Block ciphers, stream ciphers

Similar documents
Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Symmetric-Key Cryptography

Scanned by CamScanner

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

1 Achieving IND-CPA security

Computer Security CS 526

Introduction to Cryptography. Lecture 3

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Introduction to Cryptography. Lecture 3

Cryptography [Symmetric Encryption]

Cryptology complementary. Symmetric modes of operation

CS 161 Computer Security

Information Security CS526

Symmetric Cryptography

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

CS 6903 Modern Cryptography February 14th, Lecture 4: Instructor: Nitesh Saxena Scribe: Neil Stewart, Chaya Pradip Vavilala

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Feedback Week 4 - Problem Set

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

CS 161 Computer Security. Week of September 11, 2017: Cryptography I

Bob k. Alice. CS 558 Lecture Deck(c) = c k. Continuation of Encryption

Information Security

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

Lecture 5. Constructions of Block ciphers. Winter 2018 CS 485/585 Introduction to Cryptography

Cryptography 2017 Lecture 3

Cryptography: Symmetric Encryption [continued]

Symmetric Encryption. Thierry Sans

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

CS408 Cryptography & Internet Security

Symmetric Cryptography

symmetric cryptography s642 computer security adam everspaugh

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

ISA 562: Information Security, Theory and Practice. Lecture 1

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Solutions to exam in Cryptography December 17, 2013

CIS 4360 Secure Computer Systems Symmetric Cryptography

Introduction to cryptology (GBIN8U16)

CS 495 Cryptography Lecture 6

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Authenticated Encryption

Chapter 3 : Private-Key Encryption

Automated Analysis and Synthesis of Modes of Operation and Authenticated Encryption Schemes

Lecture 8. 1 Some More Security Definitions for Encryption Schemes

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Authenticated encryption

Security and Cryptography 1. Stefan Köpsell, Thorsten Strufe. Module 5: Pseudo Random Permutations and Block Ciphers

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Goals of Modern Cryptography

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Block Cipher Operation. CS 6313 Fall ASU

Cryptography (cont.)

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CSE 127: Computer Security Cryptography. Kirill Levchenko

10 Chosen Ciphertext Attacks

Lecture 15: Public Key Encryption: I

1 Defining Message authentication

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

Concrete Security of Symmetric-Key Encryption

Lecture Note 05 Date:

Distributed Key Management and Cryptographic Agility. Tolga Acar 24 Feb. 2011

Lectures 6+7: Zero-Leakage Solutions

CPS2323. Symmetric Ciphers: Stream Ciphers

Authenticated Encryption

Symmetric Encryption 2: Integrity

AWS Key Management Service (KMS) Handling cryptographic bounds for use of AES-GCM

symmetric cryptography s642 computer security adam everspaugh

Using block ciphers 1

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Cryptography. Andreas Hülsing. 6 September 2016

Chapter 6: Contemporary Symmetric Ciphers

Advanced Cryptography 1st Semester Symmetric Encryption

Stream Ciphers An Overview

Computational Security, Stream and Block Cipher Functions

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

Encrypted databases. Tom Ristenpart CS 6431

Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol

Crypto: Symmetric-Key Cryptography

Cryptography and Network Security Chapter 7

Double-DES, Triple-DES & Modes of Operation

CS 161 Computer Security

Chapter 4. Symmetric Encryption. 4.1 Symmetric encryption schemes

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Practical Aspects of Modern Cryptography

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Data Integrity & Authentication. Message Authentication Codes (MACs)

On Symmetric Encryption with Distinguishable Decryption Failures

Private-Key Encryption

Some Aspects of Block Ciphers

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

CS155. Cryptography Overview

Network Security Technology Project

Transcription:

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Jan 31, 2018

Announcements Project 1 is out, due Feb 14 midnight

Recall: Block cipher A function E : {0, 1} k {0, 1} n {0, 1} n. Once we fix the key K, we get E K : {0,1} n {0,1} n defined by E K (M) = E(K,M). Three properties: Correctness: E K (M) is a permutation (bijective/ one-to-one function) Efficiency Security

Security For an unknown key K, E K behaves like a random permutation For all polynomial-time attackers, for a randomly chosen key K, the attacker cannot distinguish E K from a random permutation

Block cipher: security game Attacker is given two boxes, one for E K and one for a random permutation (also called oracles ) Attacker does not know which is which (they were shuffled randomly) Attacker can give inputs to each box, look at the output, as many times as he/she desires Attacker must guess which is E K??? Which is E K??? input output E K input output rand perm

Security game For all polynomial-time attackers, Pr[attacker wins game] <= ½+negl

Use block ciphers to construct symmetric-key encryption Want two properties: IND-CPA security even when reusing the same key to encrypt many messages Can encrypt messages of any length

Desired security: Indistinguishability under chosen plaintext attack (IND-CPA) Strong security definition Nothing leaks about the encrypted value other than its length

IND-CPA (Indistinguishability under chosen plaintext attack) Challenger K random bit b Enc K Enc K M C M 0, M 1 Enc k (M b ) M C Difference from IND-KPA: no encryption tries (must be same length) Here is my guess: b

IND-CPA An encryption scheme is IND-CPA if for all polynomial-time adversaries Pr[Adv wins game] <= ½ + negligible Note that IND-CPA requires that the encryption scheme is randomized (An encryption scheme is deterministic if it outputs the same ciphertext when encrypting the same plaintext; a randomized scheme does not have this property)

Difference from knownplaintext attack from last time The extra queries to Enc K Q: Why is IND-CPA a stronger security? A: The attacker is given more capabilities so the IND-CPA scheme resists a more powerful attacker

Are block ciphers IND-CPA? Recall: E K : {0,1} n {0,1} n is a permutation (bijective)

Are block ciphers IND-CPA? No, because they are deterministic Here is an attacker that wins the IND-CPA game: Adv asks for encryptions of bread, receives C br Then, Adv provides (M 0 = bread, M 1 = honey) Adv receives C If C=C br, Adv says bit was 0 (for bread ), else Adv says says bit was 1 (for honey ) Chance of winning is 1

Original image

Eack block encrypted with a block cipher

Later (identical) message again encrypted

Modes of operation Chain block ciphers in certain modes of operation Certain output from one block feeds into next block Need some initial randomness IV (initialization vector) Why? To prevent the encryption scheme from being deterministic

Counter mode (CTR) Last time: ECB, CBC

CTR: Encryption Enc(K, plaintext): If n is the block size of the block cipher, split the plaintext in blocks of size n: P 1, P 2, P 3,.. Choose a random nonce Now compute: (Nonce = Same as IV) Important that nonce does not repeat across different encryptions (choose it at random from large space) P 1 P 2 P 3 C 1 C 2 C 3 The final ciphertext is (nonce, C 1, C 2, C 3 )

CTR: Decryption Dec(K, ciphertext=[nonce,c 1, C 2, C 3,.].): Take nonce out of the ciphertext If n is the block size of the block cipher, split the ciphertext in blocks of size n: C 1, C 2, C 3,.. Now compute this: C 1 C 2 C 3 P 1 P 2 P 3 Output the plaintext as the concatenation of P 1, P 2, P 3,... Note, CTR decryption uses block cipher s encryption, not decryption

Want to see CTR explained slowly on whiteboard?

Original image

Encrypted with CBC

CBC vs CTR Security: If no reuse of nonce, both are IND-CPA. Speed: Both modes require the same amount of computation, but CTR is parallelizable for encryption as well (CBC was parallelizable for decryption but not for encryption)

Pseudorandom generator (PRG)

Pseudorandom Generator (PRG) Given a seed, it outputs a sequence of random bits PRG(seed) -> random bits It can output arbitrarily many random bits

PRG security Can PRG(K) be truly random? No. Consider key length K =k. Have 2^k possible initial states of PRG. Deterministic from then on. A secure PRG suffices to look random ( pseudo ) to an attacker (no attacker can distinguish it from a random sequence)

Example of PRG: using block cipher in CTR mode If you want m random bits, and a block cipher with E k has n bits, apply the block cipher m/n times and concatenate the result: PRG(K, IV) = E k (IV 1), E k (IV 2), E k (IV 3) E k (IV ceil(m/n)), where is concatenation

Application of PRG: Stream ciphers Another way to construct encryption schemes Similar in spirit to one-time pad: it XORs the plaintext with some random bits But random bits are not the key (as in one-time pad) but are output of a pseudorandom generator PRG

Application of PRG: Stream cipher Enc(K, M): Choose a random value IV C = PRG(K, IV) XOR M Output (IV, C) Q: How decrypt? A: Compute PRG(K, IV) and XOR with ciphertext C Q: What is advantage of OTP? A: Can encrypt any message length because PRG can produce any number of random bits

Block ciphers summary Desirable security: IND-CPA Block ciphers have weaker security than IND-CPA Block ciphers can be used to build IND- CPA secure encryption schemes by chaining in careful ways Stream ciphers provide another way to encrypt, inspired from one-time pads

Start asymmetric cryptography on board

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback