cryptography Workshop Quantum-Safe Cryptography for Industry (QsCI) Aline Gouget Principal researcher, Advanced Cryptography team Manager Embedded
More informationTechnological foundation
Technological foundation Carte à puce et Java Card 2010-2011 Jean-Louis Lanet Jean-louis.lanet@unilim.fr Cryptology Authentication Secure upload Agenda Cryptology Cryptography / Cryptanalysis, Smart Cards
More informationMerkle Signatures for Real-World Use
Merkle Signatures for Real-World Use ABSTRACT Hash-based signatures have seen little use in practice. We explore the possibility of using hash-based signatures as the signature mechanism used in certificates
More informationComputer Security 3/23/18
s s encrypt a block of plaintext at a time and produce ciphertext Computer Security 08. Cryptography Part II Paul Krzyzanowski DES & AES are two popular block ciphers DES: 64 bit blocks AES: 128 bit blocks
More informationNotes for Lecture 21. From One-Time Signatures to Fully Secure Signatures
U.C. Berkeley CS276: Cryptography Handout N21 Luca Trevisan April 7, 2009 Notes for Lecture 21 Scribed by Anand Bhaskar, posted May 1, 2009 Summary Today we show how to construct an inefficient (but efficiently
More informationCS155. Cryptography Overview
CS155 Cryptography Overview Cryptography Is n n A tremendous tool The basis for many security mechanisms Is not n n n n The solution to all security problems Reliable unless implemented properly Reliable
More informationPower Analysis Attacks
Power Analysis Attacks Elisabeth Oswald Computer Science Department Crypto Group eoswald@cs.bris.ac.uk Elisabeth.Oswald@iaik.tugraz.at Outline Working principle of power analysis attacks DPA Attacks on
More informationReminder: Homework 4. Due: Friday at the beginning of class
Reminder: Homework 4 Due: Friday at the beginning of class 1 Cryptography CS 555 Topic 33: Digital Signatures Part 2 2 Recap El-Gamal/RSA-OAEP Digital Signatures Similarities and differences with MACs
More informationח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms
Public Key Cryptography Kurose & Ross, Chapters 8.28.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) AddisonWesley, April 2009. Copyright 19962010,
More informationCSC 5930/9010 Modern Cryptography: Public-Key Infrastructure
CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure Professor Henry Carter Fall 2018 Recap Digital signatures provide message authenticity and integrity in the public-key setting As well as public
More informationPublic-Key Cryptography
Computer Security Spring 2008 Public-Key Cryptography Aggelos Kiayias University of Connecticut A paradox Classic cryptography (ciphers etc.) Alice and Bob share a short private key using a secure channel.
More informationNIST Post- Quantum Cryptography Standardiza9on
NIST Post- Quantum Cryptography Standardiza9on Lily Chen Cryptographic Technology Group Computer Security Division, Informa9on Technology Lab Na9onal Ins9tute of Standards and Technology (NIST) NIST Crypto
More informationCryptography (cont.)
CSE 484 / CSE M 584 (Autumn 2011) Cryptography (cont.) Daniel Halperin Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others
More informationLecture 4: Authentication and Hashing
Lecture 4: Authentication and Hashing Introduction to Modern Cryptography 1 Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 1 These slides are based on Benny Chor s slides. Some Changes in Grading
More informationAPNIC elearning: Cryptography Basics
APNIC elearning: Cryptography Basics 27 MAY 2015 03:00 PM AEST Brisbane (UTC+10) Issue Date: Revision: Introduction Presenter Sheryl Hermoso Training Officer sheryl@apnic.net Specialties: Network Security
More informationCryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu
More informationSymmetric Encryption 2: Integrity
http://wwmsite.wpengine.com/wp-content/uploads/2011/12/integrity-lion-300x222.jpg Symmetric Encryption 2: Integrity With material from Dave Levin, Jon Katz, David Brumley 1 Summing up (so far) Computational
More informationCryptography and Network Security. Sixth Edition by William Stallings
Cryptography and Network Security Sixth Edition by William Stallings Chapter 9 Public Key Cryptography and RSA Misconceptions Concerning Public-Key Encryption Public-key encryption is more secure from
More informationIntroduction to Symmetric Cryptography
Introduction to Symmetric Cryptography Tingting Chen Cal Poly Pomona 1 Some slides are from Dr. Cliff Zou. www.cs.ucf.edu/~czou/cis3360-12/ch08-cryptoconcepts.ppt Basic Cryptography Private Key Cryptography
More informationGoals of Modern Cryptography
Goals of Modern Cryptography Providing information security: Data Privacy Data Integrity and Authenticity in various computational settings. Data Privacy M Alice Bob The goal is to ensure that the adversary
More informationCryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Outline Basic concepts in cryptography systems Secret key cryptography Public key cryptography Hash functions 2 Encryption/Decryption
More informationEncryption. INST 346, Section 0201 April 3, 2018
Encryption INST 346, Section 0201 April 3, 2018 Goals for Today Symmetric Key Encryption Public Key Encryption Certificate Authorities Secure Sockets Layer Simple encryption scheme substitution cipher:
More informationH must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)
What is a hash function? mapping of: {0, 1} {0, 1} n H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls) The Merkle-Damgård algorithm
More informationISA 662 Internet Security Protocols. Outline. Prime Numbers (I) Beauty of Mathematics. Division (II) Division (I)
Outline ISA 662 Internet Security Protocols Some Math Essentials & History Asymmetric signatures and key exchange Asymmetric encryption Symmetric MACs Lecture 2 ISA 662 1 2 Beauty of Mathematics Demonstration
More informationCSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography
CSCI 454/554 Computer and Network Security Topic 2. Introduction to Cryptography Outline Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues 2 Basic Concepts and Definitions
More informationLecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422
Lecture 18 Message Integrity Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422 Cryptography is the study/practice of techniques for secure communication,
More informationSome Stuff About Crypto
Some Stuff About Crypto Adrian Frith Laboratory of Foundational Aspects of Computer Science Department of Mathematics and Applied Mathematics University of Cape Town This work is licensed under a Creative
More information