Introduction to the theory of secret key cryptography
Andreas Hülsing, Eindhoven University of Technology, 17 June 2019 (slide transcript)

Outline: secret key encryption; MAC. Main primitives of secret key / symmetric cryptography: high-level primitives and low-level primitives.


1. Attempt 1: Semantic security

   Definition (Semantic Security (SEM)). A secret key encryption scheme has semantic security if for any efficient adversary $A$ there exists an efficient simulator $S$ such that their probabilities of success playing $\mathrm{Exp}^{\mathrm{SEM}}_{E,A}(n)$ are negligibly close to each other.

   For unbounded adversaries this is equivalent to perfect secrecy. This definition is cumbersome to work with!

7. Attempt 2: Indistinguishable ciphertext security

   $\mathrm{Exp}^{\mathrm{IND}}_{E,A}(n)$:
   1. $k \leftarrow \mathrm{Gen}(1^n)$
   2. $m_0, m_1 \leftarrow A(1^n)$ with $m_0, m_1 \in M$ and $|m_0| = |m_1|$
   3. $b \leftarrow_R \{0,1\}$, $c \leftarrow \mathrm{Enc}_k(m_b)$
   4. $b' \leftarrow A(c)$
   5. Output 1 if $b' = b$, otherwise 0

   Definition (Indistinguishable ciphertexts (IND)). A secret key encryption scheme $E$ has indistinguishable ciphertexts if for all efficient adversaries $A$ their advantage $\varepsilon$ in winning the above game is negligible, where
   $$\Pr\left[\mathrm{Exp}^{\mathrm{IND}}_{E,A}(n) = 1\right] = \frac{1}{2} + \varepsilon.$$
   This definition is a lot easier to work with and equivalent to SEM!

11. Is IND efficiently achievable?

   We first need tooling.

   Definition (Pseudorandom generator (PRG)). Let $\ell$ be a polynomial and let $G$ be a deterministic, efficient algorithm that implements a function $G : \{0,1\}^n \to \{0,1\}^{\ell(n)}$. We say $G$ is a secure PRG if the following two conditions hold:
   1. Expansion: for every $n$ it holds that $\ell(n) > n$.
   2. Pseudorandomness: for all efficient distinguishers $D$ the advantage $\varepsilon$ in distinguishing outputs of $G$ from random is negligible, where
   $$\varepsilon = \left|\Pr_{r \leftarrow_R \{0,1\}^{\ell(n)}}[D(r) = 1] - \Pr_{s \leftarrow_R \{0,1\}^n}[D(G(s)) = 1]\right|.$$

   PRGs exist if one-way functions exist. Will see examples later.

13. Is IND efficiently achievable?

   Construction (PRG-ENC). Let $n \in \mathbb{N}$ be the security parameter, let $M = \{0,1\}^{\ell(n)}$ $(= C)$, and let $G$ be a PRG as defined above. The PRG-ENC encryption scheme consists of the following three algorithms:
   $\mathrm{Gen}(1^n)$: return $k \leftarrow_R \{0,1\}^n$.
   $\mathrm{Enc}_k(m)$: return $c = m \oplus G(k)$.
   $\mathrm{Dec}_k(c)$: return $m' = c \oplus G(k)$.

   Correctness: $\mathrm{Dec}_k(\mathrm{Enc}_k(m)) = (m \oplus G(k)) \oplus G(k) = m$.

15. PRG-ENC is IND secure

   Proof by reduction. If there exists $A$ that can distinguish ciphertexts of PRG-ENC in time $t$ with advantage $\varepsilon$, then the following algorithm $D$ runs in time $\approx t$ and succeeds in distinguishing $G$ with advantage $\varepsilon' = \varepsilon$.

   Construction (Distinguisher $D$). Given as input a string $w \in \{0,1\}^{\ell(n)}$:
   1. Run $m_0, m_1 \leftarrow A(1^n)$
   2. Set $b \leftarrow_R \{0,1\}$, $c = m_b \oplus w$
   3. Run $b' \leftarrow A(c)$
   4. Return 1 if $b = b'$, otherwise 0.

19. Advantage of $D$

   (Distinguisher $D$ as above: on input $w \in \{0,1\}^{\ell(n)}$, run $m_0, m_1 \leftarrow A(1^n)$, set $b \leftarrow_R \{0,1\}$ and $c = m_b \oplus w$, run $b' \leftarrow A(c)$, and return 1 iff $b = b'$.)

   $$\varepsilon' = \left|\Pr[D(r) = 1] - \Pr[D(G(s)) = 1]\right|$$
   If $w = r$ is uniformly random, $c$ is a one-time-pad encryption of $m_b$, so
   $$\Pr[D(r) = 1] = \Pr\left[\mathrm{Exp}^{\mathrm{IND}}_{\mathrm{OTP},A}(n) = 1\right] = \frac{1}{2}.$$
   If $w = G(s)$, $c$ is exactly a PRG-ENC ciphertext under the key $s$, so
   $$\Pr[D(G(s)) = 1] = \Pr\left[\mathrm{Exp}^{\mathrm{IND}}_{\mathrm{PRG\text{-}ENC},A}(n) = 1\right] = \frac{1}{2} + \varepsilon.$$
   Hence
   $$\varepsilon' = \left|\frac{1}{2} - \left(\frac{1}{2} + \varepsilon\right)\right| = \varepsilon.$$

20. PRG-ENC is IND secure

   Theorem. If there exists $A$ that can distinguish ciphertexts of PRG-ENC in time $t$ with advantage $\varepsilon$, then the algorithm $D$ from above runs in time $\approx t$ and succeeds in breaking $G$ with advantage $\varepsilon' = \varepsilon$. Hence, if $G$ is a secure PRG, then PRG-ENC has indistinguishable ciphertexts.

23. What did we achieve?

   SEM, IND, and perfect secrecy define $A$'s goal. What about $A$'s attack capabilities? In this sense they are unrealistic single-message notions.

24. Is this realistic? [figure]

25. Or rather this. [figure]

28. What can $A$ learn?

   Often messages follow a known format (MIME, HTML, XML, ...). Often parts of messages are guessable: "To whom it may concern,", "Dear [Recipient],", "Best regards,\n[Sender]", "Cheers,\n[Sender]".

   Want to model the worst case: let $A$ choose the messages that get encrypted!

32. IND under chosen plaintext attacks (IND-CPA)

   $\mathrm{Exp}^{\mathrm{IND\text{-}CPA}}_{E,A}(n)$:
   1. $k \leftarrow \mathrm{Gen}(1^n)$
   2. $m_0, m_1 \leftarrow A^{\mathrm{Enc}_k(\cdot)}(1^n)$ with $m_0, m_1 \in M$ and $|m_0| = |m_1|$
   3. $b \leftarrow_R \{0,1\}$, $c \leftarrow \mathrm{Enc}_k(m_b)$
   4. $b' \leftarrow A^{\mathrm{Enc}_k(\cdot)}(c)$
   5. Output 1 if $b' = b$, otherwise 0

   Definition (IND-CPA). A secret key encryption scheme $E$ has indistinguishable ciphertexts under chosen plaintext attacks if for all efficient adversaries $A$ their advantage $\varepsilon$ in winning the above game is negligible, where
   $$\Pr\left[\mathrm{Exp}^{\mathrm{IND\text{-}CPA}}_{E,A}(n) = 1\right] \le \frac{1}{2} + \varepsilon.$$
   Note: this definition is equivalent to SEM-CPA.

36. IND-CPA secure SKE

   Is the one-time pad IND-CPA secure? What about PRG-ENC? Once the key is fixed, both encrypt deterministically, so the following theorem answers both questions in the negative.

   Theorem. A deterministic encryption scheme cannot be IND-CPA secure.

   Proof idea. Send $m_0$ to $\mathrm{Enc}_k(\cdot)$ and compare the result with the challenge ciphertext.

39. Pseudorandom function families

   A keyed function is a two-input function $F : K \times X \to Y$ where the first input is called the key and denoted $k$. We write $F_k(x) \stackrel{\text{def}}{=} F(k, x)$.

   Definition (Pseudorandom function family (PRF)). Let $F : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$ be an efficient, length-preserving, keyed function. We say $F$ is a pseudorandom function if for all efficient distinguishers $D$ the distinguishing advantage $\varepsilon$ is negligible, where
   $$\varepsilon = \left|\Pr_{k \leftarrow_R \{0,1\}^n}\left[D^{F_k(\cdot)}(1^n) = 1\right] - \Pr_{f_n \leftarrow_R \mathrm{Func}_n}\left[D^{f_n(\cdot)}(1^n) = 1\right]\right|,$$
   and $\mathrm{Func}_n$ denotes the set of all functions from $\{0,1\}^n$ to $\{0,1\}^n$.

   PRFs exist if PRGs exist [GGM'84]. For a length-doubling PRG $G$, write $G(s) = G(s)_0 \,\|\, G(s)_1$ for the two $n$-bit halves of its output and define
   $$F_k(x) \stackrel{\text{def}}{=} G\big(\cdots G\big(G(k)_{x_1}\big)_{x_2} \cdots\big)_{x_n}.$$
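The GGM construction above, carried out in code as an added example (not code from the slides). It assumes a length-doubling PRG built from SHA-256 by hashing the seed with a 0x00 or 0x01 suffix; that SHA-256 behaves as a PRG here is an assumption, not a theorem from the lecture. The function walks the binary tree rooted at $k$, taking the left half of $G$ for input bit 0 and the right half for input bit 1; `ggm_node` exposes the internal nodes so that the tree structure the hybrid proof relies on can be checked directly.

```python
import hashlib

N_BYTES = 32  # n = 256 bits: seeds, keys, inputs and outputs are all 32 bytes

def prg_half(seed: bytes, bit: int) -> bytes:
    """G(s)_bit: the bit-th n-bit half of the length-doubling PRG
    G(s) = SHA-256(s || 0x00) || SHA-256(s || 0x01).
    Assumption (not from the slides): SHA-256 used this way acts as a PRG."""
    assert len(seed) == N_BYTES and bit in (0, 1)
    return hashlib.sha256(seed + bytes([bit])).digest()

def prg(seed: bytes) -> bytes:
    """The full PRG G: {0,1}^n -> {0,1}^{2n}."""
    return prg_half(seed, 0) + prg_half(seed, 1)

def bits_msb_first(x: bytes):
    """Yields x_1, ..., x_n, most significant bit of each byte first."""
    for byte in x:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1

def ggm_prf(key: bytes, x: bytes) -> bytes:
    """F_k(x) = G(... G(G(k)_{x_1})_{x_2} ...)_{x_n}: start at the root k and,
    for every input bit x_i, move to the left (x_i = 0) or right (x_i = 1)
    child; the leaf reached after n steps is the PRF output."""
    assert len(key) == N_BYTES and len(x) == N_BYTES
    node = key
    for bit in bits_msb_first(x):
        node = prg_half(node, bit)
    return node

def ggm_node(key: bytes, prefix_bits) -> bytes:
    """Internal tree node reached by a bit prefix. The two children of a node
    are exactly the two halves of G(node), which is what the hybrid proof uses."""
    node = key
    for bit in prefix_bits:
        node = prg_half(node, bit)
    return node
```

Each evaluation costs $n$ PRG calls (here 256 hashes), which is why GGM is a feasibility result rather than how practical PRFs such as HMAC or AES are built.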

40. Pseudorandom permutation families

   The formal model for block ciphers is the PRP.

   Definition (Pseudorandom permutation family (PRP)). Let $n \in \mathbb{N}$ be the security parameter and $F : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$ be an efficient, length-preserving, keyed permutation. We say $F$ is a family of pseudorandom permutations (PRP) if for all efficient distinguishers $D$ the distinguishing advantage $\varepsilon$ is negligible, where
   $$\varepsilon = \left|\Pr_{k \leftarrow_R \{0,1\}^n}\left[D^{F_k(\cdot),\,F_k^{-1}(\cdot)}(1^n) = 1\right] - \Pr_{f_n \leftarrow_R \mathrm{Perm}_n}\left[D^{f_n(\cdot),\,f_n^{-1}(\cdot)}(1^n) = 1\right]\right|,$$
   where $\mathrm{Perm}_n$ denotes the set of all permutations over $\{0,1\}^n$.

   A PRP is a PRF (Switching Lemma) but not vice versa.

42. IND-CPA-secure SKE

   Construction (PRF-ENC). Let $n \in \mathbb{N}$ be the security parameter, let $K = M = \{0,1\}^n$ and $C = \{0,1\}^n \times \{0,1\}^n$, and let $F$ be a length-preserving PRF as defined above. The PRF-ENC encryption scheme consists of the following three algorithms:
   $\mathrm{Gen}(1^n)$: return $k \leftarrow_R \{0,1\}^n$.
   $\mathrm{Enc}_k(m)$: sample $r \leftarrow_R \{0,1\}^n$, compute $\bar{c} = m \oplus F_k(r)$, and return $c = \langle r, \bar{c} \rangle$.
   $\mathrm{Dec}_k(c)$: parse $c$ as $\langle r, \bar{c} \rangle$ and return $m' = \bar{c} \oplus F_k(r)$.

   Correctness: $\mathrm{Dec}_k(\mathrm{Enc}_k(m)) = (m \oplus F_k(r)) \oplus F_k(r) = m$.

44. PRF-ENC is IND-CPA secure

   Proof idea. Similar to PRG-ENC. Given $A$ that breaks IND-CPA of PRF-ENC in time $t$ with advantage $\varepsilon$, the following algorithm $D$ runs in time $\approx t$ and succeeds in distinguishing $F$ with advantage $\varepsilon' \approx \varepsilon$.

   Construction (Distinguisher $D$). Given access to an oracle $O : \{0,1\}^n \to \{0,1\}^n$:
   1. Run $m_0, m_1 \leftarrow A^{\mathrm{Enc}'(\cdot)}(1^n)$
   2. Set $b \leftarrow_R \{0,1\}$, $r^* \leftarrow_R \{0,1\}^n$, $\bar{c}^* = m_b \oplus O(r^*)$
   3. Run $b' \leftarrow A^{\mathrm{Enc}'(\cdot)}(\langle r^*, \bar{c}^* \rangle)$
   4. Return 1 if $b = b'$, otherwise 0,
   where $\mathrm{Enc}'(m)$ samples $r \leftarrow_R \{0,1\}^n$, computes $\bar{c} = m \oplus O(r)$, and returns $\langle r, \bar{c} \rangle$.

47. Advantage of $D$

   (Distinguisher $D$ as above, with challenge $\bar{c}^* = m_b \oplus O(r^*)$ for fresh $r^*$, and $\mathrm{Enc}'(m) = \langle r, m \oplus O(r) \rangle$ for fresh $r$.)

   $$\varepsilon' = \left|\Pr_{k \leftarrow_R \{0,1\}^n}\left[D^{F_k(\cdot)}(1^n) = 1\right] - \Pr_{f_n \leftarrow_R \mathrm{Func}_n}\left[D^{f_n(\cdot)}(1^n) = 1\right]\right|$$
   $$= \left|\Pr\left[\mathrm{Exp}^{\mathrm{IND\text{-}CPA}}_{\mathrm{PRF\text{-}ENC},A}(n) = 1\right] - \Pr\left[\mathrm{Exp}^{\mathrm{IND\text{-}CPA}}_{\widetilde{\mathrm{PRF\text{-}ENC}},A}(n) = 1\right]\right|,$$
   where $\widetilde{\mathrm{PRF\text{-}ENC}}$ is PRF-ENC with $F_k$ replaced by a truly random function $f_n$. In that idealized scheme $A$ learns nothing about $f_n(r^*)$ unless $r^*$ collides with one of the $q$ values $r$ chosen by $\mathrm{Enc}'$, which happens with probability at most $q/2^n$; so $A$ wins it with probability at most $1/2 + q/2^n$, and
   $$\varepsilon' \ge \left|\left(\frac{1}{2} + \varepsilon\right) - \left(\frac{1}{2} + \frac{q}{2^n}\right)\right| = \varepsilon - \frac{q}{2^n}.$$

48. PRF-ENC is IND-CPA secure

   Theorem. If there exists $A$ that can distinguish ciphertexts of PRF-ENC in a CPA experiment in time $t$ with advantage $\varepsilon$, then the algorithm $D$ from above runs in time $\approx t$ and succeeds in breaking $F$ with advantage $\varepsilon' \ge \varepsilon - q/2^n$. Hence, if $F$ is a secure PRF, then PRF-ENC has indistinguishable ciphertexts under chosen plaintext attacks.
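The IND-CPA experiment from slide 32, the attack on deterministic schemes from slide 36 and PRF-ENC from slides 42 to 48, run as an added example (not code from the slides). PRG-ENC uses SHA-256 in counter mode as its PRG and PRF-ENC uses HMAC-SHA256 as $F_k$; both are assumptions standing in for the abstract primitives, not part of the lecture. The adversary is the one from the proof idea: it asks the oracle for $\mathrm{Enc}_k(m_0)$ and compares with the challenge. Against PRG-ENC it wins every run; against PRF-ENC the fresh $r$ makes the comparison useless and its win rate falls to about $1/2$.

```python
import hashlib
import hmac
import os
import random

N = 32  # security parameter n = 256 bits, in bytes

def prg(seed: bytes, nbytes: int) -> bytes:
    """Heuristic PRG G: SHA-256 in counter mode (assumption: acts as a PRG)."""
    out, ctr = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:nbytes]

def prf(key: bytes, x: bytes) -> bytes:
    """Heuristic PRF F_k: HMAC-SHA256 (assumption: HMAC is a PRF)."""
    return hmac.new(key, x, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class PRGEnc:
    """PRG-ENC: c = m xor G(k). Deterministic: same key and message, same c."""
    def __init__(self):
        self.k = os.urandom(N)
    def enc(self, m: bytes) -> bytes:
        return xor(m, prg(self.k, len(m)))
    def dec(self, c: bytes) -> bytes:
        return xor(c, prg(self.k, len(c)))

class PRFEnc:
    """PRF-ENC: c = <r, m xor F_k(r)> with a fresh random r for every call."""
    def __init__(self):
        self.k = os.urandom(N)
    def enc(self, m: bytes) -> bytes:
        assert len(m) == N
        r = os.urandom(N)
        return r + xor(m, prf(self.k, r))
    def dec(self, c: bytes) -> bytes:
        r, cbar = c[:N], c[N:]
        return xor(cbar, prf(self.k, r))

class EqualityAdversary:
    """Proof idea from the slides: ask the oracle for Enc_k(m_0) and compare it
    with the challenge. Wins with certainty against a deterministic scheme."""
    def choose(self, enc_oracle):
        self.m0, self.m1 = b"A" * N, b"B" * N
        return self.m0, self.m1
    def guess(self, enc_oracle, c: bytes) -> int:
        if enc_oracle(self.m0) == c:
            return 0
        if enc_oracle(self.m1) == c:
            return 1
        return random.getrandbits(1)  # no information: coin flip

def ind_cpa_win_rate(scheme_cls, adversary, trials: int) -> float:
    """Runs Exp^{IND-CPA}_{E,A}(n) 'trials' times with fresh keys and returns
    the fraction of runs that output 1 (i.e. b' = b)."""
    wins = 0
    for _ in range(trials):
        E = scheme_cls()
        m0, m1 = adversary.choose(E.enc)          # A^{Enc_k(.)}(1^n)
        assert len(m0) == len(m1)
        b = random.getrandbits(1)
        c = E.enc(m1 if b else m0)                # challenge ciphertext
        wins += adversary.guess(E.enc, c) == b    # A^{Enc_k(.)}(c)
    return wins / trials
```

The win rate against PRF-ENC is an empirical estimate of $1/2 + \varepsilon$ for this one adversary only; the theorem bounds $\varepsilon$ for every efficient adversary, which no experiment can do.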

51. Arbitrary length messages

   PRF-ENC only works for $n$-bit messages. We can repeat the fixed-length scheme: for an $\ell n$-bit message $m = (m_1 \| m_2 \| \ldots \| m_\ell)$ the ciphertext is
   $$c = \langle r_1, F_k(r_1) \oplus m_1,\; r_2, F_k(r_2) \oplus m_2,\; \ldots,\; r_\ell, F_k(r_\ell) \oplus m_\ell \rangle.$$
   Pretty inefficient (the ciphertext is twice as long as the message)! Solution: modes of operation.

53. Electronic code book mode (ECB) [figure]

   Deterministic! Even worse, not even IND for single-message attacks: consider $m_0 = m \| m$ and $m_1 = m \| m'$ for $m, m' \in \{0,1\}^n$ with $m \ne m'$. The two ciphertext blocks are equal exactly when $m_0$ was encrypted.

55. Cipher block chaining mode (CBC) [figure]

   IND-CPA if $F$ is a PRP. The IV has to be random: if it is predictable, CBC is vulnerable!

57. Counter mode (CTR) [figure]

   IND-CPA if $F$ is a PRF.
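The three modes from slides 53, 55 and 57 over a toy block cipher, as an added example (not code from the slides). The block cipher is a 4-round Feistel network with HMAC-SHA256 round functions standing in for a PRP; that is an assumption for illustration, not a recommended cipher. The example runs the ECB distinguishing attack from slide 53 ($m_0 = m \| m$ versus $m_1 = m \| m'$), shows why the CBC IV must be unpredictable (with a counter IV, a chosen-plaintext query confirms a guess for an earlier plaintext block), and implements CTR, which only needs the forward direction of $F$ and so works with any PRF and with partial last blocks.

```python
import hashlib
import hmac

BLOCK, HALF = 32, 16  # block size n = 256 bits, split into two 128-bit halves

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(k: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(k, bytes([i]) + half, hashlib.sha256).digest()[:HALF]

def prp(k: bytes, x: bytes) -> bytes:
    """Toy keyed permutation F_k: 4-round Feistel network with HMAC-SHA256 round
    functions. Assumption (not from the slides): it stands in for a block cipher."""
    l, r = x[:HALF], x[HALF:]
    for i in range(4):
        l, r = r, xor(l, _round(k, i, r))
    return l + r

def prp_inv(k: bytes, y: bytes) -> bytes:
    """F_k^{-1}: undo the rounds in reverse order."""
    l, r = y[:HALF], y[HALF:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(k, i, l)), l
    return l + r

def blocks(m: bytes):
    assert len(m) % BLOCK == 0, "ECB/CBC here take whole blocks only (no padding)"
    return [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]

def ecb_enc(k: bytes, m: bytes) -> bytes:
    return b"".join(prp(k, blk) for blk in blocks(m))

def cbc_enc(k: bytes, m: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for blk in blocks(m):
        prev = prp(k, xor(blk, prev))
        out.append(prev)
    return iv + b"".join(out)

def cbc_dec(k: bytes, c: bytes) -> bytes:
    out, prev = [], c[:BLOCK]
    for blk in blocks(c[BLOCK:]):
        out.append(xor(prp_inv(k, blk), prev))
        prev = blk
    return b"".join(out)

def ctr_xcrypt(k: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: keystream block i is F_k(nonce + i). Only the forward direction is
    used, so any PRF works and a partial last block needs no padding."""
    out, n0 = b"", int.from_bytes(nonce, "big")
    for i in range(0, len(data), BLOCK):
        ctr_blk = ((n0 + i // BLOCK) % (1 << 256)).to_bytes(BLOCK, "big")
        out += xor(data[i:i + BLOCK], prp(k, ctr_blk))
    return out

def ecb_equal_block_pattern(k: bytes):
    """The IND attack from the slides: m_0 = m||m, m_1 = m||m'. ECB reveals which
    one was encrypted because equal plaintext blocks give equal ciphertext blocks."""
    m, m_prime = b"\x00" * BLOCK, b"\x01" * BLOCK
    c0, c1 = ecb_enc(k, m + m), ecb_enc(k, m + m_prime)
    return (c0[:BLOCK] == c0[BLOCK:], c1[:BLOCK] == c1[BLOCK:])

class PredictableIvCbc:
    """CBC whose IV is a counter the attacker can predict (the bug)."""
    def __init__(self, k: bytes):
        self.k, self.ctr = k, 0
    def next_iv(self) -> bytes:
        return self.ctr.to_bytes(BLOCK, "big")
    def enc(self, m: bytes) -> bytes:
        iv = self.next_iv()
        self.ctr += 1
        return cbc_enc(self.k, m, iv)

def confirm_guess(oracle: PredictableIvCbc, target_ct: bytes, guess: bytes) -> bool:
    """Chosen-plaintext check of a guess for the first plaintext block of target_ct:
    submitting guess xor IV_used xor IV_next makes the cipher compute
    F_k(guess xor IV_used), which equals the target block iff the guess is right."""
    iv_used, iv_next = target_ct[:BLOCK], oracle.next_iv()
    probe = oracle.enc(xor(xor(guess, iv_used), iv_next))
    return probe[BLOCK:2 * BLOCK] == target_ct[BLOCK:2 * BLOCK]
```

With a random IV the attacker cannot cancel it in advance and the probe tells nothing; with a counter IV each query tests one guess, which is enough against low-entropy blocks such as session cookies or fixed-format fields.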

60. What about active attacks?

   $A$ might be able to learn the decryption of ciphertexts at a later point by compromising the system. $A$ might even get access to a decryption oracle (lunch-time attack).

   Want to model the worst case: let $A$ choose the ciphertexts that get decrypted!

63. IND under chosen ciphertext attacks

   $\mathrm{Exp}^{\mathrm{IND\text{-}CCA}}_{E,A}(n)$:
   1. $k \leftarrow \mathrm{Gen}(1^n)$
   2. $m_0, m_1 \leftarrow A^{\mathrm{Enc}_k(\cdot),\,\mathrm{Dec}_k(\cdot)}(1^n)$ with $m_0, m_1 \in M$ and $|m_0| = |m_1|$
   3. $b \leftarrow_R \{0,1\}$, $c^* \leftarrow \mathrm{Enc}_k(m_b)$
   4. $b' \leftarrow A^{\mathrm{Enc}_k(\cdot),\,\mathrm{Dec}_k(\cdot)}(c^*)$, where the decryption oracle answers $\bot$ on the challenge, i.e. $\mathrm{Dec}_k(c^*) = \bot$
   5. Output 1 if $b' = b$, otherwise 0

   Definition (IND-CCA). A secret key encryption scheme $E$ has indistinguishable ciphertexts under chosen ciphertext attacks if for all efficient adversaries $A$ their advantage $\varepsilon$ in winning the above game is negligible, where
   $$\Pr\left[\mathrm{Exp}^{\mathrm{IND\text{-}CCA}}_{E,A}(n) = 1\right] \le \frac{1}{2} + \varepsilon.$$
   This definition is equivalent to SEM-CCA.

64. MAC

68. Message authentication

   Sometimes we want more than secrecy! Acknowledgement of receipt, social communication, source of an executable, ... We need integrity and authenticity!

   Does encryption imply authenticity / integrity? No. PRG-ENC, PRF-ENC, ... any stream cipher allows controlled bit flips; if the format is known this may be disastrous. Block ciphers make similar attacks harder but give no guarantees: ECB mode allows switching the order of blocks, repeating blocks, etc.
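The controlled bit flip from the slide, carried out against PRF-ENC as an added example (not code from the slides). HMAC-SHA256 stands in for $F_k$ by assumption, and the 32-byte message with its fixed field layout is constructed for the example. The attacker knows the format and therefore the position and current value of the amount field; since $\bar{c} = m \oplus F_k(r)$, XORing the difference between the known and the wanted bytes into $\bar{c}$ changes the decrypted message exactly there, and decryption has no way to notice.

```python
import hashlib
import hmac
import os

N = 32

def prf(k: bytes, x: bytes) -> bytes:
    """F_k as HMAC-SHA256 (assumption: HMAC is a PRF)."""
    return hmac.new(k, x, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def prf_enc(k: bytes, m: bytes) -> bytes:
    """PRF-ENC: <r, m xor F_k(r)> with fresh r. IND-CPA secure, but malleable."""
    assert len(m) == N
    r = os.urandom(N)
    return r + xor(m, prf(k, r))

def prf_dec(k: bytes, c: bytes) -> bytes:
    return xor(c[N:], prf(k, c[:N]))

def flip_field(c: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Without the key, rewrite the plaintext bytes at 'offset' from 'known' to
    'wanted'. Because c_bar = m xor F_k(r), xoring (known xor wanted) into c_bar
    xors the same difference into the decrypted message."""
    assert len(known) == len(wanted)
    delta = xor(known, wanted)
    r, cbar = c[:N], c[N:]
    end = offset + len(delta)
    return r + cbar[:offset] + xor(cbar[offset:end], delta) + cbar[end:]

# Constructed sample: a fixed-format 32-byte message. The attacker knows the
# format (field positions) and only needs the current digits of the amount.
MESSAGE = b"to=ACME-CORP;amount=000100;eol=1"
AMOUNT_OFFSET = MESSAGE.index(b"amount=") + len(b"amount=")

def tamper_demo(k: bytes = None):
    """Returns (what the sender encrypted, what the receiver decrypts after the
    attacker's edit). Decryption raises no error: PRF-ENC has no integrity."""
    k = k or os.urandom(N)
    c = prf_enc(k, MESSAGE)
    c_tampered = flip_field(c, AMOUNT_OFFSET, b"000100", b"999100")
    return MESSAGE, prf_dec(k, c_tampered)
```

The attacker never learns the key or the rest of the plaintext; IND-CPA promises nothing about what a modified ciphertext decrypts to, which is exactly the gap a MAC closes.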

69. MAC

70. Message authentication codes (MAC)

   Definition (message authentication code). A message authentication code or MAC is a tuple of probabilistic polynomial-time algorithms $\mathrm{MAC} = (\mathrm{Gen}, \mathrm{Mac}, \mathrm{Vrfy})$ over a message space $M$, fulfilling the following:
   $\mathrm{Gen}$ is a probabilistic algorithm that on input $1^n$ outputs a key $k$. The output space of $\mathrm{Gen}$ is called the key space $K$.
   $\mathrm{Mac}$ takes as input a key $k \in K$ and a message $m \in M$, and outputs a tag $t \in T$. The output space of $\mathrm{Mac}$ is called the tag space $T$.
   $\mathrm{Vrfy}$ is a deterministic algorithm that takes as input a key $k \in K$, a message $m \in M$, and a tag $t \in T$, and outputs a bit $b \in \{0,1\}$.
   Correctness: for every $n$, every $k \leftarrow \mathrm{Gen}(1^n)$, and every $m \in M$ it holds that $\mathrm{Vrfy}_k(m, \mathrm{Mac}_k(m)) = 1$.

73. Existential unforgeability under (adaptive) chosen message attacks (EU-CMA)

   $\mathrm{Exp}^{\mathrm{EU\text{-}CMA}}_{\mathrm{MAC},A}(n)$:
   1. $k \leftarrow \mathrm{Gen}(1^n)$
   2. $(m, t) \leftarrow A^{\mathrm{Mac}_k(\cdot)}(1^n)$. Let $\{m_i\}_1^q$ denote $A$'s queries to $\mathrm{Mac}_k$.
   3. If $\mathrm{Vrfy}_k(m, t) = 1$ and $m \notin \{m_i\}_1^q$, return 1.
   4. Else return 0.

   Definition (EU-CMA). A message authentication code $\mathrm{MAC} = (\mathrm{Gen}, \mathrm{Mac}, \mathrm{Vrfy})$ over a message space $M$ is existentially unforgeable under an adaptive chosen-message attack, or just secure, if for all efficient adversaries $A$ the success probability $\varepsilon$ in winning $\mathrm{Exp}^{\mathrm{EU\text{-}CMA}}_{\mathrm{MAC},A}(n)$ is negligible, where
   $$\varepsilon = \Pr\left[\mathrm{Exp}^{\mathrm{EU\text{-}CMA}}_{\mathrm{MAC},A}(n) = 1\right].$$

75. Remarks

   There exists a constant-time attack with success probability $1/|T|$ against every MAC (output any unqueried message together with a uniformly random tag) $\Rightarrow$ tags must not be too short.

   MACs do not prevent replay attacks! Replay attacks have to be handled at the protocol level (e.g., using sequence numbers).
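The MAC definition from slide 70, the EU-CMA experiment from slide 73 and both remarks from slide 75 in code, as an added example (not code from the slides). $\mathrm{Mac}_k$ is HMAC-SHA256 truncated to a configurable tag length, so that $|T| = 2^{8 \cdot \mathtt{tag\_len}}$; that HMAC is a PRF and hence an EU-CMA secure MAC is an assumption of the example. The exhaustive forgery models the practical setting where a server answers verification queries: with a 1-byte tag it succeeds after at most 256 queries, which is the remark about short tags. The `Receiver` class shows where replay protection lives: $\mathrm{Vrfy}$ accepts a replayed pair forever, and only the sequence-number check at the protocol layer rejects it.

```python
import hashlib
import hmac
import os

def gen(n: int = 32) -> bytes:
    """Gen(1^n): a uniformly random n-byte key."""
    return os.urandom(n)

def mac(k: bytes, m: bytes, tag_len: int = 32) -> bytes:
    """Mac_k(m): HMAC-SHA256 truncated to tag_len bytes, so |T| = 2^(8*tag_len).
    Assumption (not from the slides): HMAC is a PRF and hence an EU-CMA MAC."""
    return hmac.new(k, m, hashlib.sha256).digest()[:tag_len]

def vrfy(k: bytes, m: bytes, t: bytes, tag_len: int = 32) -> bool:
    """Vrfy_k(m, t): deterministic, constant-time comparison of the recomputed tag."""
    return len(t) == tag_len and hmac.compare_digest(mac(k, m, tag_len), t)

def eu_cma_experiment(k: bytes, adversary, tag_len: int = 32) -> bool:
    """Exp^{EU-CMA}_{MAC,A}(n): A gets a Mac_k oracle and outputs (m, t);
    it wins iff Vrfy_k(m, t) = 1 and m was never queried."""
    queried = set()
    def oracle(m: bytes) -> bytes:
        queried.add(m)
        return mac(k, m, tag_len)
    m, t = adversary(oracle)
    return vrfy(k, m, t, tag_len) and m not in queried

def honest_replay_adversary(oracle):
    """Outputs a pair it obtained from the oracle: not a forgery, m was queried."""
    m = b"queried message"
    return m, oracle(m)

def exhaustive_tag_forgery(verify_oracle, m: bytes, tag_len: int):
    """'Tags must not be too short': against a verification oracle, trying all
    |T| tags forges a tag for an arbitrary message after at most |T| queries.
    Returns (tag, number of verification queries used)."""
    for i in range(256 ** tag_len):
        t = i.to_bytes(tag_len, "big")
        if verify_oracle(m, t):
            return t, i + 1
    raise AssertionError("unreachable: some tag must verify")

def send(k: bytes, seq: int, payload: bytes):
    """Protocol layer: bind a sequence number into the authenticated message."""
    m = seq.to_bytes(8, "big") + payload
    return m, mac(k, m)

class Receiver:
    """Vrfy alone accepts a replayed (m, t) forever; the sequence-number check is
    what rejects it, and it lives at the protocol level, not inside the MAC."""
    def __init__(self, k: bytes):
        self.k, self.last_seq = k, -1
    def accept(self, m: bytes, t: bytes) -> bool:
        if not vrfy(self.k, m, t):
            return False
        seq = int.from_bytes(m[:8], "big")
        if seq <= self.last_seq:
            return False  # replayed or reordered
        self.last_seq = seq
        return True
```

The same exhaustive loop against a 32-byte tag would need $2^{256}$ queries, which is the whole point of the tag-length remark; the EU-CMA game itself gives the adversary no verification oracle, so there the best generic strategy is a single random guess with success $1/|T|$.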
