introduction to symmetric cryptography

Introduction to symmetric cryptography Joan Daemen Institute for - PowerPoint PPT Presentation



  1. Introduction to symmetric cryptography. Joan Daemen, Institute for Computing and Information Sciences, Radboud University. Šibenik summer school 2016. (Page 1 of 51, Joan Daemen, Šibenik summer school 2016, Symmetric Crypto)

  2. Outline
     ◮ Security services
     ◮ Stream encryption
     ◮ Authentication and authenticated encryption
     ◮ Building schemes with modes
     ◮ Building the primitives
     ◮ Example: Noekeon

  3. Currently we are here... Security services Stream encryption Authentication and authenticated encryption Building schemes with modes Building the primitives Example: Noekeon

  4. Confidentiality
     ◮ To protect:
       • people’s privacy
       • company assets
       • enforcing business: no pay, no content
       • meta: PIN, password, cryptographic keys
     ◮ Data confidentiality
       • only authorised entities get access to the data
       • cryptographic operation: encryption
     ◮ Protection against traffic analysis
       • existence of communication between parties
       • frequency and statistics of communication
       • called metadata
       • no direct link with a basic cryptographic operation

  5. Data integrity and authentication
     ◮ Basic concepts:
       • data integrity: was not modified without proper authorization
       • entity authentication: entity is what it claims to be
       • data origin authentication: data received as it was sent
       • symmetric crypto operation: message authentication codes
     ◮ Freshness:
       • entity is there now
       • received message was written recently
       • mechanism: unpredictable challenge
     ◮ Protection against replay:
       • authenticated message was not just a copy of an earlier one
       • mechanism: nonce

  6. Secure channel
     ◮ cryptographically secured link between two entities
     ◮ data confidentiality and data origin authentication
     ◮ session-level authentication, protection against
       • insertion of messages
       • removal of messages
       • shuffling of messages
     ◮ can be one-directional or full-duplex
     ◮ can be online or store-and-forward
     ◮ can require freshness or just protection against replay
     ◮ examples: SSH, TLS, GP SCP03, . . .

  7. Symmetric cryptography operations
     ◮ Core business
       • encryption
       • MAC computation
       • authenticated encryption (including sessions)
     ◮ Requires secret key shared between sender and receiver
       • key generation requires qualitative random generator
       • key transfer between entities may require other keys
       • a lot can go wrong here!
     ◮ On the side
       • cryptographic hashing
       • deterministic random bit generation (DRBG), . . .

  8. Currently we are here... Security services Stream encryption Authentication and authenticated encryption Building schemes with modes Building the primitives Example: Noekeon

  9. Encryption: one-time pad
     ◮ Let P be a plaintext of n bits: P_1 to P_n
     ◮ Assume Z is a shared secret of n bits: Z_1 to Z_n
     ◮ Encryption to n-bit cryptogram C
       • ∀i: C_i = P_i + Z_i
     ◮ Decryption back to P
       • ∀i: P_i = C_i + Z_i
     ◮ Advantages
       • no expansion
       • very efficient
       • provably secure in information-theoretical sense!
     ◮ Disadvantage: requires 1 fresh secret bit per message bit encrypted

  10. Stream cipher
     ◮ Generates arbitrary-length keystream Z from
       • K: short secret key, typically 128 or 256 bits
       • IV: initial value, for generating multiple keystreams per K
     ◮ Desired properties
       • knowing K: computing Z = SC[K](IV) shall be efficient
       • not knowing K: predicting Z shall be infeasible for any IV
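Added illustration for slides 9 and 10 (not part of the lecture material): a toy stream cipher SC[K](IV), built here from SHA-256 in counter mode as an assumption, supplies the keystream Z for one-time-pad style encryption, where the "+" on slide 9 is addition mod 2 (XOR). The last function shows why a fresh IV per message is the practical form of the "1 fresh secret bit per message bit" requirement: reusing (K, IV) reproduces Z, and the two ciphertexts XOR to P1 xor P2.

```python
import hashlib


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy SC[K](IV): SHA-256 over (K, IV, counter) in counter mode, truncated to
    `length` bytes. Constructed for illustration; not a vetted stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise addition mod 2 (C_i = P_i + Z_i); truncates to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """One-time-pad style encryption with the stream cipher supplying Z."""
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


# Decryption is the same operation: P_i = C_i + Z_i.
decrypt = encrypt


def keystream_reuse_leak(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two messages under the same (K, IV) share Z, so C1 xor C2 = P1 xor P2:
    the keystream cancels and the relation between the plaintexts is exposed
    without knowing K. A fresh IV per message prevents this."""
    return xor_bytes(encrypt(key, iv, p1), encrypt(key, iv, p2))
```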

  11. Random oracle RO [Bellare-Rogaway 1993]
     ◮ A random oracle RO maps:
       • input of arbitrary length P
       • to an infinite output string Z
     ◮ RO supports queries of following type: (P, ℓ)
       • P: input
       • ℓ: requested number of output bits
     ◮ Response Z
       • string of ℓ bits
       • independently and uniformly distributed bits
       • self-consistent: equal inputs P give matching outputs

  12. Security notion: pseudorandom function (PRF)
     ◮ Distinguishing game (black box version)
     ◮ Adversary sends queries Q to system that is either:
       • stream cipher with unknown key K
       • RO
     ◮ Then based on responses Z must guess what system is
       • Pr(success) ≤ F(|Q|): some bound on success probability
       • Advantage: Adv = 2 Pr(success) − 1

  13. Security notion: PRF (cont’d)
     ◮ Black box fails to model public concrete stream cipher
     ◮ We give additional query access to internal functions
     ◮ We model query complexity in two parts:
       • M: online complexity, represents data
       • N: offline complexity, represents computation and storage
     ◮ We express Advantage as Adv(M, N)

  14. Implications of PRF property
     ◮ Informally: a function is a PRF if the advantage is negligible
     ◮ What really matters is the concrete bound
     ◮ A bound Adv(M, N) for stream cipher implies:
       • any adversary with resources M and N
       • will not learn anything about plaintext from ciphertext with probability 1 − Adv(M, N)
     ◮ but for concrete schemes we cannot prove such bounds!

  15. Security claim
     ◮ Lack of proof leaves following questions on a concrete scheme:
       • what kind of security does it offer?
       • when does a demonstrated property break it?
     ◮ Addressed by a security claim
       • statement on expected security of a cryptographic scheme
       • bound on distinguishing advantage from ideal scheme
     ◮ For cryptanalysts: challenge
       • break: attack performing better than the claim
     ◮ For users: security specification
       • . . . as long as it is not broken
     ◮ Often claims are missing but implied by size parameters

  16. How concrete schemes gain assurance
     ◮ The (open) cryptologic activity (70s - today):
       • cryptographic schemes are published
       • . . . and (academically) attacked by cryptanalysts
       • . . . and corrected/improved,
       • . . . and attacked again, etc.
       • by researchers for prestige/career
     ◮ This leads to
       • better understanding
       • ever improving cryptographic schemes
     ◮ Trust in cryptographic scheme depends on
       • perceived simplicity
       • perceived amount of analytic effort invested in it

  17. Security strength
     ◮ Security strength of a cryptographic scheme
       • expected effort required to break it
       • expressed in bits
       • s bits means best attack has expected complexity 2^s
     ◮ Link with bound on distinguishing advantage
       • amount of data and/or computation such that Adv becomes significant
       • kind of coarse
     ◮ Current view on computational complexity
       • 80 bits: lightweight
       • 96 bits: solid
       • 128 bits: secure for the foreseeable future
       • 256 bits: for the clueless
     ◮ See www.keylength.com

  18. Limit to security strength: exhaustive key search
     ◮ Single-target: attacker gets couple (IV, Z = SC[K](IV))
       • attacker tries guesses K′ until SC[K′](IV) = Z
       • expected effort 2^(k−1), so strength k − 1 bits
       • implicit security claim: no attack better than this
     ◮ Multi-target: attacker gets m couples (IV, Z_i = SC[K_i](IV))
       • attacker tries guesses K′ until ∃K_i: SC[K′](IV) = Z_i
       • every key guess has success probability m/2^k
       • expected effort 2^k/(m + 1), so strength ≈ k − log2(m)
     ◮ key length does not equal security strength!
       • security erosion in case of multi-target
       • can be prevented by making IV global nonce

  19. Currently we are here... Security services Stream encryption Authentication and authenticated encryption Building schemes with modes Building the primitives Example: Noekeon

  20. Message authentication code (MAC) functions
     ◮ Generates short tag T from
       • K: short secret key, typically 128 or 256 bits
       • M: arbitrary-length message
     ◮ Desired properties (informally)
       • knowing K: computing T = MF[K](M) shall be efficient
       • not knowing K: predicting T for any M shall be infeasible
