Dan Boneh Odds and ends Deterministic Encryption Online Cryptography Course Dan Boneh.

Slides:



Advertisements
Similar presentations
Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.
Advertisements

ElGamal Security Public key encryption from Diffie-Hellman
Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted , new key for every message.
Trusted 3rd parties Basic key exchange
Online Cryptography Course Dan Boneh
Cryptography: Review Day David Brumley Carnegie Mellon University.
1 PRPs and PRFs CS255: Winter Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.
Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.
Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.
Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.
1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Dan Boneh Basic key exchange The Diffie-Hellman protocol Online Cryptography Course Dan Boneh.
Dan Boneh Basic key exchange Public-key encryption Online Cryptography Course Dan Boneh.
Dan Boneh Public Key Encryption from trapdoor permutations The RSA trapdoor permutation Online Cryptography Course Dan Boneh.
Active attacks on CPA-secure encryption
Dan Boneh Authenticated Encryption Definitions Online Cryptography Course Dan Boneh.
Dan Boneh Authenticated Encryption Chosen ciphertext attacks Online Cryptography Course Dan Boneh.
Dan Boneh Public Key Encryption from trapdoor permutations Public key encryption: definitions and security Online Cryptography Course Dan Boneh.
Dan Boneh Authenticated Encryption Case study: TLS Online Cryptography Course Dan Boneh.
Dan Boneh Odds and ends Key Derivation Online Cryptography Course Dan Boneh.
Dan Boneh Stream ciphers The One Time Pad Online Cryptography Course Dan Boneh.
Cryptography Lecture 8 Stefan Dziembowski
Dan Boneh Public key encryption from Diffie-Hellman The ElGamal Public-key System Online Cryptography Course Dan Boneh.
Dan Boneh Odds and ends Format preserving encryption Online Cryptography Course Dan Boneh.
Ryan Henry I 538 /B 609 : Introduction to Cryptography.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
Dan Boneh Using block ciphers Modes of operation: many time key (CTR) Online Cryptography Course Dan Boneh Example applications: 1. File systems: Same.
Attacks on OTP and stream ciphers
Dan Boneh Public Key Encryption from trapdoor permutations PKCS 1 Online Cryptography Course Dan Boneh.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Dan Boneh Using block ciphers Modes of operation: many time key (CBC) Online Cryptography Course Dan Boneh Example applications: 1. File systems: Same.
Modes of Operation INSTRUCTOR: DANIA ALOMAR. Modes of Operation A block cipher can be used in various methods for data encryption and decryption; these.
Dan Boneh Stream ciphers Pseudorandom Generators Online Cryptography Course Dan Boneh.
Dan Boneh Collision resistance Introduction Online Cryptography Course Dan Boneh.
Dan Boneh Public key encryption from Diffie-Hellman The ElGamal Public-key System Online Cryptography Course Dan Boneh.
Dan Boneh Basic key exchange Merkle Puzzles Online Cryptography Course Dan Boneh.
Dan Boneh Message Integrity CBC-MAC and NMAC Online Cryptography Course Dan Boneh.
Odds and ends Tweakable encryption
Cryptography: Review Day David Brumley Carnegie Mellon University.
Dan Boneh Stream ciphers Stream ciphers are semantically secure Online Cryptography Course Dan Boneh Goal: secure PRG ⇒ semantically secure stream cipher.
CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.
Dan Boneh Basic key exchange Trusted 3 rd parties Online Cryptography Course Dan Boneh.
Dan Boneh Introduction Course Overview Online Cryptography Course Dan Boneh.
Dan Boneh Collision resistance The Merkle-Damgard Paradigm Online Cryptography Course Dan Boneh.
Dan Boneh Stream ciphers PRG Security Defs Online Cryptography Course Dan Boneh.
CS555Spring 2012/Topic 81 Cryptography CS 555 Topic 8: Pseudorandom Functions and CPA Security.
Online Cryptography Course Dan Boneh
Dan Boneh Public Key Encryption from trapdoor permutations Constructions Online Cryptography Course Dan Boneh Goal: construct chosen-ciphertext secure.
Dan Boneh Authenticated Encryption CBC paddings attacks Online Cryptography Course Dan Boneh.
Dan Boneh Authenticated Encryption Constructions from ciphers and MACs Online Cryptography Course Dan Boneh.
Dan Boneh Public Key Encryption from trapdoor permutations Public key encryption: definitions and security Online Cryptography Course Dan Boneh.
Encryption and Integrity
Boneh-Franklin Identity Based Encryption Scheme
Using block ciphers Review: PRPs and PRFs
Authenticated encryption
PRPs and PRFs CS255: Winter 2017
Cryptography Lecture 9.
Introduction to modern cryptology
Topic 11: Authenticated Encryption + CCA-Security
B504/I538: Introduction to Cryptography
Block cipher and modes of encryptions
Cryptography Lecture 7.
Cryptography Lecture 11.
Cryptography Lecture 8.
Cryptography Lecture 11.
Cryptography Lecture 9.
Cryptography Lecture 10.
Presentation transcript:

Dan Boneh Odds and ends Deterministic Encryption Online Cryptography Course Dan Boneh

Dan Boneh The need for det. Encryption (no nonce) encrypted database Alice data k 1, k 2 Alice data Bob data ⋮ ??

Dan Boneh The need for det. Encryption (no nonce) encrypted database Alice data k 1, k 2 Bob data ⋮ ?? Later: Retrieve record E(k 1, “Alice”) Alice data det. enc. enables later lookup

Dan Boneh Problem: det. enc. cannot be CPA secure The problem: attacker can tell when two ciphertexts encrypt the same message ⇒ leaks information Leads to significant attacks when message space M is small. equal ciphertexts means same index

Dan Boneh Problem: det. enc. cannot be CPA secure The problem: attacker can tell when two ciphertexts encrypt the same message ⇒ leaks information Chal.Adv. kKkK m 0, m 1  M c  E(k, m b ) m 0, m 0  M c 0  E(k, m 0 ) output 0 if c = c 0 Attacker wins CPA game: b

Dan Boneh A solution: the case of unique messages Suppose encryptor never encrypts same message twice: the pair (k, m) never repeats This happens when encryptor: Chooses messages at random from a large msg space (e.g. keys) Message structure ensures uniqueness (e.g. unique user ID)

Dan Boneh Deterministic CPA security E = (E,D) a cipher defined over (K,M,C). For b=0,1 define EXP(b) as: Def: E is sem. sec. under det. CPA if for all efficient A: Adv dCPA [A, E ] = | Pr[EXP(0)=1] – Pr[EXP(1)=1] | is negligible. Chal. b Adv. kKkK b’  {0,1} m i,0, m i,1  M : |m i,0 | = |m i,1 | c i  E(k, m i,b ) where m 1,0, …, m q,0 are distinct and m 1,1, …, m q,1 are distinct for i=1,…,q:

Dan Boneh A Common Mistake CBC with fixed IV is not det. CPA secure. Let E: K × {0,1} n {0,1} n be a secure PRP used in CBC Chal.Adv. kKkK m 0 =0 n, m 1 = 1 n c  [ FIV, E(k, FIV) ] or 0 n 1 n, 0 n 1 n c 1  [ FIV, E(k, 0 n FIV), … ] output 0 if c[1] = c 1 [1] c  [ FIV, E(k, 1 n FIV) ] Leads to significant attacks in practice. b

Template vertLeftWhite2 Is counter mode with a fixed IV det. CPA secure? Yes No It depends message F(k, FIV) ll F(k, FIV+1) ll … ll F(k, FIV+L) ciphertext Chal. Adv. kKkK m 0, m 1 c’  m b F(k, FIV) m, mm, m c  mF(k, FIV) output 0 if cc’=mm 0 b

Dan Boneh End of Segment

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.