Cryptography 2017 Lecture 3


Cryptography 2017, Lecture 3
Block Ciphers: AES, DES
Modes of Operation: ECB, CBC, CTR
November 7, 2017

What have we seen? What are we discussing today? What is coming later?

Lecture 2
- One Time Pad (OTP)
- Perfect Secrecy
- Stream Ciphers
- Pseudo Random Generators (PRG) (unpredictable)
- Attacks!!

Lecture 3
- PRGs, PRFs and PRPs
- Block Ciphers (definition)
- Block Ciphers (examples: DES, AES)
- Block Ciphers (modes of operation: ECB, CBC, CTR)

Lecture 4
- Attacks against Block Cipher Modes
- Intro to Public Key Cryptography

Block ciphers: motivation

OTP has perfect secrecy... But...
- the secret key is as long as the message: instead of exchanging the secret key, we could directly exchange the message!
- we should never re-use a key (e.g., to avoid attacks like the one against the Venona project)

What if...
- we expand the short secret key to obtain several new keys,
- split a long message into small blocks,
- and use the new keys to encrypt each block of the message?

[Figure: a long message (bit 0, bit 1, ..., bit N) is split into blocks M0, ..., M4; the block cipher E with key K maps them to ciphertext blocks C0, ..., C4. The ciphertext is as long as the message.]

Block ciphers

Definition: A block cipher is a cipher (E, D) where $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ and, for each $K \in \mathcal{K} = \{0,1\}^k$ and $m \in \mathcal{M} = \{0,1\}^n$, $E(K, m)$ is invertible and it holds that $D(K, c) = E^{-1}(K, c)$.

Invertible: given one output there is only one input that maps to that output.

[Figure: the k-bit key K goes through key expansion to give the round keys K1, K2, ..., Kn; the n-bit plaintext block goes through pre-computation, l rounds and post-computation to give the n-bit ciphertext block.]

Maps n bits of input to n bits of output.

Examples
- 3DES: n = 64 bits, k = 168 bits
- AES: n = 128 bits, k = 128, 192, 256 bits

What determines a block cipher?

A block cipher is determined by...
1. the key and block length (the length of the key is connected to the security of the cipher)
2. the key expansion function (must be a secure PRG)
3. the round function (encrypts the message iteratively for n rounds using the round keys, e.g., for DES n = 16 and for AES n = 10)

Reminder: What is a secure PRG?

Definition: A function $G : \{0,1\}^l \to \{0,1\}^n$ with $l \ll n$ (i.e., l much smaller than n) is a secure Pseudo Random Generator (PRG) if, for any efficient statistical test D (Distinguisher), it holds that

$|\Pr[D(G(s)) = 1] - \Pr[D(r) = 1]|$ is negligible (i.e., too small)

for every $s \leftarrow_R \{0,1\}^l$, $r \leftarrow_R \{0,1\}^n$ selected uniformly at random.

Intuition

[Figure: G maps the space of keys $\{0,1\}^l$ (seeds s, s1, s2, ...) into its image (k, k1, k2, ...) inside the larger space of outputs $\{0,1\}^n$; for a point x in the output space, does x belong in the image or not?]

An adversary that sees the output of G cannot distinguish it from something completely random (i.e., coming from the uniform distribution).

Pseudorandom function

Pseudorandom function (Intuition): A pseudorandom function (PRF) is defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$, i.e., $F : \mathcal{K} \times \mathcal{M} \to \mathcal{C}$, such that there exists an efficient algorithm to compute $F(k, m) = F_k(m)$ for all $k \in \mathcal{K}$ and $m \in \mathcal{M}$, and $F_k$ (for a uniform key k) is indistinguishable from a function chosen uniformly at random from the set of all possible functions $S_F$.

Secure PRF - Intuition

[Figure: an input $m \in \mathcal{M}$ is answered with either $f(m)$ or $F_k(m)$.]

- $S_F$: set of all possible functions from $\mathcal{M}$ to $\mathcal{C}$
- $\mathcal{F}$: set of all possible PRF functions from $\mathcal{M}$ to $\mathcal{C}$
- $f \in S_F$ and $F_k \in \mathcal{F}$

A PRF is secure if a random function $f \in S_F$ is indistinguishable from a random function $F_k \in \mathcal{F}$.

Pseudorandom Permutation (block cipher)

Definition: A PRF F is called a Pseudo Random Permutation (PRP) if it holds:
1. $\mathcal{M} = \mathcal{C}$ (i.e., the sets of the plaintext and the ciphertext are the same)
2. the function $F(k, m)$ is one-to-one
3. there exists an efficient, deterministic algorithm to compute $F(k, m) = E(k, m)$ for any message $m \in \mathcal{M}$
4. there exists an efficient, deterministic algorithm (the inverse of F) to compute $F^{-1}(k, c) = D(k, c)$ for any ciphertext $c \in \mathcal{C}$

Deterministic function: for the same input it will always give the same output.

A one-to-one function is also invertible: given one output there is always one input that maps to that output.

[Figure: two mappings from set X = {x1, ..., x5} to set Y. The first, showing f(x1) and f(x2), is labelled "This is not a one-to-one function". The second, showing g(x1), ..., g(x5), is labelled "One-to-one function: for each $x \in X$ there is a single $y \in Y$".]

Pseudorandom Permutation (block cipher)

Examples of block ciphers (PRPs):
- AES: $\mathcal{K} \times \mathcal{M} \to \mathcal{C}$ where $\mathcal{K} = \mathcal{M} = \mathcal{C} = \{0,1\}^{128}$.
- 3DES: $\mathcal{K} \times \mathcal{M} \to \mathcal{C}$ where $\mathcal{M} = \mathcal{C} = \{0,1\}^{64}$, $\mathcal{K} = \{0,1\}^{168}$.

The Feistel Network

The core of the DES block cipher!

Given d functions $f_1, \dots, f_d : \{0,1\}^n \to \{0,1\}^n$, build an invertible function $F : \{0,1\}^{2n} \to \{0,1\}^{2n}$:

$F(L_i, R_i) = (R_i, f_{i+1}(R_i) \oplus L_i) = (L_{i+1}, R_{i+1})$

[Figure: the Feistel network from input to output. Picture from Dan Boneh's online course.]

The Feistel Network

Given d functions $f_1, \dots, f_d : \{0,1\}^n \to \{0,1\}^n$, build an invertible function $F : \{0,1\}^{2n} \to \{0,1\}^{2n}$:

$F(L_i, R_i) = (R_i, f_{i+1}(R_i) \oplus L_i) = (L_{i+1}, R_{i+1})$, for $i = 1, \dots, d$

What is the inverse? Let's write it:

$R_i = L_{i+1}$ and $L_i = R_{i+1} \oplus f_{i+1}(R_i) = R_{i+1} \oplus f_{i+1}(L_{i+1})$

$(L_i, R_i) = (f_{i+1}(L_{i+1}) \oplus R_{i+1}, L_{i+1}) = F^{-1}(L_{i+1}, R_{i+1})$

[Figure: one Feistel round and its inverse. Picture from Dan Boneh's online course.]

A Feistel Network with Keys

A Feistel network is a general method for building invertible functions from arbitrary functions. It is used in many block ciphers (including DES).

Theorem (Luby-Rackoff 85): If $f : \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ is a secure PRF then a 3-round Feistel Network is a secure PRP (block cipher).

DES: 16 rounds of Feistel Network. However, it has been badly broken! (not due to the Feistel network)

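DES: the Data Encryption Standard

$\mathcal{K} \times \mathcal{M} \to \mathcal{C}$ with 56-bit keys, 64-bit plaintext blocks and 64-bit ciphertext blocks.

[Figure: the key K goes through key expansion to give the round keys K1, K2, ..., K16; the 64-bit plaintext block goes through the initial permutation, 16 rounds of Feistel network and the inverse permutation to give the 64-bit ciphertext block.]

In order to invert, use the round keys in reverse order.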

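DES: the Data Encryption Standard

[Figure: the round function $f(k_i, x)$. The 32-bit input x goes through the expansion box (replicates and moves bits around) to give 48 bits, which are combined with the 48-bit round key $k_i$. The 48 bits are split into eight 6-bit groups for the S-boxes (substitution boxes) S1, ..., S8, with $S_i : \{0,1\}^6 \to \{0,1\}^4$. The eight 4-bit outputs (32 bits) go through the permutation box P to give the 32-bit output.]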

DES: the Data Encryption Standard - S-boxes

$S_i : \{0,1\}^6 \to \{0,1\}^4$

What is the output of 011011 in $S_5$?

To guarantee security, the S-boxes should be chosen carefully. The output bits should be as far as possible from linear functions of the input bits.

Choosing the S-boxes & the P-box at random would result in an insecure block cipher (key recovery after $2^{24}$ outputs).

Info from Dan Boneh's online course.

DES challenge - Exhaustive search attacks!

msg = "The unkn" | "own mess" | "age is: " | "XXXX..." (64-bit blocks)
CT = c1 | c2 | c3 | c4 | c5 | c6

Goal: Find $k \in \{0,1\}^{56}$ such that $DES(k, m_i) = c_i$ for $i = 1, 2, 3$.

History of the DES challenge
- 1997: Internet search, 3 months
- 1998: EFF machine (deep crack), 3 days (250K$)
- 1999: combined search, 22 hours
- 2006: COPACOBANA (120 FPGAs), 7 days (10K$)

Conclusion: 56-bit ciphers should not be used! Badly broken!

Info from Dan Boneh's online course.

Strengthening DES: Triple DES

Triple-DES (3DES): Let (E, D) be the DES cipher. We define 3DES: $\mathcal{K}^3 \times \{0,1\}^{64} \to \{0,1\}^{64}$ as:

$3E((k_1, k_2, k_3), \text{block}) = E(k_1, D(k_2, E(k_3, \text{block})))$

Main advantage
- Backwards compatibility: 3DES = DES when $k_1 = k_2 = k_3$ (e.g., for hardware implementations).

Disadvantages
- 3DES is 3 times slower than DES.
- A successful attack can be performed against 3DES that runs in time $2^{118}$ $2^{90}$.

Despite the attack it is considered safe enough but not efficient!

Quiz Question!

Go to: http://socrative.com/ and use the code below or scan the QR code. Student Login, Classroom: CRYPTOCHALMERS

3DES - Decryption: How is the decryption algorithm of 3DES defined?

A. $D(k_3, E(k_2, D(k_1, c)))$
B. $D(k_1, E(k_2, D(k_3, c)))$
C. $D(k_1, D(k_2, D(k_3, c)))$
D. $E(k_1, D(k_2, D(k_3, c)))$

Reminder: $3E((k_1, k_2, k_3), \text{block}) = E(k_1, D(k_2, E(k_3, \text{block})))$

Answer: $3D((k_1, k_2, k_3), \text{block}) = D(k_3, E(k_2, D(k_1, \text{block})))$

Why not double DES?

Double-DES is defined as follows:

$2E((k_1, k_2), \text{block}) = E(k_1, E(k_2, \text{block}))$

The key length for double-DES is $(56 \cdot 2) = 112$. Thus $2^{112}$ possible keys! (big enough to avoid standard exhaustive search)

But... Double-DES is vulnerable to Meet-in-the-Middle Attacks. Badly broken!

Intuition: Rewrite $E(k_1, E(k_2, m)) = c$ as $E(k_2, m) = D(k_1, c)$. Build two lookup tables and check for the terms that match!

Remember: This attack works for all double-encryption ciphers!

The meet in the middle attack

[Figure: Alice sends $c = E(k_1, E(k_2, m))$ for a message m to Bob; Eve sits between them.]

Alice and Bob share two secret keys $k_1$ and $k_2$.

Step 1: Eve gets access to a pair of plaintext, ciphertext (m, c).
Remember: 2DES can be re-written as $E(k_2, m) = D(k_1, c)$.
Step 2: Eve builds a table with all possible encryptions of m (using all possible values of $k_2$), and
Step 3: Eve computes all possible decryptions of c (using all possible values of $k_1$).
Question: What is Eve looking for in the table?
Step 4: Eve looks for a match of the decryption to be equal to the encryption, i.e., $E(k_2, m) = D(k_1, c)$.

Required time:

$\underbrace{2^{56} \log(2^{56})}_{\text{build \& sort a table}} + \underbrace{2^{56} \log(2^{56})}_{\text{search in a sorted table}} < 2^{63} \ll 2^{112}$

This attack is feasible!!

[Figure: two tables. One lists $E(k^i, m)$ for every candidate $k_2 = k^0, k^1, \dots, k^i, \dots, k^{2^{56}}$; the other lists $D(k^i, c)$ for every candidate $k_1 = k^0, k^1, \dots, k^i, \dots, k^{2^{56}}$.]
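The Feistel slides (round formula, inverse round, round keys in reverse order) and the meet-in-the-middle steps above, combined in one added example that is not part of the original lecture: a toy Feistel cipher is applied twice, and the table lookup recovers $(k_1, k_2)$ with about $2 \cdot 2^{16}$ cipher calls instead of $2^{32}$. The 16-bit key size, the BLAKE2s round function, the key expansion and the sample keys are constructed for illustration, and a Python dict replaces the sorted table.

```python
import hashlib

ROUNDS = 4                      # DES uses 16 rounds; a few are enough for the demo
HALF_BITS = 16                  # n: each half is 16 bits, so a block is 2n = 32 bits
KEY_BITS = 16                   # deliberately tiny key space so the search finishes quickly
HALF_MASK = (1 << HALF_BITS) - 1


def round_keys(key):
    """Constructed key expansion: round key i is the 16-bit key plus the round index."""
    return [key.to_bytes(2, "big") + bytes([i]) for i in range(ROUNDS)]


def f(round_key, half):
    """Round function: keyed BLAKE2s truncated to n bits. It is not invertible."""
    mac = hashlib.blake2s(half.to_bytes(2, "big"), key=round_key, digest_size=2)
    return int.from_bytes(mac.digest(), "big")


def E(key, block):
    """Feistel encryption: (L, R) -> (R, f(R) xor L), once per round key."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for rk in round_keys(key):
        left, right = right, f(rk, right) ^ left
    return (left << HALF_BITS) | right


def D(key, block):
    """Inverse network: (L', R') -> (f(L') xor R', L'), round keys in reverse order."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for rk in reversed(round_keys(key)):
        left, right = f(rk, left) ^ right, left
    return (left << HALF_BITS) | right


def double_encrypt(k1, k2, m):
    """2E((k1, k2), m) = E(k1, E(k2, m)), as on the double-DES slide."""
    return E(k1, E(k2, m))


def known_pairs(k1, k2, plaintexts):
    """The (plaintext, ciphertext) pairs Eve is assumed to have seen (Step 1)."""
    return [(m, double_encrypt(k1, k2, m)) for m in plaintexts]


def meet_in_the_middle(pairs):
    """Return every (k1, k2) consistent with all known (plaintext, ciphertext) pairs."""
    (m, c), *rest = pairs
    forward = {}                                  # Step 2: E(k2, m) -> every k2 giving it
    for k2 in range(1 << KEY_BITS):
        forward.setdefault(E(k2, m), []).append(k2)
    found = []
    for k1 in range(1 << KEY_BITS):               # Steps 3-4: look up D(k1, c) in the table
        for k2 in forward.get(D(k1, c), []):
            # A 32-bit match on one pair can be a coincidence: confirm on the other pairs.
            if all(double_encrypt(k1, k2, mi) == ci for mi, ci in rest):
                found.append((k1, k2))
    return found


if __name__ == "__main__":
    pairs = known_pairs(0xBEEF, 0x1234, [0x00000000, 0x41424344, 0xDEADBEEF])
    print("recovered:", [(hex(a), hex(b)) for a, b in meet_in_the_middle(pairs)])
```

Doubling the key length only doubled the work here, which is why the slides move to 3DES rather than 2DES.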

Evolution of block ciphers

- Early 1970s: Horst Feistel designs Lucifer at IBM (key-length = 128 bits, block-length = 128 bits)
- 1973: NBS (National Bureau of Standards) asks for block cipher proposals. (IBM submits a variant of Lucifer)
- 1976: NBS adopts DES as a federal standard (key-length = 56 bits, block-length = 64 bits)
- 1997: DES broken by exhaustive search
- 1997: NIST (National Institute for Standards & Technology) publishes a request for new proposals (15 submissions and 5 finalists).
- 2000: NIST adopts Rijndael as AES (Advanced Encryption Standard) to replace DES

Info from Dan Boneh's online course.

AES: the Advanced Encryption Standard

$\mathcal{K} \times \mathcal{M} \to \mathcal{C}$ with keys of 128, 192 or 256 bits, 128-bit plaintext blocks and 128-bit ciphertext blocks.

- 10 rounds for 128-bit key
- 12 rounds for 192-bit key
- 14 rounds for 256-bit key

[Figure: the key goes through key expansion to give the round keys K0, K1, K2, ..., K10, K11. The 128-bit plaintext block (4x4 bytes) goes through 10 rounds, each made of ByteSub, Subrow and MixColumns, followed by a final ByteSub and Subrow, to give the 128-bit ciphertext block.]

AES and its subroutines

AES vs. DES

AES
- Based on a substitution-permutation network.
- Due to the substitution network all bits are changed at every round!
- The substitution tables are invertible.
- The decryption is simply the inverse order of all operations performed during encryption.
- The known key recovery attack against AES-128 takes $2^{126}$ time (infeasible).
- Related-key attacks on AES-256: $2^{99}$ (still infeasible)

DES
- Based on Feistel networks.
- Due to the Feistel Network half of the bits are not changed from round to round.
- The S-boxes are not invertible.
- The decryption is based on the invertibility of the Feistel network.
- Efficient but broken! (the 56-bit key is too short)
- 3DES secure but 3 times slower!

Modes of Operation

How do basic block ciphers work?

So now we know how to encrypt a block of a message with a block cipher.

[Figure: a long message (bit 0, bit 1, ..., bit N) is split into blocks M0, ..., M4; the block cipher E with key K maps them to ciphertext blocks C0, ..., C4. The ciphertext is as long as the message.]

But wait! How do we move from one block to the other?

Modes of operation: ECB (Electronic Code Book)

ECB is the simplest mode of encryption for a block cipher. Each block of the plaintext is encrypted separately and with the same key!

Quiz Question!

Go to: http://socrative.com/ and use the code below or scan the QR code. Student Login, Classroom: CRYPTOCHALMERS

ECB (Electronic Code Book): Suppose that in a plaintext we are encrypting, two blocks are equal, e.g., $m_1 = m_2$. What would the corresponding ciphertext blocks $c_1$ and $c_2$ look like?

A. $c_2 = c_1 \oplus m_1$
B. $c_2 = m_1 \oplus m_2$
C. $c_1 = c_2$
D. $c_1 = m_2$

Problem: Since the encryption is deterministic (not randomised), equal plaintext blocks will have equal ciphertext blocks.

How to solve this and get different ciphertexts when using the same plaintext and the same key?

Modes of operation: ECB example

[Figure: three images. "Original Image (Plaintext)", "Encryption with ECB mode", "Encryption with other mode of operation".]

Modes of operation: Cipher Block Chaining (CBC)

Let (E, D) be a block cipher. The CBC block cipher is defined as follows.

$E_{CBC}(k, m)$: choose a random IV $\in \{0,1\}^n$ and do:

[Figure: CBC encryption. The random Initialisation Vector IV and the plaintext blocks m[0], ..., m[3] are chained through XOR and E(k, ·) to give the ciphertext IV, c[0], ..., c[3]. Picture from Dan Boneh's online course.]

Each ciphertext block is chained and XOR-ed to the next plaintext block. The ciphertext is longer than the plaintext due to the IV.

Modes of operation: CBC - Decryption Circuit

Let (E, D) be a block cipher. For the CBC block cipher the decryption is defined as follows:

[Figure: CBC decryption. The random Initialisation Vector IV and the ciphertext blocks c[0], ..., c[3] go through D(k, ·) and XOR to give the plaintext blocks m[0], ..., m[3]. Picture from Dan Boneh's online course.]

Attention: In the next lecture we will show that CBC with random IV is not secure!

Modes of operation: Nonce-based CBC

Useful for the first home assignment!

key = $(k, k_1)$

Unique nonce means: the (key, n) pair is used for only one message.

[Figure: nonce-based CBC. The nonce goes through $E(k_1, \cdot)$ to give the IV; the plaintext blocks m[0], ..., m[3] are chained through $E(k, \cdot)$ to give the ciphertext nonce, c[0], ..., c[3]. Picture from Dan Boneh's online course.]

The nonce is included in the ciphertext only if it is unknown to the recipient.

Modes of operation: Nonce-based CBC (Useful for 1st Home Assignment)

What should we do when the last block of the message is shorter than the cipher's block size? Padding!

[Figure: CBC encryption of m[0], m[1], m[2] and m[3] || pad under $E(k_1, \cdot)$ and $E(k, \cdot)$, giving IV, c[0], ..., c[3]. Picture from Dan Boneh's online course.]

In TLS we pad with n repetitions of the number n, where n = block size - length of m[3]. If n = 0, add a dummy block with all zeros.

Modes of operation: CTR (deterministic counter mode)

Let (E, D) be a block cipher. The CTR block cipher is defined as follows:

$E(k, m)$: pick a random IV $\in \{0,1\}^n$ and do:

[Figure: CTR mode encryption, from the random Initialisation Vector IV and the message blocks to the ciphertext. Picture from Dan Boneh's online course.]

Remember: The IV is chosen at random for every message!

Note: parallelizable (unlike CBC)

To guarantee F(k, x) is never used more than once, choose the IV as:

[Figure: the IV built from a nonce and a counter.]
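The ECB, CBC and CTR slides above, side by side in an added example that is not part of the original lecture: a message with three equal blocks is encrypted in each mode and the repeated ciphertext blocks are counted. The 128-bit function E/D is a constructed toy permutation standing in for AES (it is not secure), padding is left out, and the sample key and message are constructed.

```python
import secrets

BLOCK = 16                                   # bytes per block (128 bits, as for AES)
MOD = 1 << 128
MUL = 0x9E3779B97F4A7C15F39CC0605CEDC835     # odd, so x -> x*MUL mod 2^128 is invertible
MUL_INV = pow(MUL, -1, MOD)

def E(k, block):
    """Toy invertible block function standing in for AES. NOT secure."""
    x = int.from_bytes(block, "big")
    for _ in range(4):
        x = ((x ^ k) * MUL) % MOD
        x = ((x << 41) | (x >> 87)) % MOD    # rotate left by 41 bits
    return x.to_bytes(BLOCK, "big")

def D(k, block):
    """Inverse of E: undo the rotation, the multiplication and the key XOR."""
    x = int.from_bytes(block, "big")
    for _ in range(4):
        x = ((x >> 41) | (x << 87)) % MOD    # rotate right by 41 bits
        x = ((x * MUL_INV) % MOD) ^ k
    return x.to_bytes(BLOCK, "big")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def repeated_blocks(ct):
    """How many ciphertext blocks duplicate an earlier one (what ECB leaks)."""
    parts = blocks(ct)
    return len(parts) - len(set(parts))

def ecb_encrypt(k, m):
    """ECB: every block encrypted separately with the same key (len(m) % 16 == 0)."""
    return b"".join(E(k, b) for b in blocks(m))

def cbc_encrypt(k, m, iv=None):
    """CBC: c[i] = E(k, m[i] xor c[i-1]) with c[-1] = IV; the IV is sent first."""
    out = [iv or secrets.token_bytes(BLOCK)]
    for b in blocks(m):
        out.append(E(k, xor(b, out[-1])))
    return b"".join(out)

def cbc_decrypt(k, c):
    parts = blocks(c)
    return b"".join(xor(D(k, cur), prev) for prev, cur in zip(parts, parts[1:]))

def ctr_encrypt(k, m, iv=None):
    """CTR: c[i] = m[i] xor E(k, IV + i); only the forward direction E is needed."""
    iv = iv or secrets.token_bytes(BLOCK)
    start = int.from_bytes(iv, "big")
    pads = (E(k, ((start + i) % MOD).to_bytes(BLOCK, "big")) for i in range(len(m)))
    return iv + b"".join(xor(b, p) for b, p in zip(blocks(m), pads))

def ctr_decrypt(k, c):
    return ctr_encrypt(k, c[BLOCK:], c[:BLOCK])[BLOCK:]

if __name__ == "__main__":
    key = 0x000102030405060708090A0B0C0D0E0F   # constructed sample key
    msg = b"SIXTEEN BYTE BLK" * 3              # three equal plaintext blocks
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, msg)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(key, msg)))
    print("CTR repeated blocks:", repeated_blocks(ctr_encrypt(key, msg)))
    print("CBC round trip ok:", cbc_decrypt(key, cbc_encrypt(key, msg)) == msg)
```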

Things to remember

- What is a block cipher?
- How do DES and AES work?
- How does the meet-in-the-middle attack work in double DES?
- How do the different modes of operation in block ciphers work?

Announcement - Home Assignment 1

Home assignment 1, Cryptography course: The assignment consists of two largely independent parts. In the first (and main) part you will study a well-known attack on an SSL channel and answer some questions. In the second part, you will encrypt your solution using gpg before submitting it.

Home assignment 1 is on the web, ready to be attacked!
- Discusses side-channel attack on CBC mode.
- Shows vulnerability in widely used software (OpenSSL).
- Password to IMAP mail accounts discovered in less than one hour.

Deadline: next Tuesday (November 14)!

Remember: You must upload at least one solution to Home Assignment 1 before next Tuesday (14/11/2017) at midnight!

Preview of MAC mentioned in Assignment 1

In the 1st Assignment we talk about MACs (Message Authentication Codes). Although you will not work with MACs directly, let's see what a MAC is!

[Figure: Alice, holding key k, generates the tag $S(k, m) = \text{tag}$ and sends the message and the tag to Bob; Bob, holding key k, verifies the tag: $V(k, m, \text{tag}) \stackrel{?}{=} \text{yes}$.]

A MAC can be used in secret key cryptography to guarantee integrity of a message. Even if a message is long, the MAC (tag) of a message is very short (e.g., 90 or 100 bits).

Definition: A Message Authentication Code MAC = (S, V) is a pair of algorithms defined over $(\mathcal{K}, \mathcal{M}, \mathcal{T})$ with the following properties:
- $S : \mathcal{K} \times \mathcal{M} \to \mathcal{T}$ is a signing algorithm that takes as input a key k and a message m and outputs a tag $t = S(k, m)$.
- $V : \mathcal{K} \times \mathcal{M} \times \mathcal{T} \to \{\text{yes}, \text{no}\}$ is a verification algorithm that checks if t is a valid tag for m under the key k. If so, the verification outputs yes, otherwise it outputs no.

Consistency requirement: $\forall k \in \mathcal{K}, \forall m \in \mathcal{M} : V(k, m, S(k, m)) = \text{yes}$

Conditional Probability used in Assignment 1

Let us consider two events:
- Event A: The forecast predicts rain for today.
- Event B: It rains today.

Conditional Probability: The conditional probability $P(A \mid B)$ is the probability of observing event A given that event B is true. To calculate it we use the following rule:

$P(B \mid A) = \dfrac{P(B \cap A)}{P(A)}$

References:
- Cryptography and Network Security: Principles and Practice (Chapters 3.1-3.5, 5.2-5.6, 7.1, 6.2, and 6.3)
- Introduction to Modern Cryptography, Lindell and Katz (Chapters 6.2, 3.5.1, and 3.6.2)

Thank you for your attention!