On Re-keying Mechanisms for Extending The Lifetime of Symmetric Keys draft-smyshlyaev-re-keying

Similar documents
On cryptographic properties of the CVV and PVV parameters generation procedures in payment systems

Re-keying Mechanisms for Symmetric Keys

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

symmetric cryptography s642 computer security adam everspaugh

The Extended Codebook (XCB) Mode of Operation

AWS Key Management Service (KMS) Handling cryptographic bounds for use of AES-GCM

The OCB Authenticated-Encryption Algorithm

On Symmetric Encryption with Distinguishable Decryption Failures

Multiple forgery attacks against Message Authentication Codes

Feedback Week 4 - Problem Set

Goals of Modern Cryptography

Concrete Security of Symmetric-Key Encryption

Computer Security CS 526

Authenticated Encryption in TLS

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Permutation-based Authenticated Encryption

A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security. T. Shrimpton October 18, 2004

Randomness Extractors. Secure Communication in Practice. Lecture 17

Practical Symmetric On-line Encryption

Misuse-resistant crypto for JOSE/JWT

Introduction to cryptology (GBIN8U16)

Advanced Cryptography 1st Semester Symmetric Encryption

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

ALIKE: Authenticated Lightweight Key Exchange. Sandrine Agagliate, GEMALTO Security Labs

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Cryptography 2017 Lecture 3

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

Private-Key Encryption

Summary on Crypto Primitives and Protocols

CS155. Cryptography Overview

symmetric cryptography s642 computer security adam everspaugh

Computational Security, Stream and Block Cipher Functions

Accredited Standards Committee X9, Incorporated

Cryptography: Symmetric Encryption [continued]

VTBPEKE: Verifier-based Tw o-basis Password Exponenti al Key Exchange

Message authentication codes

1 Achieving IND-CPA security

Proofs for Key Establishment Protocols

Pipelineable On-Line Encryption (POE)

Intel Software Guard Extensions (Intel SGX) Memory Encryption Engine (MEE) Shay Gueron

Some Aspects of Block Ciphers

Introduction to Cryptography. Lecture 3

Internet Engineering Task Force (IETF) Category: Standards Track March 2011 ISSN:

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Using EAP-TLS with TLS 1.3 draft-mattsson-eap-tls IETF 101, EMU, MAR John Mattsson, MOHIT sethi

A Surfeit of SSH Cipher Suites

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Security. Communication security. System Security

CSCE 813 Internet Security Symmetric Cryptography

Information Security CS526

CSC 474/574 Information Systems Security

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

Lecture 1 Applied Cryptography (Part 1)

Narrow-Bicliques: Cryptanalysis of Full IDEA. Gaetan Leurent, University of Luxembourg Christian Rechberger, DTU MAT

CSE 127: Computer Security Cryptography. Kirill Levchenko

How to Use Your Block Cipher? Palash Sarkar

Cryptographic Concepts

Midgame Attacks. (and their consequences) Donghoon Chang 1 and Moti Yung 2. IIIT-Delhi, India. Google Inc. & Columbia U., USA

Uses of Cryptography

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

Encryption from the Diffie-Hellman assumption. Eike Kiltz

Cryptography. Dr. Michael Schneider Chapter 10: Pseudorandom Bit Generators and Stream Ciphers

The Security and Performance of the Galois/Counter Mode (GCM) of Operation (Full Version)

Cryptology Part 1. Terminology. Basic Approaches to Cryptography. Basic Approaches to Cryptography: (1) Transposition (continued)

Block ciphers, stream ciphers

Content of this part

Concrete cryptographic security in F*

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

CS408 Cryptography & Internet Security

RSA. Public Key CryptoSystem

Lecture 4: Authentication and Hashing

CS155. Cryptography Overview

Report on Present State of CIPHERUNICORN-A Cipher Evaluation (full evaluation)

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

CIS 4360 Secure Computer Systems Applied Cryptography

Crypto for Hackers. Eijah. v1.00 August 7 th, 2015

The Security of Elastic Block Ciphers Against Key-Recovery Attacks

Intended status: Informational Expires: January 21, 2016 CRYPTO-PRO V. Podobaev FACTOR-TS I. Ustinov Cryptocom July 20, 2015

Lecture Note 05 Date:

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

Provably Secure Public-Key Encryption for Length-Preserving Chaumian Mixes

On the Notions of PRP-RKA, KR and KR-RKA for Block Ciphers

Crypto: Symmetric-Key Cryptography

Cryptography. Andreas Hülsing. 6 September 2016

Elastic Block Ciphers: Method, Security and Instantiations

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes

Symmetric Encryption 2: Integrity

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Cryptography [Symmetric Encryption]

Encryption Everywhere

A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

Transcription:

On Re-keying Mechanisms for Extending The Lifetime of Symmetric Keys draft-smyshlyaev-re-keying Stanislav V. Smyshlyaev, Ph.D. Head of Information Security Department, CryptoPro LLC CryptoPro LLC (www.cryptopro.ru) 1 / 36

Motivation for re-keying 1 Motivation for re-keying 2 Key diversification (external re-keying) 3 Internal re-keying ( key meshing ) 4 Security bounds 5 Performance 6 Conclusion and open questions CryptoPro LLC (www.cryptopro.ru) 2 / 36

Motivation for re-keying Key capacity Key capacity the amount of data that is (directly) encrypted with the key. Must be limited (by some L) due to: general combinatorial properties of cipher modes of operation (recent example: Sweet32); estimations of key material needed for success of various cryptanalysis methods for a used cipher (linear, algebraic, differential, logical etc.); bounds following from side-channel cryptanalysis methods of block ciphers. What should be done, when it is exceeded (reaches L)? CryptoPro LLC (www.cryptopro.ru) 3 / 36

Motivation for re-keying Do a new key establishment A full new key establishment on sides keypairs...... or obtaining a new agreement key using VKO (hashing the result of DH, multiplied by random UKM see RFC 7836) with the same key pairs and other UKM...... with new IVs, etc. Advantages Starting a new life for the session keys no deep additional security analysis needed (except for the key establishment itself). Disadvantages Inserting key agreement operations between sections (of size L) would drastically reduce encryption performance. Multiple (and possibly related) operations with asymmetric crypto additional analysis for key establishment is need for the particular case. CryptoPro LLC (www.cryptopro.ru) 4 / 36

Key diversification (external re-keying) 1 Motivation for re-keying 2 Key diversification (external re-keying) 3 Internal re-keying ( key meshing ) 4 Security bounds 5 Performance 6 Conclusion and open questions CryptoPro LLC (www.cryptopro.ru) 5 / 36

Key diversification (external re-keying) Key diversification (external re-keying) Uses an initial (negotiated) key as a master key, which is never used directly for the encryption but is used for session key derivation. A new derived session key (and IV) for each section (of size L). size of processed data < L Message (1,1) Message (1,2)... Message (1,q) KDF KDF KDF K 1 K 2 size of processed data < L Message (2,1) Message (2,2)... Message (2,q) K... size of processed data < L K N Message (N,1) Message (N,2)... Message (N,q) CryptoPro LLC (www.cryptopro.ru) 6 / 36

Key diversification (external re-keying) NIST Special Publication 800-108 KDF in Counter Mode K i = PRF(K, [i] 2 label 0x00 Context [L] 2 ) KDF in Feedback Mode K i = PRF(K, K i 1 [i] 2 label 0x00 Context [L] 2 ) KDF in Double-Pipeline Iteration Mode A i = PRF(K, A i 1 ); K i = PRF(K, A i [i] 2 label 0x00 Context [L] 2 ) CryptoPro LLC (www.cryptopro.ru) 7 / 36

Key diversification (external re-keying) Re-keying in TLS 1.3 (draft-ietf-tls-tls13-18) KeyUpdate traffic_secret_n = HKDF Expand (traffic_secret_n 1, application traffic secret,, Hash.length) write_key = HKDF Expand (traffic_secret_n, key,, key_length) CryptoPro LLC (www.cryptopro.ru) 8 / 36

Key diversification (external re-keying) Security analysis «Increasing the Lifetime of a Key: A Comparative Analysis of the Security of Re-Keying Techniques», M. Abdalla, M. Bellare. Parallel variant: K i = PRF(K, i). Serial variant: K i = PRF(StateKey i, 0), StateKey i+1 = PRF(StateKey i, 1), StateKey 1 = K. The lifetime of keys drastically increases (independently of the encryption mode) complete and correct security proofs exist. CryptoPro LLC (www.cryptopro.ru) 9 / 36

Key diversification (external re-keying) Parallel variant: the capacity of the initial key If we have really hard restrictions on key capacity (e.g., an adversary with powerful side-channel analysis equipment), it can exceed even for the initial ( master ) key. NIST Special Publication 800-108: Key Hierarchy (Key Tree) An example: RootKey KDF( RootKey, i&mask1) KDF( KDF( RootKey, i&mask1), i&mask2) Key[i] = KDF( KDF( KDF( RootKey, i&mask1), i&mask2), i&mask3) CryptoPro LLC (www.cryptopro.ru) 10 / 36

Key diversification (external re-keying) Parallel variant: K i = PRF(K, i). Serial variant: K i = PRF(StateKey i, 0), StateKey i+1 = PRF(StateKey i, 1), StateKey 1 = K. Advantages The material encrypted on each derived key K i can be strictly limited by L without strict limits on the lifetime of the original key K. The adversary cannot combine the information (input-output behaviour, side-channel information...) obtained when observing work on several derived keys. The leakage of one derived key K i does not have any impact on other derived keys. The mechanism can be chosen independently of a mode of operation. CryptoPro LLC (www.cryptopro.ru) 11 / 36

Key diversification (external re-keying) Parallel variant: K i = PRF(K, i). Serial variant: K i = PRF(StateKey i, 0), StateKey i+1 = PRF(StateKey i, 1), StateKey 1 = K. Disadvantages In both variants K 1 K thus, we always have to make at least one PRF calculation, even for extremely short plaintexts (the proofs significantly depend on keeping some state (K and StateKey i ) unused with the cipher itself). An external mechanism: if L is restrictive, inconvenient restrictions on the size of an individual message (with its own header, IV, MAC etc.) appear. CryptoPro LLC (www.cryptopro.ru) 12 / 36

Key diversification (external re-keying) And what if we have chosen some certain mode of operation and want to 1) keep the properties of having the strong limits of the section that is explicitly encrypted with any symmetric key; impossibility of an adversary to combine the information obtained from different sections to limit the possibility of an adversary to study anything about any encryption key by one section; 2) obtain also the properties of being efficient on short plaintexts (without any additional operations on such); not restarting encryption with new IV s (and MAC calculation) frequently. CryptoPro LLC (www.cryptopro.ru) 13 / 36

Internal re-keying ( key meshing ) 1 Motivation for re-keying 2 Key diversification (external re-keying) 3 Internal re-keying ( key meshing ) 4 Security bounds 5 Performance 6 Conclusion and open questions CryptoPro LLC (www.cryptopro.ru) 14 / 36

Internal re-keying ( key meshing ) Internal re-keying ( key meshing ) K 1 = K, IV 1 = IV; (K i+1, IV i+1 ) = F(K i, IV i, i + 1). Message (1) K= F F F K 1 K 2 K 3... Message (2)... Message (q) section 1 section 2 section 3 size of sections = const = l, ql < L... CryptoPro LLC (www.cryptopro.ru) 15 / 36

Internal re-keying ( key meshing ) The proposed method of re-keying ( key meshing ) draft-smyshlyaev-re-keying For CTR/GCM with n-bit block, CTR i = (ICN counter), with c-bit counter value and (n c)-bit ICN. K i+1 = ACPKM-CTR(K i ) = MSB k (E Ki (W 1 )... E Ki (W J )), The section size MUST be less than 2 c/2 1 blocks. Lifetime of a Key = L Message (1) K= ACPKM ACPKM ACPKM K 1 K 2 K 3... Message (2)... Message (q) section 1 section 2 section 3 size of sections = const = l, ql < L... CryptoPro LLC (www.cryptopro.ru) 16 / 36

Internal re-keying ( key meshing ) draft-smyshlyaev-re-keying For CTR/GCM with n-bit block, CTR i = (ICN counter), with c-bit counter value and (n c)-bit ICN. K i+1 = ACPKM-CTR(K i ) = MSB k (E Ki (W 1 )... E Ki (W J )), The section size MUST be less than 2 c/2 1 blocks; (n c + 1)-th bit of each W j is 1; W j are defined for any block size n of 64 n 512, counter size c of 32 c 3 4 n, key size k of 128 k 512. W j are pairwise different fixed constants for all allowed n, c, k. CryptoPro LLC (www.cryptopro.ru) 17 / 36

Internal re-keying ( key meshing ) draft-smyshlyaev-re-keying K i+1 = ACPKM-CTR(K i ) = MSB k (E Ki (W 1 )... E Ki (W J )). Disandvantages The leakage of one section key K i will lead to a leakage of all following keys. The mechanism must not be chosen independently of a mode of operation. CryptoPro LLC (www.cryptopro.ru) 18 / 36

Internal re-keying ( key meshing ) draft-smyshlyaev-re-keying K i+1 = ACPKM-CTR(K i ) = MSB k (E Ki (W 1 )... E Ki (W J )). Advantages (Performance) There are no additional unnecessary operations for short plaintexts if the plaintext length is shorter than the section size, the initial key will be used; The plaintext size is not needed to be known in advance key transformations are made when and only when needed; Transparency: no need to restart the encryption process with new IV s (and GHASH calculation). CryptoPro LLC (www.cryptopro.ru) 19 / 36

Internal re-keying ( key meshing ) draft-smyshlyaev-re-keying K i+1 = ACPKM-CTR(K i ) = MSB k (E Ki (W 1 )... E Ki (W J )). Advantages (Security) The material encrypted on each section key K i can be strictly limited by L without strict limits on the lifetime of the original key K; The adversary cannot combine the information (input-output behaviour, side-channel information...) obtained when observing work on several section keys; The total lifetime of an initial key drastically increases. Really? CryptoPro LLC (www.cryptopro.ru) 20 / 36

Internal re-keying ( key meshing ) draft-smyshlyaev-re-keying K i+1 = ACPKM-CTR(K i ) = MSB k (E Ki (W 1 )... E Ki (W J )). Advantages (Security) The material encrypted on each section key K i can be strictly limited by L without strict limits on the lifetime of the original key K; The adversary cannot combine the information (input-output behaviour, side-channel information...) obtained when observing work on several section keys; The total lifetime of an initial key drastically increases. Really? CryptoPro LLC (www.cryptopro.ru) 20 / 36

Security bounds 1 Motivation for re-keying 2 Key diversification (external re-keying) 3 Internal re-keying ( key meshing ) 4 Security bounds 5 Performance 6 Conclusion and open questions CryptoPro LLC (www.cryptopro.ru) 21 / 36

Security bounds Security model Cipher mode with internal re-keying is considered as an extension of a base cipher mode of operation, since it affects the process of processing of every single message. Internal re-keying method must not be considered without specifying cipher mode of operation. CryptoPro LLC (www.cryptopro.ru) 22 / 36

Security bounds Security models Security models for block ciphers PRF «Pseudorandom function»; PRP-CPA «Pseudorandom permutation in chosen plaintext attack»; PRP-CCA «Pseudorandom permutation in chosen ciphertext attack». Security models for cipher modes LOR-CPA «Left Or Right in Chosen Plaintext Attack» (Bellare M., Desai A., Jokipii E., Rogaway P. A Concrete Security Treatment of Symmetric Encryption, 2000). CryptoPro LLC (www.cryptopro.ru) 23 / 36

Security bounds Known for CTR Adv LOR-CPA CTR (t, q, m) 2 Adv PRF E (t + q + nqm, qm). Main result for ACPKM (preprint: eprint.iacr.org/2016/628) ( Adv LOR-CPA ACPKM l (t, q, ml) 4m Adv PRP-CCA E t + mlq + q n 2, q l, k ) + n + 2m Adv PRF E (t + qml, ql) + 2mδ, where δ = 8ql+6 2 n + ( 4ql 2 n ) 2, if k = 4n, and δ = 4ql+1 2 n + ( 2ql 2 n ) 2, if k = 2n. CryptoPro LLC (www.cryptopro.ru) 24 / 36

Security bounds Comparison with CTR Base assumptions In case of the block cipher that has no specific methods to decrease the security, the values of adversary s advantages are bounded in the following way: Adv PRF E (t, q) t 2 k + q2 2 n, Adv PRP-CPA E (t, q) t 2 k, Adv PRP-CCA E (t, q) t 2 k. CryptoPro LLC (www.cryptopro.ru) 25 / 36

Security bounds Comparison Adv LOR-CPA CTR (t, q, ml) 2m2 q 2 l 2 2 n + t + q + nmql 2 k m 2 2q2 l 2 2 n, ( Adv LOR-CPA ACPKM l (t, q, ml) 2m 2 t + qml 2 k + q2 l 2 2 n + t + qml ) 2 k + δ m 2q2 l 2 2 n. CryptoPro LLC (www.cryptopro.ru) 26 / 36

Security bounds Comparison Adv LOR-CPA CTR (t, q, ml) 2m2 q 2 l 2 2 n + t + q + nmql 2 k m 2 2q2 l 2 2 n, ( Adv LOR-CPA ACPKM l (t, q, ml) 2m 2 t + qml 2 k + q2 l 2 2 n + t + qml ) 2 k + δ m 2q2 l 2 2 n. CryptoPro LLC (www.cryptopro.ru) 27 / 36

Performance 1 Motivation for re-keying 2 Key diversification (external re-keying) 3 Internal re-keying ( key meshing ) 4 Security bounds 5 Performance 6 Conclusion and open questions CryptoPro LLC (www.cryptopro.ru) 28 / 36

Performance Performance for AES Does not it reduce speed? Machine characteristics Intel Core i5-6500 CPU 3.20GHz, L1 D-Cache 32 KB x 4, L1 I-Cache 32 KB x 4, L2 Cache 256 KB x 4. Speed of the encryption (OpenSSL) process in the base CTR mode with the hardware supported AES-256 was: 3800 MB/s. KB 64 128 256 512 1024 2048 4096 MB/s 3700.4 3722.0 3753.7 3765.3 3770.0 3786.5 3795.2 % 2.6 2.1 1.2 0.9 0.8 0.4 0.2 The CTR-ACPKM mode with the AES-256 cipher (hardware support). CryptoPro LLC (www.cryptopro.ru) 29 / 36

Performance Performance for AES Does not it reduce speed? Machine characteristics Intel Core i5-6500 CPU 3.20GHz, L1 D-Cache 32 KB x 4, L1 I-Cache 32 KB x 4, L2 Cache 256 KB x 4. Speed of the encryption (OpenSSL) process in the base CTR mode with the hardware supported AES-256 was: 3800 MB/s. KB 64 128 256 512 1024 2048 4096 MB/s 3700.4 3722.0 3753.7 3765.3 3770.0 3786.5 3795.2 % 2.6 2.1 1.2 0.9 0.8 0.4 0.2 The CTR-ACPKM mode with the AES-256 cipher (hardware support). CryptoPro LLC (www.cryptopro.ru) 29 / 36

Performance Speed of the encryption process in the base CTR mode with the hardware supported AES-128 cipher is 5160 MB/s. KB 64 128 256 512 1024 2048 4096 MB/s 5040.4 5061.3 5080.6 5105.0 5120.1 5139.4 5150.2 % 2.3 1.9 1.0 0.9 0.7 0.4 0.2 The CTR-ACPKM mode with the AES-128 cipher (hardware support). CryptoPro LLC (www.cryptopro.ru) 30 / 36

Conclusion and open questions 1 Motivation for re-keying 2 Key diversification (external re-keying) 3 Internal re-keying ( key meshing ) 4 Security bounds 5 Performance 6 Conclusion and open questions CryptoPro LLC (www.cryptopro.ru) 31 / 36

Conclusion and open questions External and internal re-keying: allies or rivals? Two disandvantages to be eliminated by combination External: if L is restrictive, inconvenient restrictions on the size of an individual message (with its own header, IV, MAC etc.) appear. Internal: section key compromise compromise of all next ones. K KDF KDF Message (1,1)... Message (1,q) Message (2,1)... Message (2,q) size of section = const = l ACPKM ACPKM ACPKM K 1 =K 1,1 K 1,2 K 1,3... K 2 =K 2,1 K 2,2 K 2,3... ACPKM ACPKM ACPKM KDF Message (N,1)... Message (N,q) ACPKM ACPKM ACPKM K N =K N,1 K N,2 K N,3... CryptoPro LLC (www.cryptopro.ru) 32 / 36

Conclusion and open questions Summary External re-keying (defined independently of a mode): drastically increases the lifetime of keys (considering general bounds, classical and side-channel attacks on a used cipher); almost does not affect performance for long messages; provides forward and backward security of section keys; requires additional operations (KDFs) even for very short plaintexts; procedures (IVs,... ) must be handled separately not transparent; in case of restrictive L: 1) the message sizes can become inconvenient; 2) the key tree should be used it becomes less effective, if we do not use some additional techniques. Internal re-keying approach (defined for a particular mode): drastically increases the lifetime of keys (considering general bounds, classical and side-channel attacks on a used cipher); almost does not affect performance for long messages; does not affect short messages transformation at all; transparent (works like any encryption mode): does not require changes of IV s and restarting MACing; but does not provide backward security of section keys if needed, should be combined with ext. re-keying (for much larger sections). CryptoPro LLC (www.cryptopro.ru) 33 / 36

Conclusion and open questions Open questions Can we define a similar internal re-keying with no additional keys for CFB/CBC/OMAC/...? ( This type of method should work for a large class of schemes Mihir Bellare.) Alternative approaches for internal ( transparent ) re-keying? Do we need a CFRG RFC with various re-keying techniques (existing and new ones)? ( A menu of choices for developers Kenny Paterson.) CryptoPro LLC (www.cryptopro.ru) 34 / 36

Conclusion and open questions Thank you for your attention! Questions? Materials, questions, comments: svs@cryptopro.ru CryptoPro LLC (www.cryptopro.ru) 35 / 36

Conclusion and open questions A security model for the cipher mode (for encryption) LOR-CPA An adversary A has access to an oracle O LOR. Before starting the work the oracle O LOR chooses b U {0, 1}. The adversary A can make requests to the oracle O LOR. Each of these requests is a pair of strings (M 0, M 1 ), where M 0 = M 1. In response to the request (M 0, M 1 ) the oracle returns a string C that is a result of the processing of the string M b according to the SE cipher mode. CryptoPro LLC (www.cryptopro.ru) 36 / 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback