Dan Boneh Authenticated Encryption Chosen ciphertext attacks Online Cryptography Course Dan Boneh.

Slides:



Advertisements
Similar presentations
Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.
Advertisements

ElGamal Security Public key encryption from Diffie-Hellman
Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted , new key for every message.
Online Cryptography Course Dan Boneh
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.
Cryptography: Review Day David Brumley Carnegie Mellon University.
CS 395T Formal Models of Cryptography: Symmetric Encryption.
1 PRPs and PRFs CS255: Winter Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.
Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.
Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.
Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.
1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
How To Not Make a Secure Protocol WEP Dan Petro.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
1 Intro To Encryption Exercise 4. 2 Defining Pseudo-Random Permutation Let A be alg. with oracle to a function from {0,1} k to {0,1} k Notation: let A.
Dan Boneh Basic key exchange Public-key encryption Online Cryptography Course Dan Boneh.
Active attacks on CPA-secure encryption
Dan Boneh Authenticated Encryption Definitions Online Cryptography Course Dan Boneh.
Dan Boneh Public Key Encryption from trapdoor permutations Public key encryption: definitions and security Online Cryptography Course Dan Boneh.
Dan Boneh Authenticated Encryption Case study: TLS Online Cryptography Course Dan Boneh.
Dan Boneh Stream ciphers The One Time Pad Online Cryptography Course Dan Boneh.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
Dan Boneh Using block ciphers Modes of operation: many time key (CTR) Online Cryptography Course Dan Boneh Example applications: 1. File systems: Same.
Attacks on OTP and stream ciphers
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Dan Boneh Using block ciphers Modes of operation: many time key (CBC) Online Cryptography Course Dan Boneh Example applications: 1. File systems: Same.
IND-CPA and IND-CCA Concepts Summary  Basic Encryption Security Definition: IND-CPA  Strong Encryption Security Definition: IND-CCA  IND-CPA, IND-CCA.
Dan Boneh Stream ciphers Pseudorandom Generators Online Cryptography Course Dan Boneh.
Dan Boneh Message Integrity CBC-MAC and NMAC Online Cryptography Course Dan Boneh.
Odds and ends Tweakable encryption
Cryptography: Review Day David Brumley Carnegie Mellon University.
Template vertLeftWhite2 Authenticated Encryption Attacking non-atomic decryption Online Cryptography Course Dan Boneh.
Cryptography Lecture 4 Arpita Patra.
Dan Boneh Stream ciphers Stream ciphers are semantically secure Online Cryptography Course Dan Boneh Goal: secure PRG ⇒ semantically secure stream cipher.
Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012.
CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.
Tae-Joon Kim Jong yun Jun
Dan Boneh Basic key exchange Trusted 3 rd parties Online Cryptography Course Dan Boneh.
1/28 Chosen-Ciphertext Security from Identity- Based Encryption Jonathan Katz U. Maryland Ran Canetti, Shai Halevi IBM.
Dan Boneh Odds and ends Deterministic Encryption Online Cryptography Course Dan Boneh.
Online Cryptography Course Dan Boneh
Dan Boneh Public Key Encryption from trapdoor permutations Constructions Online Cryptography Course Dan Boneh Goal: construct chosen-ciphertext secure.
Cryptography Lecture 8 Arpita Patra © Arpita Patra.
Dan Boneh Authenticated Encryption CBC paddings attacks Online Cryptography Course Dan Boneh.
Dan Boneh Authenticated Encryption Constructions from ciphers and MACs Online Cryptography Course Dan Boneh.
Cryptography Lecture 10 Arpita Patra © Arpita Patra.
Cryptography Lecture 6 Arpita Patra. Quick Recall and Today’s Roadmap >> MAC for fixed-length messages >> Domain Extension for MAC >> Authenticated Encryption:
Using block ciphers Review: PRPs and PRFs
Authenticated encryption
Group theory exercise.
Secrecy of (fixed-length) stream ciphers
PRPs and PRFs CS255: Winter 2017
Cryptography Lecture 9.
Topic 11: Authenticated Encryption + CCA-Security
Cryptography Lecture 12.
Cryptography Lecture 10.
Cryptography Lecture 11.
Cryptography Lecture 12 Arpita Patra © Arpita Patra.
Cryptography Lecture 11.
Cryptography Lecture 9.
Cryptography Lecture 12.
Padding Oracle Attacks
Cryptography Lecture 9.
Cryptography Lecture 11.
Cryptography Lecture 10.
Presentation transcript:

Dan Boneh Authenticated Encryption Chosen ciphertext attacks Online Cryptography Course Dan Boneh

Dan Boneh Example chosen ciphertext attacks Adversary has ciphertext c that it wants to decrypt Often, adv. can fool server into decrypting certain ciphertexts (not c) Often, adversary can learn partial information about plaintext dest = 25 data data TCP/IP packet ACK if valid checksum

Dan Boneh Chosen ciphertext security Adversary’s power: both CPA and CCA Can obtain the encryption of arbitrary messages of his choice Can decrypt any ciphertext of his choice, other than challenge (conservative modeling of real life) Adversary’s goal: Break sematic security

Dan Boneh Chosen ciphertext security: definition E = (E,D) cipher defined over (K,M,C). For b=0,1 define EXP(b): Chal. b Adv. kKkK b’  {0,1} m i,0, m i,1  M : |m i,0 | = |m i,1 | c i  E(k, m i,b ) for i=1,…,q: (1) CPA query: (2) CCA query: c i  C : c i ∉ {c 1, …, c i-1 } m i  D(k, c i )

Dan Boneh Chosen ciphertext security: definition E is CCA secure if for all “efficient” A: Adv CCA [A, E ] = | Pr[EXP(0)=1] – Pr[EXP(1)=1] | is “negligible.” Example: CBC with rand. IV is not CCA-secure Chal. b Adv. kKkK m 0, m 1 : |m 0 | = |m 1 |=1 c  E(k, m b ) = (IV, c[0]) c’ = (IV1, c[0]) D(k, c’ ) = m b 1 b

Dan Boneh Authenticated enc. ⇒ CCA security Thm:Let (E,D) be a cipher that provides AE. Then (E,D) is CCA secure ! In particular, for any q-query eff. A there exist eff. B 1, B 2 s.t. Adv CCA [A,E] ≤ 2q ⋅ Adv CI [B 1,E] + Adv CPA [B 2,E]

Dan Boneh Proof by pictures Chal.Adv. kKkK CPA query: m i,0, m i,1 CCA query: c i c i =E(k,m i, 0 ) D(k,c i ) Chal.Adv. kKkK CPA query: m i,0, m i,1 CCA query: c i c i =E(k,m i, 1 ) D(k,c i ) CPA query: m i,0, m i,1 Chal.Adv. kKkK c i =E(k,m i, 0 ) Chal.Adv. kKkK CPA query: m i,0, m i,1 c i =E(k,m i, 1 ) ⊥ CCA query: c i ⊥ ≈p≈p ≈p≈p ≈p≈p ≈p≈p

Dan Boneh So what? Authenticated encryption: ensures confidentiality against an active adversary that can decrypt some ciphertexts Limitations: does not prevent replay attacks does not account for side channels (timing)

Dan Boneh End of Segment

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.