real world crypto and privacy june 2016

Copy of speaker slides from a summer school in Croatia on real-world crypto and privacy. June 2016


  1. Authenticated Encryption (AE)
     Part 1: 14:00 – 15:00
     Part 2: 15:00 – 16:00
     Phillip Rogaway, University of California, Davis, USA
     Summer school on Real-World Crypto and Privacy, Tuesday, 7 Jun 2016, Šibenik, Croatia
     Kind thanks to the organizers of this lovely summer school for the invitation to come talk.
     Today: Definitions and techniques for AE
       1. pE – prob enc achieving semantic security
       2. pAE – prob AE
       3. nAE – nonce-based AE with associated data (AEAD)
       4. MRAE – misuse-resistant AE
       5. RAE – robust AE
     1/72 Authenticated Encryption – 7 June 2016 – Šibenik, Croatia – Phillip Rogaway

  2. Symmetric encryption scheme
     Diagram: M enters E and C comes out; labels "???" and "?".
     Callout: This is a question
       1. What security notion should a symmetric encryption scheme aim to satisfy?
       2. How can we make pragmatic efficient schemes we believe to satisfy our chosen notion?

  3. Secure asymmetric encryption: IND-CPA [Goldwasser-Micali 1982]
     Classical view
     Diagram: the adversary A is given pk, sends M to an oracle, receives C, and outputs 1 or 0.
       Real oracle: \( E_{pk}(\cdot) \)
       Fake oracle: \( E_{pk}(\$^{|\cdot|}) \)
     \( \mathbf{Adv}^{\mathrm{PRIV}}_{P}(A, k) = \Pr[A^{\mathrm{Real}}(pk) \Rightarrow 1] - \Pr[A^{\mathrm{Fake}}(pk) \Rightarrow 1] \)
     A public-key encryption scheme P is secure if for all PPT A, the advantage above is negligible.
     P = (K, E, D), a probabilistic public-key encryption scheme:
       K takes coins $ and k and outputs pk and sk.
       E takes pk, M and coins $ and outputs C.
       D takes sk and C and outputs M.

  4. Secure symmetric encryption: pE [Bellare-Desai-Jokipii-Rogaway 1997]
     Classical view, following [GM82]
     Diagram: the adversary A sends M to an oracle, receives C, and outputs 1 or 0.
       Real oracle: \( E_{K}(\cdot) \)
       Fake oracle: \( E_{K}(\$^{|\cdot|}) \)
     \( \mathbf{Adv}^{\mathrm{pE}}_{P}(A) = \Pr[A^{\mathrm{Real}} \Rightarrow 1] - \Pr[A^{\mathrm{Fake}} \Rightarrow 1] \)
     A symmetric encryption scheme P is secure if for all PPT A, the advantage above is negligible.
     P = (K, E, D), a probabilistic symmetric encryption scheme:
       K takes coins $ and outputs K.
       E takes K, M and coins $ and outputs C.
       D takes K and C and outputs M.

  5. Achieving pE: CTR$
     Diagram: a random IV is chosen ($). E_K is applied to IV+1, IV+2, IV+3 and IV+4, and the outputs are XORed with the blocks of M to give C′. The ciphertext C consists of IV and C′.

  6. Formalizing Blockciphers [GGM84, LR95, BKR04]
     \( E : K \times \{0,1\}^n \to \{0,1\}^n \), each \( E_K(\cdot) = E(K, \cdot) \) a permutation.
     p: a random permutation on n bits.
     Diagram: the adversary A sends X to an oracle, receives either \( Y = E_K(X) \) or \( Y = p(X) \), and outputs 1 or 0.
     \( \mathbf{Adv}^{\mathrm{prp}}_{E}(A) = \Pr[A^{E_K} \Rightarrow 1] - \Pr[A^{p} \Rightarrow 1] \)
     \( \mathbf{Adv}^{\pm\mathrm{prp}}_{E}(A) = \Pr[A^{E_K,\, E_K^{-1}} \Rightarrow 1] - \Pr[A^{p,\, p^{-1}} \Rightarrow 1] \)

  7. Security of CTR$ [Bellare-Desai-Jokipii-Rogaway 1997]
     Diagram: the CTR$ construction from slide 5, and a reduction Rx that turns an adversary A attacking CTR$[E] into an adversary B attacking E.
       A breaks CTR$[E] with advantage d in the pE-sense.
       B breaks E with advantage f(Resources, d) in the PRP-sense.
     Thm. There exists a reduction Rx with the following property. Let \( E : K \times \{0,1\}^n \to \{0,1\}^n \) be a blockcipher and let A be an adversary using s blocks attacking P = CTR$[E] with pE-advantage d. Then B = Rx(A, E) breaks E with PRP-advantage \( \ge d - s^2\, 2^{-n} \) using resources comparable to A's.

  8. Traditional view of shared-key cryptography (until ~2000)
     Diagram: Sender and Receiver share the key K.
     Authenticity (data-origin authentication)
       Message Authentication Code (MAC)
       Existential-unforgeability under ACMA
       [Goldwasser, Micali, Rivest 1984/1988], [Bellare, Kilian, R 1994], [Bellare, Guerin, R 1995]
     Privacy (confidentiality)
       Encryption scheme
       IND-CPA
       [Goldwasser, Micali 1982], [Bellare, Desai, Jokipii, R 1997]
     Authenticated Encryption: achieve both of these aims.

  9. Needham-Schroeder Protocol (1978)
     Attacked by Denning-Sacco (1981)
     Callout: Practitioners never saw ind-cpa as encryption's intended goal.
     Diagram: the server S holds keys a and b; A holds a; B holds b.
       1. A to S: A . B . N_A
       2. S to A: {N_A . B . s . {s . A}_b}_a
       3. A to B: {s . A}_b
       4. B to A: {N_B}_s
       5. A to B: {N_B - 1}_s
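
Added example (not part of the original slides): a Python sketch of CTR$ from slides 5 and 7, showing that it is probabilistic and decrypts correctly, yet offers no authenticity, which is the gap between the two columns of slide 8. The Feistel/HMAC-SHA256 stand-in for E_K, all function names and the sample message are assumptions made for illustration.

```python
import hashlib, hmac, os

N = 16  # block length in bytes, so n = 128 bits

def E(key: bytes, block: bytes) -> bytes:
    """Stand-in blockcipher E_K (assumption): 4-round Feistel, HMAC-SHA256 rounds."""
    left, right = block[:N // 2], block[N // 2:]
    for r in range(4):
        f = hmac.new(key, bytes([r]) + right, hashlib.sha256).digest()[:N // 2]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def pad(key: bytes, iv: bytes, length: int) -> bytes:
    """E_K(IV+1) || E_K(IV+2) || ... truncated to `length` bytes."""
    base, out, i = int.from_bytes(iv, "big"), b"", 1
    while len(out) < length:
        out += E(key, ((base + i) % 2 ** (8 * N)).to_bytes(N, "big"))
        i += 1
    return out[:length]

def ctr_encrypt(key: bytes, msg: bytes) -> bytes:
    """CTR$: fresh random IV per message; C = IV || C'."""
    iv = os.urandom(N)
    return iv + bytes(m ^ p for m, p in zip(msg, pad(key, iv, len(msg))))

def ctr_decrypt(key: bytes, ct: bytes) -> bytes:
    iv, c_prime = ct[:N], ct[N:]
    return bytes(c ^ p for c, p in zip(c_prime, pad(key, iv, len(c_prime))))

def tamper(ct: bytes, offset: int, mask: int) -> bytes:
    """XOR `mask` into byte `offset` of C'; needs no key."""
    i = N + offset
    return ct[:i] + bytes([ct[i] ^ mask]) + ct[i + 1:]

def birthday_term(s: int, n: int = 8 * N) -> float:
    """The s^2 * 2^-n loss term in the slide-7 bound."""
    return s * s / 2 ** n

if __name__ == "__main__":
    key = os.urandom(32)
    msg = b"PAY 0100 TO BOB"  # constructed sample plaintext
    c1, c2 = ctr_encrypt(key, msg), ctr_encrypt(key, msg)
    print("same M, different C:", c1 != c2)
    # Decryption accepts the modified ciphertext and returns a changed plaintext.
    print(ctr_decrypt(key, tamper(c1, 4, ord("0") ^ ord("9"))))
    print("loss term for s = 2^32 blocks:", birthday_term(2 ** 32))
```

The receiver has no way to reject the modified ciphertext: pE (IND-CPA) says nothing about integrity, so a MAC or an AE scheme is needed for that.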
