Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted email, new key for every message.

Published byJavion Huxley Modified over 9 years ago

Similar presentations

Presentation on theme: "Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted email, new key for every message."— Presentation transcript:

1 Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted email, new key for every message.

2 Dan Boneh Using PRPs and PRFs Goal: build “secure” encryption from a secure PRP (e.g. AES). This segment: one-time keys 1.Adversary’s power: Adv sees only one ciphertext (one-time key) 2.Adversary’s goal: Learn info about PT from CT (semantic security) Next segment: many-time keys (a.k.a chosen-plaintext security)

3 Dan Boneh Incorrect use of a PRP Electronic Code Book (ECB): Problem: – if m 1 =m 2 then c 1 =c 2 PT: CT: m1m1 m2m2 c1c1 c2c2

4 Dan Boneh In pictures (courtesy B. Preneel)

5 Dan Boneh Semantic Security (one-time key) Adv SS [A,OTP] = | Pr[ EXP(0) =1 ] − Pr[ EXP(1) =1 ] | should be “neg.” Chal.Adv. A kKkK m 0, m 1  M : |m 0 | = |m 1 | c  E(k, m 0 ) b’  {0,1} EXP(0): Chal.Adv. A kKkK m 0, m 1  M : |m 0 | = |m 1 | c  E(k, m 1 ) b’  {0,1} EXP(1): one time key ⇒ adversary sees only one ciphertext

6 Dan Boneh ECB is not Semantically Secure ECB is not semantically secure for messages that contain more than one block. Two blocks Chal. b  {0,1} Adv. A kKkK (c 1,c 2 )  E(k, m b ) m 0 = “Hello World” m 1 = “Hello Hello” If c 1 =c 2 output 0, else output 1 Then Adv SS [A, ECB] = 1

7 Dan Boneh Secure Construction I Deterministic counter mode from a PRF F : E DETCTR (k, m) = ⇒ Stream cipher built from a PRF (e.g. AES, 3DES) m[0]m[1]… F(k,0)F(k,1)… m[L] F(k,L)  c[0]c[1]…c[L]

8 Dan Boneh Det. counter-mode security Theorem: For any L>0, If F is a secure PRF over (K,X,X) then E DETCTR is sem. sec. cipher over (K,X L,X L ). In particular, for any eff. adversary A attacking E DETCTR there exists a n eff. PRF adversary B s.t.: Adv SS [A, E DETCTR ] = 2  Adv PRF [B, F] Adv PRF [B, F] is negligible (since F is a secure PRF) Hence, Adv SS [A, E DETCTR ] must be negligible.

9 Dan Boneh Proof chal. adv. A kKkK m 0, m 1 c  b’ ≟ 1 chal. adv. A kKkK m 0, m 1 c  b’ ≟ 1 ≈p≈p ≈p≈p ≈p≈p  m0m0 F(k,0) … F(k,L)  m1m1 chal. adv. A f  Funs m 0, m 1 c  b’ ≟ 1  m0m0 f(0) … f(L) chal. adv. A r  {0,1} n m 0, m 1 c  b’ ≟ 1  m1m1 f(0) … f(L) ≈p≈p

10 Dan Boneh End of Segment

Download ppt "Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted email, new key for every message."

Similar presentations

Chapter 4: Modes of Operation CS 472: Fall 2012. Encrypting a Large Massage 1.Electronic Code Book (ECB) 2.Cipher Block Chaining (CBC) 3.Output Feedback.

Chapter 4: Modes of Operation CS 472: Fall Encrypting a Large Massage 1.Electronic Code Book (ECB) 2.Cipher Block Chaining (CBC) 3.Output Feedback.
Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.
ElGamal Security Public key encryption from Diffie-Hellman

ElGamal Security Public key encryption from Diffie-Hellman
Trusted 3rd parties Basic key exchange

Trusted 3rd parties Basic key exchange
Dan Boneh Block ciphers Exhaustive Search Attacks Online Cryptography Course Dan Boneh.

Dan Boneh Block ciphers Exhaustive Search Attacks Online Cryptography Course Dan Boneh.
Cryptography: Block Ciphers

Cryptography: Block Ciphers
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Online Cryptography Course Dan Boneh

Online Cryptography Course Dan Boneh
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Cryptography: Review Day David Brumley Carnegie Mellon University.

Cryptography: Review Day David Brumley Carnegie Mellon University.
1 PRPs and PRFs CS255: Winter 2008 1.Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.

1 PRPs and PRFs CS255: Winter Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley Carnegie Mellon University.

Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley Carnegie Mellon University.
Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.

Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.
1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.

1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.
CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.

Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.
1 Intro To Encryption Exercise 4. 2 Defining Pseudo-Random Permutation Let A be alg. with oracle to a function from {0,1} k to {0,1} k Notation: let A.

1 Intro To Encryption Exercise 4. 2 Defining Pseudo-Random Permutation Let A be alg. with oracle to a function from {0,1} k to {0,1} k Notation: let A.

Similar presentations

Ads by Google