1 Intro To Encryption Exercise 4. 2 Defining Pseudo-Random Permutation Let A be alg. with oracle to a function from {0,1} k to {0,1} k Notation: let A.

Slides:



Advertisements
Similar presentations
6.1.2 Overview DES is a block cipher, as shown in Figure 6.1.
Advertisements

Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted , new key for every message.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
1 PRPs and PRFs CS255: Winter Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.
1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
CIS 5371 Cryptography 3b. Pseudorandomness.
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley Carnegie Mellon University.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.
1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.
Rachana Y. Patil 1 Data Encryption Standard (DES) (DES)
Data Encryption Standard (DES)
Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.
Intro To Secure Comm. Exercise 2. Problem  You wish for your users to access a remote server via user and password.  All of the users have modems and.
1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.
Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.
Practical Techniques for Searches on Encrypted Data Author:Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀汶承.
1 Constructing Pseudo-Random Permutations with a Prescribed Structure Moni Naor Weizmann Institute Omer Reingold AT&T Research.
1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen.
Lecture 23 Symmetric Encryption
Foundations of Cryptography Lecture 10: Pseudo-Random Permutations and the Security of Encryption Schemes Lecturer: Moni Naor Announce home )deadline.
1 Intro To Encryption Exercise 6. 2 Problem Is every (weak) CRHF also a OWF.
1 Intro To Encryption Exercise 7. 2 Problem Show a OWHF and distribution of passwords s.t. both unix and S/Key fail.
Hybrid Cipher encryption Plain Text Key Cipher Text Key Plain Text IV Hybrid Cipher decryption Hybrid Cipher Note: IV used in encryption is not used in.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Dan Boneh Authenticated Encryption Chosen ciphertext attacks Online Cryptography Course Dan Boneh.
Hash Functions A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M) Principal object is.
One-Time Pad Or Vernam Cipher Sayed Mahdi Mohammad Hasanzadeh Spring 2004.
Chapter 20 Symmetric Encryption and Message Confidentiality.
Ryan Henry I 538 /B 609 : Introduction to Cryptography.
1 Lect. 13 : Public Key Encryption RSA ElGamal. 2 Shamir Rivest Adleman RSA Public Key Systems  RSA is the first public key cryptosystem  Proposed in.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
Two New Online Ciphers Mridul Nandi National Institute of Standards and Technology, Gaithersburg, MD Indocrypt 2008, Kharagpur.
Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.
Public Key Encryption with keyword Search Author: Dan Boneh Rafail Ostroversity Giovanni Di Crescenzo Giuseppe Persiano Presenter: 陳昱圻.
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley Carnegie Mellon University.
Lecture 23 Symmetric Encryption
Secure Computation Lecture Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.
CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.
Tae-Joon Kim Jong yun Jun
Cryptography Lecture 6 Arpita Patra © Arpita Patra.
CS555Spring 2012/Topic 81 Cryptography CS 555 Topic 8: Pseudorandom Functions and CPA Security.
EE 122: Lecture 24 (Security) Ion Stoica December 4, 2001.
Dan Boneh Public Key Encryption from trapdoor permutations Constructions Online Cryptography Course Dan Boneh Goal: construct chosen-ciphertext secure.
Cryptography Lecture 10 Arpita Patra © Arpita Patra.
@Yuan Xue CS 285 Network Security Block Cipher Principle Fall 2012 Yuan Xue.
Digital signatures.
PRPs and PRFs CS255: Winter 2017
Cryptography Lecture 12.
Topic 5: Constructing Secure Encryption Schemes
Midterm Statistics Minimum Value 56.1 Maximum Value 93.8 Range 37.7
B504/I538: Introduction to Cryptography
Cryptography Lecture 19.
Topic 7: Pseudorandom Functions and CPA-Security
Cryptography Lecture 7.
B504/I538: Introduction to Cryptography
Function Notation “f of x” Input = x Output = f(x) = y.
Cryptography Lecture 12 Arpita Patra © Arpita Patra.
Cryptography Lecture 8.
Cryptography Lecture 12.
Homework #1 Chap. 1, 3, 4 J. H. Wang Oct. 2, 2018.
Topic 13: Message Authentication Code
Cryptography Lecture 6 Arpita Patra © Arpita Patra.
Cryptography Lecture 7.
Cryptography Lecture 6.
Cryptography Lecture 16.
Cryptography Lecture 15.
Presentation transcript:

1 Intro To Encryption Exercise 4

2 Defining Pseudo-Random Permutation Let A be alg. with oracle to a function from {0,1} k to {0,1} k Notation: let A f denote A with oracle to f:{0,1} k  {0,1} k Let where key  R {0,1} k and r is a random function over {0,1} k  Notation: x  R X means x is chosen randomly from set X Let ADV PRP E,k (t)=MAX{ADV PRP A,E,k } for A limited to time t  Should be negligible for feasible t  Ideally: ADV PRP E,k (t)=constant /(2 k -t) Adversary controls plaintext  chosen plaintext attack  modify definition to allow also chosen ciphertext

3 Solution Let f’ :{0,1} k  {0,1} k be an inverse function to f, meaning f’=f -1.  (for each cipher text we now have a reverse function to give us the plain text) Let r’ be a reversible function to r.  Why?  (If we want to fool adversary with a random function we must have a reversible function) Notation: let A f,f’ denote A with oracle to both f, f’

4 Solution Let where key  R {0,1} k and r is a random function over {0,1} k  Notation: x  R X means x is chosen randomly from set X Adversary controls plaintext and ciphertext

5 Problem You wish for your users to access a remote server via user and password. All of the users have modems and you trust the phone company to have secured phone lines (no eaves dropping on the line). All the users must use “good” passwords. 1. What is a “good” password? 2. What is the problem with “good” passwords? 3. How can you build a device that can help the user? Hint: the device may generate the passwords

6 Problem Construct a PRF from a random oracle.

7 Solution Let A be the Random oracle, which receives input x. Use PRF k (x)=A(k||x) Is this a sufficient solution?

8 Problem Does random oracle provide CRHF and OWF properties?

9 Solution Yes!! By counting arguments  Consider the random function as being defined incrementally  When the oracle is asked for f(x) for the first time, it selects random value  Example: OWF Let x 1,x 2,…x m be the queries of the adversary, with x m being the adversary’s reply (i.e. success if f(x m )=f(x)). Claim: for every i=1,…,m, Prob(f(x i )=f(x))<i/2 n Proof: By induction…

10 Problem What are the differences between PRF and Universal Hash Functions?

11 Problem construct a PRP from a random oracle.

12 Solution Construct PRF from Random Oracle. Use Feistel rounds to build a PRP. How many rounds? How many rounds?

13 Problem construct CPA-IND secure cryptosystem from random oracle.

14 Solution Build a PRP from random oracle Use CBC construction for the PRP.

15 Problem construct OWF h() from PRF F k ()

16 Solution In order to build h(x) use:  h(x)=PRF x (0)

17 Problem can we use OWF to construct PRF like we used random oracle?

18 Solution NO!!!! Evaluate the following:  h(x) is OWF.  h’(x)=001100||h(x)  Clearly h’ is OWF but can be distinguished from a random output.

19 Problem Is every (weak) CRHF also a OWF