COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Similar documents
Feedback Week 4 - Problem Set

Authenticated Encryption

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

CS155. Cryptography Overview

Authenticated Encryption

1 Defining Message authentication

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

CS155. Cryptography Overview

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Symmetric Crypto MAC. Pierre-Alain Fouque

Authenticated encryption

Symmetric Encryption 2: Integrity

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Message Authentication ( 消息认证 )

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Homework 3: Solution

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

CS 495 Cryptography Lecture 6

Introduction to Cryptography. Lecture 3

Block ciphers, stream ciphers

Message authentication codes

symmetric cryptography s642 computer security adam everspaugh

Introduction to Cryptography. Lecture 3

Cryptography Overview

Data Integrity & Authentication. Message Authentication Codes (MACs)

1 Achieving IND-CPA security

11 Message Authentication Codes

Katz, Lindell Introduction to Modern Cryptrography

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

COMP4109 : Applied Cryptography

Data Integrity & Authentication. Message Authentication Codes (MACs)

Goals of Modern Cryptography

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

Automated Analysis and Synthesis of Modes of Operation and Authenticated Encryption Schemes

Lecture 8 - Message Authentication Codes

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Symmetric-Key Cryptography

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Cryptography 2017 Lecture 3

Cryptography Overview

Computer Security CS 526

Scanned by CamScanner

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

1 One-Time Pad. 1.1 One-Time Pad Definition

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CS 6903 Modern Cryptography February 14th, Lecture 4: Instructor: Nitesh Saxena Scribe: Neil Stewart, Chaya Pradip Vavilala

CS408 Cryptography & Internet Security

Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol

Lecture 8 Message Authentication. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Lecture 07: Private-key Encryption. Private-key Encryption

symmetric cryptography s642 computer security adam everspaugh

10 Chosen Ciphertext Attacks

Introduction to Cryptography. Lecture 6

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Lecture 4: Authentication and Hashing

Overview of Cryptography

Defining Encryption. Lecture 2. Simulation & Indistinguishability

Symmetric Cryptography

Information Security CS526

Lecture 8. 1 Some More Security Definitions for Encryption Schemes

Chapter 3 : Private-Key Encryption

: Practical Cryptographic Systems March 25, Midterm

Ac,ve a4acks on CPA- secure encryp,on

Cryptology complementary. Symmetric modes of operation

Cryptographic hash functions and MACs

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Cryptography. Andreas Hülsing. 6 September 2016

Cryptographic Hash Functions

Concrete cryptographic security in F*

Solutions to exam in Cryptography December 17, 2013

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

The OCB Authenticated-Encryption Algorithm

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

Lecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model

Reminder: Homework 4. Due: Friday at the beginning of class

Chosen-Ciphertext Security (II)

CLOC: Authenticated Encryption

Lecture 1: Perfect Security

ECE 646 Lecture 8. Modes of operation of block ciphers

The ElGamal Public- key System

Cryptography [Symmetric Encryption]

Lecture 5. Constructions of Block ciphers. Winter 2018 CS 485/585 Introduction to Cryptography

Multiple forgery attacks against Message Authentication Codes

Lecture 15: Public Key Encryption: I

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Lecture 8: Cryptography in the presence of local/public randomness

How to Use Your Block Cipher? Palash Sarkar

Lecture 9 Authenticated Encryption

A Surfeit of SSH Cipher Suites

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

Cryptography. Lecture 03

Symmetric and Password- based encrypdon. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu

The Magic of ELFs. Mark Zhandry Princeton University (Work done while at MIT)

Misuse-resistant crypto for JOSE/JWT

Transcription:

COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017

Message Authentication Codes Syntax: Key space K λ Message space M Tag space T λ MAC(k,m) à σ Ver(k,m,σ) à 0/1 Correctness: m,k, Ver(k,m, MAC(k,m) ) = 1

Message Authentication Codes m m,σ m,σ k k Ver(k,m,σ ) Goal: If Eve changed m, Bob should reject

Security For MACs m i M (m*,σ*) k ß K λ σ i σ ß MAC(k,m i ) CMA-Adv(, λ) = Pr[ outputs 1] Output 1 iff: m* {m 1, } Ver(k,m*,σ*) = 1

Constructing MACs Use a PRF F:K M à T MAC(k,m) = F(k,m) Ver(k,m,σ) = (F(k,m) == σ) Theorem: (MAC,Ver) is CMA secure assuming 1/ T is negligible

CBC- MAC IV = 0 ( ) k F k F k F k F k F Theorem: CBC- MAC is a secure PRF for fixed- length messages

Today Improving Efficiency of MACs Authenticated Encryption: combining secrecy and integrity

Improving efficiency

Limitations of CBC- MAC Many block cipher evaluations Sequential

Carter Wegman MAC k = (k,h) where: k is a PRF key for F:K Rà Y h is sampled from a pairwise independent function family MAC(k,m): Choose a random rß R Set σ = (r, F(k,r) h(m))

Theorem: The Carter Wegman MAC is strongly CMA secure

Proof Assume toward contradiction a PPT Hybrids

Proof Hybrid 0 m i M σ i =(r i,t i ) (m*,r*,t*) kß K h r i ß R t i ß F(k,r) h(m) Output 1 iff: (m*,r *,t*) {(m i,r i,t i )} F(k,r*) h(m*)=t*

Proof Hybrid 1 m i M σ i =(r i,t i ) (m*,r*,t*) kß K h (Distinct r i ) r i ß R t i ß F(k,r) h(m) Output 1 iff: (m*,r *,t*) {(m i,r i,t i )} F(k,r*) h(m*)=t*

Proof Hybrid 2 m i M σ i =(r i,t i ) (m*,r*,t*) Hß Funcs h (Distinct r i ) r i ß R t i ß H(r) h(m) Output 1 iff: (m*,r *,t*) {(m i,r i,t i )} H(r*) h(m*)=t*

Proof Claim: In Hybrid 2, negligible success probability Possibilities: r* {r i }: then value of H(r*) hidden from adversary, so Pr[H(r*) h(m*)=t*] is 1/ Y r*=r i for some i: then m* m i (why?) h completely hidden from adversary Pr[H(r*) h(m*)=t*] = Pr[h(m*)=t* t i h(m i )] = 1/ Y

Proof Hybrid 1 and 2 are indistinguishable PRF security Hybrid 0 and 1 are indistinguishable W.h.p. random r i will be distinct Therefore, negligible success probability in Hybrid 0

Efficiency of CW MAC MAC(k,m): Choose a random rß R Set σ = (r, F(k,r) h(m)) h much more efficient that PRFs PRF applied only to small nonce r h applied to large message m

PMAC: A Parallel MAC ( ) 0 1 2 3 4 k p k p k p k p k p k F k F k F k F k F k F σ

Authenticated Encryption

Authenticated Encryption attackatdawn c c k k attackatdusk Goal: Eve cannot learn nor change plaintext Authenticated Encryption will satisfy two security properties

Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m

Unforgeability m i M c* k ß K λ c i c ß Enc(k,m i ) Output 1 iff: c* {c 1, } Dec(k,c*)

Definition: An encryption scheme (Enc,Dec) is an authenticated encryption scheme if it is unforgeable and CPA secure

Constructing Authenticated Encryption Three possible generic constructions: 1. MAC- then- Encrypt (SSL) k = (k Enc,k MAC ) m MAC(k MAC, m) σ Enc(k Enc, (m,σ) ) c Dec(k Enc, c) m σ Ver(k MAC, m, σ) m Accept Reject

Constructing Authenticated Encryption Three possible generic constructions: 2. Encrypt- then- MAC (IPsec) m k = (k Enc,k MAC ) Enc(k Enc, m) c σ c MAC(k MAC, c )

Constructing Authenticated Encryption Three possible generic constructions: 3. Encrypt- and- MAC (SSH) k = (k Enc,k MAC ) m Enc(k Enc, m) c MAC(k MAC, m) σ c

Constructing Authenticated Encryption 1. MAC- then- Encrypt 2. Encrypt- then- MAC 3. Encrypt- and- MAC Which one(s) always provides authenticated encryption (assuming strongly secure MAC)?

Constructing Authenticated Encryption MAC- then- Encrypt?

Constructing Authenticated Encryption Encrypt- then- MAC?

Constructing Authenticated Encryption Encrypt- and- MAC?

Constructing Authenticated Encryption Just because MAC- then- Encrypt and Encrypt- and- MAC are insecure for some MACs/encryption schemes, they may be secure in some settings Ex: MAC- then- Encrypt with CTR or CBC encryption For CTR, any one- time MAC is actually sufficient

Theorem: MAC- then- Encrypt with any one- time MAC and CTR- mode encryption is an authenticated encryption scheme

Proof CPA security: straightforward CPA security of encryption scheme guarantees message + mac is hidden

Proof Integrity: assume towards contradiction a PPT ciphertext forger Hybrids

Proof Hybrid 0: k MAC ß K MAC k PRF ß K PRF m i M (r i,c i ) (r*,c*) Standard forgery experiment σ i ß MAC(k MAC,m i ) r i ß R c i ß F(k PRF,r) (m i,σ i ) Output 1 iff: (r*,c*) {(r 1,c 1 ), } Ver(k MAC, m*,σ*)=1 where (m*,σ*)ß F(k PRF,r*) c*

Proof Hybrid 1: k MAC ß K MAC H ß Funcs m i M (r i,c i ) (r*,c*) σ i ß MAC(k MAC,m i ) r i ß R c i ß H(r) (m i,σ i ) Output 1 iff: (r*,c*) {(r 1,c 1 ), } Ver(k MAC, m*,σ*)=1 where (m*,σ*)ß H(r*) c*

Proof Hybrid 2: k MAC ß K MAC H ß Funcs m i M (r i,c i ) (r*,c*) σ i ß MAC(k MAC,m i ) r i ß R (distinct) c i ß H(r) (m i,σ i ) Output 1 iff: (r*,c*) {(r 1,c 1 ), } Ver(k MAC, m*,σ*)=1 where (m*,σ*)ß H(r*) c*

Proof Hybrid 3: k MAC ß K MAC H ß Funcs m i M (r i,c i ) (r*,c*) σ i ß MAC(k MAC,m i ) r i ß R (distinct) c i ß H(r) (m i,σ i ) Output 1 iff: (r*,c*) {(r 1,c 1 ), } r* {r 1, } Ver(k MAC, m*,σ*)=1 where (m*,σ*)ß H(r*) c*

Proof Hybrid 0 and Hybrid 1 are indistinguishable by PRF security Hybrid 1 and Hybrid 2 are indistinguishable since the r s are distinct with overwhelming probability Hybrid 2 and Hybrid 3 are indistinguishable since if r* {r 1, }, then H(r*) hidden from adversary s view For any c*, (m*,σ*)=h(r*) c* truly random à forgery with negligible probability

Proof Suppose non- negligible prob of forgery in Hyb 3 Pick random i* {1,,q} m i (r i,c i ) (r*,c*) If i i*, choose random (r i,c i ) If i=i*, Choose random r i*, k* c i* ß k* (m i,σ) If r* r i*, abort If r* = r i*, (m*,σ*)ß k* c* m i σ (m*,σ*)

Proof Analysis Regardless of which i* picks, sees truly random ciphertexts (with distinct r) Therefore, i* independent of view of forges exactly when forges AND guessed correct i* Prob forges is non- negligible

Chosen Ciphertext Attacks

Chosen Ciphertext Attacks Often, adversary can fool server into decrypting certain ciphertexts Even if adversary only learns partial information (e.g. whether ciphertext decrypted successfully), can use info to decrypt entire message Therefore, want security even if adversary can mount decryption queries

Chosen Plaintext Security b m c k ß K c ß Enc(k,m) m 0, m 1 c c ß Enc(k,m b ) b m c c ß Enc(k,m) CPA-Exp b (, λ)

Chosen Ciphertext Security? m c c m b k ß K c ß Enc(k,m) m ß Dec(k,c) m 0 *, m 1 * c* c*ß Enc(k,m b *) m c c b m

Lunch- time CCA (CCA1) m c c m m 0 *, m 1 * c* m c b b k ß K c ß Enc(k,m) m ß Dec(k,c) c*ß Enc(k,m b *)

Full CCA (CCA2) m c m 0 *, m 1 * c m c* b k ß K c ß Enc(k,m) m ß Dec(k,c) c*ß Enc(k,m b *) b m c c* c m

Theorem: If (Enc,Dec) is an authenticated encryption scheme, then it is also CCA secure

Proof Sketch For any decryption query, two cases 1. Was the result of a CPA query In this case, we know the answer already! 2. Was not the result of an encryption query In this case, we have a ciphertext forgery

CCA vs Auth Enc We know Auth Enc implies CCA security What about the other direction? For now, always strive for Authenticated Encryption

MAC- then- Encrypt with CBC Even though MAC- then- Encrypt is secure for CBC encryption (which we did not prove), still hard to implement securely Recall: need padding for CBC Therefore, two possible sources of error Padding error MAC error If possible to tell which one, then can attack

Using Same Key for Encrypt and MAC Suppose we re combining CBC encryption and CBC- MAC Can I use the same key for both?

IV k F IV Attack? k F k F

Using Same Key for Encrypt and MAC In general, do not use same key for multiple purposes Schemes may interact poorly when using the same key However, some modes of operation do allow same key to be used for both authentication and encryption

CCM Mode CCM = Counter Mode with CBC- MAC in Authenticate- then- Encrypt combination Possible to show that using same key for authentication and encryption still provides security

Efficiency So far, all modes seen require two block cipher operations per block 1 for encryption 1 for authentication Ideally, would have only 1 block cipher op per block

OCB Mode

OCB Mode Twice as fast as other block cipher modes of operation However, not used much in practice Patents!

Other Modes GCM: Roughly CTR mode then Carter- Wegman MAC EAX: CTR mode then CMAC (variant of CBC- MAC)

Deterministic Encryption

Deterministic Encryption So far, we have insisted on CPA/CCA/Auth Enc security, which implies scheme must be randomized However, sometimes deterministic encryption is necessary E.g. encrypting database records How to resolve discrepancy?

Deterministic CPA Security b m 0 (i), m 1 (i) c (i) Challenger k ß K λ c (i) ß Enc(k,m b (i) ) b Where m 1 (1),,m 1 (q) are distinct and m 1 (1),,m 1 (q) are distinct

Achieving Det. CPA Security Idea? used fixed det. IV CTR mode? CBC mode? Better options: Derive IV as IV = PRF(k,m) If using Auth Enc, get Det. Auth Enc Use large PRP: c = PRP(k,m) Can get Det. Auth Enc by padding message

Next Time Collision resistant hashing Reminder: Starting at 3pm, midterm will be posted on Blackboard (though not on course webpage) Due 1pm on Wednesday

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback