introduction to the theory of secret key cryptography
play

Introduction to the theory of secret key cryptography Andreas H - PowerPoint PPT Presentation

Dec 31, 2022 •349 likes •1.51k views

Introduction to the theory of secret key cryptography Andreas H ulsing Eindhoven University of Technology 17 June 2019 Secret key encryption MAC Main primitives of secret key / symmetric cryptography High-level primitives Low-level

  1. Secret key encryption MAC Attempt 1: Semantic security Definition (Semantic Security (SEM)) A secret key encryption scheme has semantic security if for any efficient adversary A there exists an efficient simulator S such that their probabilites of success playing Exp SEM E , A ( n ) are negligibly close to each other. For unbounded adversaries this is equivalent to perfect secrecy. This definition is cumbersome to work with! 11 / 50

  2. Secret key encryption MAC Attempt 2: Indistinguishable ciphertext security Exp IND E , A ( n ): 1 k ← Gen (1 n ) 12 / 50

  3. Secret key encryption MAC Attempt 2: Indistinguishable ciphertext security Exp IND E , A ( n ): 1 k ← Gen (1 n ) 2 m 0 , m 1 ← A (1 n ) with m 0 , m 1 ∈ M ∧ | m 0 | = | m 1 | 12 / 50

  4. Secret key encryption MAC Attempt 2: Indistinguishable ciphertext security Exp IND E , A ( n ): 1 k ← Gen (1 n ) 2 m 0 , m 1 ← A (1 n ) with m 0 , m 1 ∈ M ∧ | m 0 | = | m 1 | 3 b ← R { 0 , 1 } , c ← Enc k ( m b ) 12 / 50

  5. Secret key encryption MAC Attempt 2: Indistinguishable ciphertext security Exp IND E , A ( n ): 1 k ← Gen (1 n ) 2 m 0 , m 1 ← A (1 n ) with m 0 , m 1 ∈ M ∧ | m 0 | = | m 1 | 3 b ← R { 0 , 1 } , c ← Enc k ( m b ) 4 b ′ ← A ( c ) 12 / 50

  6. Secret key encryption MAC Attempt 2: Indistinguishable ciphertext security Exp IND E , A ( n ): 1 k ← Gen (1 n ) 2 m 0 , m 1 ← A (1 n ) with m 0 , m 1 ∈ M ∧ | m 0 | = | m 1 | 3 b ← R { 0 , 1 } , c ← Enc k ( m b ) 4 b ′ ← A ( c ) 5 Output 1 if b ′ = b , otherwise 0 12 / 50

  7. Secret key encryption MAC Attempt 2: Indistinguishable ciphertext security Exp IND E , A ( n ): 1 k ← Gen (1 n ) 2 m 0 , m 1 ← A (1 n ) with m 0 , m 1 ∈ M ∧ | m 0 | = | m 1 | 3 b ← R { 0 , 1 } , c ← Enc k ( m b ) 4 b ′ ← A ( c ) 5 Output 1 if b ′ = b , otherwise 0 Definition (Indistinguishable ciphertexts (IND)) A secret key encryption scheme E has indistinguishable ciphertexts if for all efficient adversaries A their advantage ε in winning above game is negligible = 1 � � Exp IND Pr E , A ( n ) = 1 2 + ε. This definition is a lot easier to work with and equivalent to SEM! 12 / 50

  8. Secret key encryption MAC Is IND efficiently achievable? We first need tooling. Definition (Pseudorandom generator (PRG)) Let ℓ be a polynomial and let G be a deterministic, efficient algorithm that implements a function G : { 0 , 1 } n → { 0 , 1 } ℓ ( n ) . We say G is a secure PRG if the following two conditions hold: 13 / 50

  9. Secret key encryption MAC Is IND efficiently achievable? We first need tooling. Definition (Pseudorandom generator (PRG)) Let ℓ be a polynomial and let G be a deterministic, efficient algorithm that implements a function G : { 0 , 1 } n → { 0 , 1 } ℓ ( n ) . We say G is a secure PRG if the following two conditions hold: 1 Expansion: For every n it holds that ℓ ( n ) > n . 13 / 50

  10. Secret key encryption MAC Is IND efficiently achievable? We first need tooling. Definition (Pseudorandom generator (PRG)) Let ℓ be a polynomial and let G be a deterministic, efficient algorithm that implements a function G : { 0 , 1 } n → { 0 , 1 } ℓ ( n ) . We say G is a secure PRG if the following two conditions hold: 1 Expansion: For every n it holds that ℓ ( n ) > n . 2 Pseudorandomness: For all efficient distinguishers D the advantage ε distinguishing outputs of G from random is negligible, where � � � � ε = r ← R { 0 , 1 } ℓ ( n ) [ D ( r ) = 1] − Pr s ← R { 0 , 1 } n [ D (G( s )) = 1] Pr � . � � � 13 / 50

  11. Secret key encryption MAC Is IND efficiently achievable? We first need tooling. Definition (Pseudorandom generator (PRG)) Let ℓ be a polynomial and let G be a deterministic, efficient algorithm that implements a function G : { 0 , 1 } n → { 0 , 1 } ℓ ( n ) . We say G is a secure PRG if the following two conditions hold: 1 Expansion: For every n it holds that ℓ ( n ) > n . 2 Pseudorandomness: For all efficient distinguishers D the advantage ε distinguishing outputs of G from random is negligible, where � � � � ε = r ← R { 0 , 1 } ℓ ( n ) [ D ( r ) = 1] − Pr s ← R { 0 , 1 } n [ D (G( s )) = 1] Pr � . � � � PRG’s exist if one-way functions exist. Will see examples later. 13 / 50

  12. Secret key encryption MAC Is IND efficiently achievable? Construction (PRG-ENC) Let n ∈ N be the security parameter, let M = { 0 , 1 } ℓ ( n ) (= C ) , and let G be a PRG as defined above. The PRG-ENC encryption scheme consists of the following three algorithms: Gen (1 n ) : Return k ← R { 0 , 1 } n . Enc k ( m ) : Return c = m ⊕ G( k ) . Dec k ( c ) : Return m ′ = c ⊕ G( k ) . 14 / 50

  13. Secret key encryption MAC Is IND efficiently achievable? Construction (PRG-ENC) Let n ∈ N be the security parameter, let M = { 0 , 1 } ℓ ( n ) (= C ) , and let G be a PRG as defined above. The PRG-ENC encryption scheme consists of the following three algorithms: Gen (1 n ) : Return k ← R { 0 , 1 } n . Enc k ( m ) : Return c = m ⊕ G( k ) . Dec k ( c ) : Return m ′ = c ⊕ G( k ) . Correctness Dec k ( Enc k ( m )) = ( m ⊕ G( k )) ⊕ G( k ) = m 14 / 50

  14. Secret key encryption MAC PRG-ENC is IND secure Proof by reduction. If there exists A that can distinguish ciphertexts of PRG-ENC in time t with advantage ε then the following algorithm D runs in time ≈ t and succeeds in distinguishing G with advantage ε ′ = ε . 15 / 50

  15. Secret key encryption MAC PRG-ENC is IND secure Proof by reduction. If there exists A that can distinguish ciphertexts of PRG-ENC in time t with advantage ε then the following algorithm D runs in time ≈ t and succeeds in distinguishing G with advantage ε ′ = ε . Construction (Distinguisher D ) Given as input a string w ∈ { 0 , 1 } ℓ ( n ) : 1 Run m 0 , m 1 ← A (1 n ) 2 Set b ← R { 0 , 1 } , c = m b ⊕ w 3 Run b ′ ← A ( c ) 4 Return 1 if b = b ′ , otherwise 0. 15 / 50

  16. Secret key encryption MAC Advantage of D Construction (Distinguisher D ) Given as input a string w ∈ { 0 , 1 } ℓ ( n ) : 1 Run m 0 , m 1 ← A (1 n ) 2 Set b ← R { 0 , 1 } , c = m b ⊕ w 3 Run b ′ ← A ( c ) 4 Return 1 if b = b ′ , otherwise 0. ε ′ = | Pr [ D ( r ) = 1] − Pr [ D (G( s )) = 1] | 16 / 50

  17. Secret key encryption MAC Advantage of D Construction (Distinguisher D ) Given as input a string w ∈ { 0 , 1 } ℓ ( n ) : 1 Run m 0 , m 1 ← A (1 n ) 2 Set b ← R { 0 , 1 } , c = m b ⊕ w 3 Run b ′ ← A ( c ) 4 Return 1 if b = b ′ , otherwise 0. ε ′ = | Pr [ D ( r ) = 1] − Pr [ D (G( s )) = 1] | = 1 � � Exp IND Pr [ D ( r ) = 1] = Pr OTP , A ( n ) = 1 2 16 / 50

  18. Secret key encryption MAC Advantage of D Construction (Distinguisher D ) Given as input a string w ∈ { 0 , 1 } ℓ ( n ) : 1 Run m 0 , m 1 ← A (1 n ) 2 Set b ← R { 0 , 1 } , c = m b ⊕ w 3 Run b ′ ← A ( c ) 4 Return 1 if b = b ′ , otherwise 0. ε ′ = | Pr [ D ( r ) = 1] − Pr [ D (G( s )) = 1] | = 1 � � Exp IND Pr [ D ( r ) = 1] = Pr OTP , A ( n ) = 1 2 = 1 � � Exp IND Pr [ D (G( s )) = 1] = Pr PRG − ENC , A ( n ) = 1 2 + ε 16 / 50

  19. Secret key encryption MAC Advantage of D Construction (Distinguisher D ) Given as input a string w ∈ { 0 , 1 } ℓ ( n ) : 1 Run m 0 , m 1 ← A (1 n ) 2 Set b ← R { 0 , 1 } , c = m b ⊕ w 3 Run b ′ ← A ( c ) 4 Return 1 if b = b ′ , otherwise 0. ε ′ = | Pr [ D ( r ) = 1] − Pr [ D (G( s )) = 1] | = 1 � � Exp IND Pr [ D ( r ) = 1] = Pr OTP , A ( n ) = 1 2 = 1 � � Exp IND Pr [ D (G( s )) = 1] = Pr PRG − ENC , A ( n ) = 1 2 + ε � �� 1 � 1 ε ′ = � � 2 − 2 + ε � = ε � � � 16 / 50

  20. Secret key encryption MAC PRG-ENC is IND secure Theorem If there exists A that can distinguish ciphertexts of PRG-ENC in time t with advantage ε then the algorithm D from above runs in time ≈ t and succeeds in breaking G with advantage ε ′ = ε . Hence, if G is a secure PRG, then PRG-ENC has indistinguishable ciphertexts. 17 / 50

  21. Secret key encryption MAC What did we achieve? SEM, IND, and perfect secrecy define A ’s goal 18 / 50

  22. Secret key encryption MAC What did we achieve? SEM, IND, and perfect secrecy define A ’s goal What about A ’s attack capabilities? 18 / 50

  23. Secret key encryption MAC What did we achieve? SEM, IND, and perfect secrecy define A ’s goal What about A ’s attack capabilities? In this sense they are unrealistic single message notions. 18 / 50

  24. Secret key encryption MAC Is this realistic? 19 / 50

  25. Secret key encryption MAC Or rather this. 20 / 50

  26. Secret key encryption MAC What can A learn? Often messages follow known format (MIME, HTML, XML,. . . ). 21 / 50

  27. Secret key encryption MAC What can A learn? Often messages follow known format (MIME, HTML, XML,. . . ). Often parts of messages are guessable: “To whom it may concern,” “Dear [Recipient],” “Best regards, \ n [Sender]” “Cheers, \ n [Sender]” 21 / 50

  28. Secret key encryption MAC What can A learn? Often messages follow known format (MIME, HTML, XML,. . . ). Often parts of messages are guessable: “To whom it may concern,” “Dear [Recipient],” “Best regards, \ n [Sender]” “Cheers, \ n [Sender]” Want to model the worst case: Let A choose messages that get encrypted! 21 / 50

  29. Secret key encryption MAC IND under chosen plaintext attacks (IND-CPA) 22 / 50

  30. Secret key encryption MAC IND under chosen plaintext attacks (IND-CPA). Exp IND − CPA ( n ): E , A 1 k ← Gen (1 n ) 2 m 0 , m 1 ← A Enc k ( · ) (1 n ) with m 0 , m 1 ∈ M ∧ | m 0 | = | m 1 | 3 b ← R { 0 , 1 } , c ← Enc k ( m b ) 4 b ′ ← A Enc k ( · ) ( c ) 5 Output 1 if b ′ = b , otherwise 0 23 / 50

  31. Secret key encryption MAC IND under chosen plaintext attacks (IND-CPA). Exp IND − CPA ( n ): E , A 1 k ← Gen (1 n ) 2 m 0 , m 1 ← A Enc k ( · ) (1 n ) with m 0 , m 1 ∈ M ∧ | m 0 | = | m 1 | 3 b ← R { 0 , 1 } , c ← Enc k ( m b ) 4 b ′ ← A Enc k ( · ) ( c ) 5 Output 1 if b ′ = b , otherwise 0 Definition (IND-CPA) A secret key encryption scheme E has indistinguishable ciphertexts under chosen plaintext attacks if for all efficient adversaries A their advantage ε in winning above game is negligible ≤ 1 � � Exp IND − CPA Pr ( n ) = 1 2 + ε. E , A 23 / 50

  32. Secret key encryption MAC IND under chosen plaintext attacks (IND-CPA). Exp IND − CPA ( n ): E , A 1 k ← Gen (1 n ) 2 m 0 , m 1 ← A Enc k ( · ) (1 n ) with m 0 , m 1 ∈ M ∧ | m 0 | = | m 1 | 3 b ← R { 0 , 1 } , c ← Enc k ( m b ) 4 b ′ ← A Enc k ( · ) ( c ) 5 Output 1 if b ′ = b , otherwise 0 Definition (IND-CPA) A secret key encryption scheme E has indistinguishable ciphertexts under chosen plaintext attacks if for all efficient adversaries A their advantage ε in winning above game is negligible ≤ 1 � � Exp IND − CPA Pr ( n ) = 1 2 + ε. E , A Note: This definition is equivalent to SEM-CPA. 23 / 50

  33. Secret key encryption MAC IND-CPA secure SKE Is the one-time pad IND-CPA-secure? 24 / 50

  34. Secret key encryption MAC IND-CPA secure SKE Is the one-time pad IND-CPA-secure? What about PRG-ENC? 24 / 50

  35. Secret key encryption MAC IND-CPA secure SKE Is the one-time pad IND-CPA-secure? What about PRG-ENC? Theorem A deterministic encryption scheme cannot be IND-CPA secure. 24 / 50

  36. Secret key encryption MAC IND-CPA secure SKE Is the one-time pad IND-CPA-secure? What about PRG-ENC? Theorem A deterministic encryption scheme cannot be IND-CPA secure. Proof idea. Send m 0 to Enc k ( · ) and compare result with challenge ciphertext. 24 / 50

  37. Secret key encryption MAC Pseudorandom function families A keyed function is a two input function F : K × X → Y where the first input is called the key and denoted k . We will write F k ( x ) def = F( k , x ). 25 / 50

  38. Secret key encryption MAC Pseudorandom function families A keyed function is a two input function F : K × X → Y where the first input is called the key and denoted k . We will write F k ( x ) def = F( k , x ). Definition (Pseudorandom function family (PRF)) Let F : { 0 , 1 } n × { 0 , 1 } n → { 0 , 1 } n be an efficient, length-preserving, keyed function. We say F is a pseudorandom function if for all efficient distinguishers D the distinguishing advantage ε is negligible, where � �� � � � D F k ( · ) (1 n ) = 1 D f n ( · ) (1 n ) = 1 � � ε = Pr − Pr � . � � k ← R { 0 , 1 } n f n ← R FUNC n � 25 / 50

  39. Secret key encryption MAC Pseudorandom function families A keyed function is a two input function F : K × X → Y where the first input is called the key and denoted k . We will write F k ( x ) def = F( k , x ). Definition (Pseudorandom function family (PRF)) Let F : { 0 , 1 } n × { 0 , 1 } n → { 0 , 1 } n be an efficient, length-preserving, keyed function. We say F is a pseudorandom function if for all efficient distinguishers D the distinguishing advantage ε is negligible, where � �� � � � D F k ( · ) (1 n ) = 1 D f n ( · ) (1 n ) = 1 � � ε = Pr − Pr � . � � k ← R { 0 , 1 } n f n ← R FUNC n � PRF’s exist if PRG’s exist [GGM’84]. For length doubling PRG G define F k ( x ) def � � = G . . . G (G( k ) x 1 ) x 2 . . . x n . 25 / 50

  40. Secret key encryption MAC Pseudorandom permutation families Formal model for block ciphers is PRP. Definition (Pseudorandom permutation family (PRP)) Let n ∈ N be the security parameter, F : { 0 , 1 } n × { 0 , 1 } n → { 0 , 1 } n be an efficient, length-preserving, keyed permutation. We say F is a family of pseudorandom permutations (PRP) if for all efficient distinguishers D the distinguishing advantage ε is negligible, where � � D F k ( · ) , F − 1 � � ( · ) (1 n ) = 1 ε = Pr k � k ← R { 0 , 1 } n � �� � D f n ( · ) , f − 1 ( · ) (1 n ) = 1 � − Pr n � , � f n ← R Perm n where Perm n denotes the set of all permutations over { 0 , 1 } n . A PRP is a PRF (Switching-Lemma) but not vice-versa. 26 / 50

  41. Secret key encryption MAC IND-CPA-secure SKE Construction (PRF-ENC) Let n ∈ N be the security parameter, let M = { 0 , 1 } n (= C = K ) , and let F be a length-preserving PRF as defined above. The PRF-ENC encryption scheme consists of the following three algorithms: Gen (1 n ) : Return k ← R { 0 , 1 } n . Enc k ( m ) : Sample r ← R { 0 , 1 } n , compute ¯ c = m ⊕ F k ( r ) , and return c = � r , ¯ c � . c � . Return m ′ = ¯ Dec k ( c ) : Parse c as � r , ¯ c ⊕ F k ( r ) . 27 / 50

  42. Secret key encryption MAC IND-CPA-secure SKE Construction (PRF-ENC) Let n ∈ N be the security parameter, let M = { 0 , 1 } n (= C = K ) , and let F be a length-preserving PRF as defined above. The PRF-ENC encryption scheme consists of the following three algorithms: Gen (1 n ) : Return k ← R { 0 , 1 } n . Enc k ( m ) : Sample r ← R { 0 , 1 } n , compute ¯ c = m ⊕ F k ( r ) , and return c = � r , ¯ c � . c � . Return m ′ = ¯ Dec k ( c ) : Parse c as � r , ¯ c ⊕ F k ( r ) . Correctness Dec k ( Enc k ( m )) = ( m ⊕ F k ( r )) ⊕ F k ( r ) = m 27 / 50

  43. Secret key encryption MAC PRF-ENC is IND-CPA secure Proof idea. Similar to PRG-ENC. Given A that breaks IND-CPA of PRF-ENC in time t , with advantage ε then the following algorithm D runs in time ≈ t and succeeds in distinguishing F with advantage ε ′ ≈ ε . 28 / 50

  44. Secret key encryption MAC PRF-ENC is IND-CPA secure Proof idea. Similar to PRG-ENC. Given A that breaks IND-CPA of PRF-ENC in time t , with advantage ε then the following algorithm D runs in time ≈ t and succeeds in distinguishing F with advantage ε ′ ≈ ε . Construction (Distinguisher D ) Given access to oracle O : { 0 , 1 } n → { 0 , 1 } n : 1 Run m 0 , m 1 ← A Enc ′ ( · ) (1 n ) 2 Set b ← R { 0 , 1 } , r ∗ ← R { 0 , 1 } n , ¯ c ∗ = m b ⊕ O ( r ∗ ) 3 Run b ′ ← A Enc ′ ( · ) ( � r ∗ , ¯ c ∗ � ) 4 Return 1 if b = b ′ , otherwise 0 where Enc ′ ( · ) computes r ← R { 0 , 1 } n , ¯ c = m b ⊕ O ( r ) and returns � r , ¯ c � . 28 / 50

  45. Secret key encryption MAC Advantage of D Construction (Distinguisher D ) Given access to oracle O : { 0 , 1 } n → { 0 , 1 } n : 2 Set b ← R { 0 , 1 } , r ∗ ← R { 0 , 1 } n , ¯ c ∗ = m b ⊕ O ( r ∗ ) where Enc ′ ( · ) computes r ← R { 0 , 1 } n , ¯ c = m b ⊕ O ( r ) and returns � r , ¯ c � . � �� ε ′ = � � � D F k ( · ) (1 n ) = 1 D f n ( · ) (1 n ) = 1 � � Pr − Pr � � k ← R { 0 , 1 } n f n ← R FUNC n � � 29 / 50

  46. Secret key encryption MAC Advantage of D Construction (Distinguisher D ) Given access to oracle O : { 0 , 1 } n → { 0 , 1 } n : 2 Set b ← R { 0 , 1 } , r ∗ ← R { 0 , 1 } n , ¯ c ∗ = m b ⊕ O ( r ∗ ) where Enc ′ ( · ) computes r ← R { 0 , 1 } n , ¯ c = m b ⊕ O ( r ) and returns � r , ¯ c � . � �� ε ′ = � � � D F k ( · ) (1 n ) = 1 D f n ( · ) (1 n ) = 1 � � Pr − Pr � � k ← R { 0 , 1 } n f n ← R FUNC n � � � �� � � � Exp IND − CPA Exp IND − CPA � � = � Pr PRF − ENC , A ( n ) = 1 − Pr PRF − ENC , A ( n ) = 1 � � � � 29 / 50

  47. Secret key encryption MAC Advantage of D Construction (Distinguisher D ) Given access to oracle O : { 0 , 1 } n → { 0 , 1 } n : 2 Set b ← R { 0 , 1 } , r ∗ ← R { 0 , 1 } n , ¯ c ∗ = m b ⊕ O ( r ∗ ) where Enc ′ ( · ) computes r ← R { 0 , 1 } n , ¯ c = m b ⊕ O ( r ) and returns � r , ¯ c � . � �� ε ′ = � � � D F k ( · ) (1 n ) = 1 D f n ( · ) (1 n ) = 1 � � Pr − Pr � � k ← R { 0 , 1 } n f n ← R FUNC n � � � �� � � � Exp IND − CPA Exp IND − CPA � � = � Pr PRF − ENC , A ( n ) = 1 − Pr PRF − ENC , A ( n ) = 1 � � � � � �� 1 � 1 2 + q � ε − q � � � � = 2 + ε − � = � � � � 2 n 2 n � � 29 / 50

  48. Secret key encryption MAC PRF-ENC is IND-CPA secure Theorem If there exists A that can distinguish ciphertexts of PRF-ENC during a CPA-experiment in time t with advantage ε then the algorithm D from above runs in time ≈ t and succeeds in breaking F with advantage ε ′ ≥ ε − q / 2 n . Hence, if F is a secure PRF, then PRF-ENC has indistinguishable ciphertexts under chosen plaintext attacks. 30 / 50

  49. Secret key encryption MAC Arbitrary length messages PRF-ENC only works for n -bit messages. 31 / 50

  50. Secret key encryption MAC Arbitrary length messages PRF-ENC only works for n -bit messages. Can repeat fixed-length scheme: For ℓ n -bit message m = ( m 1 � m 2 � . . . � m ℓ ) ciphertext is c = � r 1 , F k ( r 1 ) ⊕ m 1 , r 2 , F k ( r 2 ) ⊕ m 2 , . . . , r ℓ , F k ( r ℓ ) ⊕ m ℓ � 31 / 50

  51. Secret key encryption MAC Arbitrary length messages PRF-ENC only works for n -bit messages. Can repeat fixed-length scheme: For ℓ n -bit message m = ( m 1 � m 2 � . . . � m ℓ ) ciphertext is c = � r 1 , F k ( r 1 ) ⊕ m 1 , r 2 , F k ( r 2 ) ⊕ m 2 , . . . , r ℓ , F k ( r ℓ ) ⊕ m ℓ � Pretty inefficient! Solution: Modes of operation 31 / 50

  52. Secret key encryption MAC Electronic code book mode (ECB) 32 / 50

  53. Secret key encryption MAC Electronic code book mode (ECB) Deterministic! Even worse, not even IND for single message attacks! (Consider m 0 = m � m ; m 1 = m � m ′ for m , m ′ ∈ { 0 , 1 } n ) 32 / 50

  54. Secret key encryption MAC Cipher block chaining mode (CBC) 33 / 50

  55. Secret key encryption MAC Cipher block chaining mode (CBC) IND-CPA if F is a PRP. IV has to be random, if it is predictable CBC is vulnerable! 33 / 50

  56. Secret key encryption MAC Counter mode (CTR) 34 / 50

  57. Secret key encryption MAC Counter mode (CTR) IND-CPA if F is a PRF. 34 / 50

  58. Secret key encryption MAC What about active attacks? A might be able to learn decryption of ciphertexts at a later point by compromising the system. 35 / 50

  59. Secret key encryption MAC What about active attacks? A might be able to learn decryption of ciphertexts at a later point by compromising the system. A might even get access to a decryption oracle (lunch time attack). 35 / 50

  60. Secret key encryption MAC What about active attacks? A might be able to learn decryption of ciphertexts at a later point by compromising the system. A might even get access to a decryption oracle (lunch time attack). Want to model the worst case: Let A choose ciphertexts that get decrypted! 35 / 50

  61. Secret key encryption MAC IND under chosen ciphertext attacks Exp IND − CCA ( n ): E , A 1 k ← Gen (1 n ) 2 m 0 , m 1 ← A Enc k ( · ) , Dec k ( · ) (1 n ) with m 0 , m 1 ∈ M ∧ | m 0 = m 1 | 3 b ← R { 0 , 1 } , c ∗ ← Enc k ( m b ) 4 b ′ ← A Enc k ( · ) , Dec k ( · ) ( c ∗ ) with Dec k ( c ∗ ) = ⊥ 5 Output 1 if b ′ = b , otherwise 0 36 / 50

  62. Secret key encryption MAC IND under chosen ciphertext attacks Exp IND − CCA ( n ): E , A 1 k ← Gen (1 n ) 2 m 0 , m 1 ← A Enc k ( · ) , Dec k ( · ) (1 n ) with m 0 , m 1 ∈ M ∧ | m 0 = m 1 | 3 b ← R { 0 , 1 } , c ∗ ← Enc k ( m b ) 4 b ′ ← A Enc k ( · ) , Dec k ( · ) ( c ∗ ) with Dec k ( c ∗ ) = ⊥ 5 Output 1 if b ′ = b , otherwise 0 Definition (IND-CCA) A secret key encryption scheme E has indistinguishable ciphertexts under chosen ciphertext attacks if for all efficient adversaries A their advantage ε in winning above game is negligible ≤ 1 � � Exp IND − CCA Pr ( n ) = 1 2 + ε. E , A 36 / 50

  63. Secret key encryption MAC IND under chosen ciphertext attacks Exp IND − CCA ( n ): E , A 1 k ← Gen (1 n ) 2 m 0 , m 1 ← A Enc k ( · ) , Dec k ( · ) (1 n ) with m 0 , m 1 ∈ M ∧ | m 0 = m 1 | 3 b ← R { 0 , 1 } , c ∗ ← Enc k ( m b ) 4 b ′ ← A Enc k ( · ) , Dec k ( · ) ( c ∗ ) with Dec k ( c ∗ ) = ⊥ 5 Output 1 if b ′ = b , otherwise 0 Definition (IND-CCA) A secret key encryption scheme E has indistinguishable ciphertexts under chosen ciphertext attacks if for all efficient adversaries A their advantage ε in winning above game is negligible ≤ 1 � � Exp IND − CCA Pr ( n ) = 1 2 + ε. E , A This definition is equivalent to SEM-CCA. 36 / 50

  64. Secret key encryption MAC MAC 37 / 50

  65. Secret key encryption MAC Message authentication Sometimes we want more than secrecy! Acknowledgement of receipt, social communication, source of executable, . . . 38 / 50

  66. Secret key encryption MAC Message authentication Sometimes we want more than secrecy! Acknowledgement of receipt, social communication, source of executable, . . . We need integrity and authenticity! 38 / 50

  67. Secret key encryption MAC Message authentication Sometimes we want more than secrecy! Acknowledgement of receipt, social communication, source of executable, . . . We need integrity and authenticity! ? Encryption ⇒ Authenticity / integrity? 38 / 50

  68. Secret key encryption MAC Message authentication Sometimes we want more than secrecy! Acknowledgement of receipt, social communication, source of executable, . . . We need integrity and authenticity! ? Encryption ⇒ Authenticity / integrity? PRG-ENC, PRF-ENC, ... any stream cipher allows controlled bit-flips. If format is known this may be disastrous Block ciphers make similar attacks harder but no guarantees. ECB-mode allows to switch order of blocks, repeat blocks, etc. 38 / 50

  69. Secret key encryption MAC MAC 39 / 50

  70. Secret key encryption MAC Message authentication codes (MAC) Definition (message authentication code) A message authentication code or MAC is a tuple of probabilistic polynomial-time algorithms MAC = ( Gen , Mac , Vrfy ) over a message space M , fulfilling the following: Gen is a probabilistic algorithm that on input 1 n outputs a key k . The output space of Gen is called the key space K . Mac takes as input a key k ∈ K and a message m ∈ M , and outputs a tag t ∈ T . The output space of Mac is called tag space T . Vrfy is a deterministic algorithm that takes as inputs a key k ∈ K , a message m ∈ M , and a tag t ∈ T , and outputs a bit b ∈ { 0 , 1 } . Correctness: For every n , every k ← Gen (1 n ), and every m ∈ M it holds that Vrfy k ( m , Mac k ( m )) = 1 . 40 / 50

  71. Secret key encryption MAC Existential unforgeability under (adaptive) chosen message attacks (EU-CMA) 41 / 50

  72. Secret key encryption MAC Existential unforgeability under (adaptive) chosen message attacks (EU-CMA) Exp EU − CMA ( n ) MAC , A 1 k ← Gen (1 n ) 2 ( m , t ) ← A Mac k ( · ) (1 n ). Let { m i } q 1 denote A ’s queries to Mac k 3 If Vrfy k ( m , t ) := 1 and m �∈ { m i } q 1 return 1 4 Else return 0. 42 / 50

  73. Secret key encryption MAC Existential unforgeability under (adaptive) chosen message attacks (EU-CMA) Definition (EU-CMA) A message authentication code MAC = ( Gen , Mac , Vrfy ) over a message space M is existentially unforgeable under an adaptive chosen-message attack, or just secure, if for all efficient adversaries A the success probability ε in winning Exp EU − CMA ( n ) is MAC , A negligible, where � � Exp EU − CMA ε = Pr ( n ) = 1 MAC , A 43 / 50

  74. Secret key encryption MAC Remarks There exists a constant time attack with success probability 1 / |T | against every MAC ⇒ Tags must not be too short 44 / 50

  75. Secret key encryption MAC Remarks There exists a constant time attack with success probability 1 / |T | against every MAC ⇒ Tags must not be too short MAC’s do not prevent replay attacks! Replay attacks have to be handled on protocol level (e.g., using sequence numbers). 44 / 50

Recommend

Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing

Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing

Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing Constructions Moir Cryptography Issues Secret Sharing Secret Sharing Threshold Secret Sharing (Shamir, Blakely 1979) Motivation

1.32k views • 62 slides
Cryptography Basics Network Security Instructor: Haojin Zhu 1 Cryptography What is

Cryptography Basics Network Security Instructor: Haojin Zhu 1 Cryptography What is

Cryptography Basics Network Security Instructor: Haojin Zhu 1 Cryptography What is cryptography? Related fields: Cryptography ("secret writing"): Making secret messages Turning plaintext (an ordinary readable message)

1.2k views • 57 slides
Advanced Tools from Modern Cryptography Lecture 3 Secret-Sharing (ctd.) Secret-Sharing Last

Advanced Tools from Modern Cryptography Lecture 3 Secret-Sharing (ctd.) Secret-Sharing Last

Advanced Tools from Modern Cryptography Lecture 3 Secret-Sharing (ctd.) Secret-Sharing Last time (n,t) secret-sharing (n,n) via additive secret-sharing Shamir secret-sharing for general (n,t) Shamir secret-sharing is a linear

611 views • 14 slides
Cryptography Cryptography secret- secret -key and and public key and and public- -key

Cryptography Cryptography secret- secret -key and and public key and and public- -key

Cryptography Cryptography secret- secret -key and and public key and and public- -key technologies key technologies September 4, 2020 Administrative getting VM files getting VM files Administrative new 1 Administrative

736 views • 45 slides
Modeling the security of cryptography, part 1: secret-key cryptography D. J. Bernstein

Modeling the security of cryptography, part 1: secret-key cryptography D. J. Bernstein

Modeling the security of cryptography, part 1: secret-key cryptography D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tanja Lange Technische Universiteit Eindhoven

861 views • 70 slides
Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria,

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria,

Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria, team-project SECRET April 9, 2018 introduction 1. Code based cryptography Difficult problem in coding theory Problem 1. [Decoding] Input: n, r,

800 views • 53 slides
Introduction to Symmetric Cryptography Lars R. Knudsen June 2014 L.R. Knudsen Introduction to

Introduction to Symmetric Cryptography Lars R. Knudsen June 2014 L.R. Knudsen Introduction to

Introduction to Symmetric Cryptography Lars R. Knudsen June 2014 L.R. Knudsen Introduction to Symmetric Cryptography What is cryptography? Cryptography is communication in the presence of an adversary Ron Rivest. Coding theory Detection and

877 views • 28 slides
1 I t Introduction d ti

1 I t Introduction d ti

Secret Sharing and Threshold Cryptography 1 I t Introduction d ti Story #1: A millionaire put all his estate in a safe and leaves y p the combination to his seven

690 views • 47 slides
Cryptography Cryptography secret- -key and and public key and and public- -key technologies

Cryptography Cryptography secret- -key and and public key and and public- -key technologies

Cryptography Cryptography secret- -key and and public key and and public- -key technologies key technologies secret September 4, 2020 Administrative getting VM files getting VM files Administrative new Administrative

1.1k views • 63 slides
Cryptography Intro and RSA Well, a gentle intro to cryptography, followed by a description of

Cryptography Intro and RSA Well, a gentle intro to cryptography, followed by a description of

Cryptography Intro and RSA Well, a gentle intro to cryptography, followed by a description of public key crypto and RSA. Fall 2018 CS 222: Discrete Structures 1 Definition Cryptology is the study of secret writing Concerned with

681 views • 54 slides
ECEN 5022 Cryptography Introduction Peter Mathys University of Colorado Spring 2008 Peter

ECEN 5022 Cryptography Introduction Peter Mathys University of Colorado Spring 2008 Peter

Introduction ECEN 5022 Cryptography Introduction Peter Mathys University of Colorado Spring 2008 Peter Mathys ECEN 5022 Cryptography Introduction Basic Definitions, Overview Historically, cryptography is the science and study of secret

670 views • 28 slides
Lecture 9: Secret Sharing, Threshold Cryptography, MPC Helger Lipmaa Helsinki University of

Lecture 9: Secret Sharing, Threshold Cryptography, MPC Helger Lipmaa Helsinki University of

T-79.159 Cryptography and Data Security Lecture 9: Secret Sharing, Threshold Cryptography, MPC Helger Lipmaa Helsinki University of Technology helger@tcs.hut.fi T-79.159 Cryptography and Data Security, 24.03.2004 Lecture 9: Secret Sharing,

1.45k views • 33 slides
Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki University of Technology

Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki University of Technology

T-79.159 Cryptography and Data Security Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki University of Technology helger@tcs.hut.fi T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa

1.25k views • 34 slides
Private-Key Cryptography traditional private/secret/single key cryptography uses one key

Private-Key Cryptography traditional private/secret/single key cryptography uses one key

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Chapter 9 Public Key Cryptography and RSA Dr. Loai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Dr. Loai Tawalbeh Fall 2005 Private-Key

242 views • 12 slides
Cryptography I Exercises Luca Vigan` o Institut f ur Informatik

Cryptography I Exercises Luca Vigan` o Institut f ur Informatik

Cryptography I Exercises Luca Vigan` o Institut f ur Informatik Albert-Ludwigs-Universit at Freiburg IT-Security: Theory and Practice (WS02) Luca Vigan` o 1 Some definitions Cryptology: the study of secret writing.

1.19k views • 37 slides
Cryptography: Public Key Cryptography; Mathematical Preliminaries Greg Plaxton Theory in

Cryptography: Public Key Cryptography; Mathematical Preliminaries Greg Plaxton Theory in

Cryptography: Public Key Cryptography; Mathematical Preliminaries Greg Plaxton Theory in Programming Practice, Spring 2005 Department of Computer Science University of Texas at Austin Secure Communication Earlier we discussed the problems

202 views • 18 slides
Agreeing on a secret language : Diffie-Hellman Bobs secret language Alices public lock

Agreeing on a secret language : Diffie-Hellman Bobs secret language Alices public lock

Cryptography : how to talk in a secret language in public You broke ! my heart Agreeing on a secret language : Diffie-Hellman Bobs secret language Alices public lock box Only Alice Bob slams knows the the door combination

81 views • 7 slides
Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 20th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do? Authentication

711 views • 47 slides
15-853:Algorithms in the Real World Cryptography #2 15-853 Page 1 Cryptography Outline

15-853:Algorithms in the Real World Cryptography #2 15-853 Page 1 Cryptography Outline

15-853:Algorithms in the Real World Cryptography #2 15-853 Page 1 Cryptography Outline Introduction: terminology, cryptanalysis, security Private-Key Algorithms: Rijndael, DES Number Theory Groups Public-Key Algorithms: RSA, ElGamal,

525 views • 26 slides
Public Key Cryptography Introduction Foundation of todays secure communication Allows

Public Key Cryptography Introduction Foundation of todays secure communication Allows

Public Key Cryptography Introduction Foundation of todays secure communication Allows communicating parties to obtain a shared secret key Public key (for encryption) and Private key (for decryption) Private key (for digital

1.15k views • 56 slides
Asymmetric crypto Symmetric Source: Wikipedia Before cryptography: exchanging keys Secret

Asymmetric crypto Symmetric Source: Wikipedia Before cryptography: exchanging keys Secret

Asymmetric crypto Symmetric Source: Wikipedia Before cryptography: exchanging keys Secret key Only Alice and Bob know the secret key Private key Only Alice's knows Alice's private key (Bob doesn't know and never finds out)

1.07k views • 35 slides
1 Symmetric algorithm Public key algorithm Secret key public key and private key C 1 = E

1 Symmetric algorithm Public key algorithm Secret key public key and private key C 1 = E

Cryptography security Cryptography may be a component of a secure system Cryptographic Systems Adding cryptography may not make a Authentication & Communication system secure Protocols Paul Krzyzanowski Distributed Systems

753 views • 23 slides
Cryptography Public-Key Cryptography Uwe Egly Vienna University of Technology Institute of

Cryptography Public-Key Cryptography Uwe Egly Vienna University of Technology Institute of

Cryptography Public-Key Cryptography Uwe Egly Vienna University of Technology Institute of Information Systems Knowledge-Based Systems Group 1 / 18 Overview Problem of symmetric procedures: Exchange of secret key Solution: public-key

884 views • 18 slides
Public ! key cryptography S"##ested )y Diffie . /ellman 1567 8nstead 9f 9ne secret,

Public ! key cryptography S"##ested )y Diffie . /ellman 1567 8nstead 9f 9ne secret,

Public ! key cryptography S"##ested )y Diffie . /ellman 1567 8nstead 9f 9ne secret, s=ared key ?@it= t=e ass9ciated pr9)lems 9f key distri)"ti9n)C Dse a key pair ? e,d ) f9r eac= "ser 9ne f9r encrypti9n, 9ne f9r

865 views • 22 slides

More recommend