Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dan Boneh Authenticated Encryption Chosen ciphertext attacks Online Cryptography Course Dan Boneh.

Published byHarry Davis Modified over 9 years ago

Similar presentations

Presentation on theme: "Dan Boneh Authenticated Encryption Chosen ciphertext attacks Online Cryptography Course Dan Boneh."— Presentation transcript:

1 Dan Boneh Authenticated Encryption Chosen ciphertext attacks Online Cryptography Course Dan Boneh

2 Dan Boneh Example chosen ciphertext attacks Adversary has ciphertext c that it wants to decrypt Often, adv. can fool server into decrypting certain ciphertexts (not c) Often, adversary can learn partial information about plaintext dest = 25 data data TCP/IP packet ACK if valid checksum

3 Dan Boneh Chosen ciphertext security Adversary’s power: both CPA and CCA Can obtain the encryption of arbitrary messages of his choice Can decrypt any ciphertext of his choice, other than challenge (conservative modeling of real life) Adversary’s goal: Break sematic security

4 Dan Boneh Chosen ciphertext security: definition E = (E,D) cipher defined over (K,M,C). For b=0,1 define EXP(b): Chal. b Adv. kKkK b’  {0,1} m i,0, m i,1  M : |m i,0 | = |m i,1 | c i  E(k, m i,b ) for i=1,…,q: (1) CPA query: (2) CCA query: c i  C : c i ∉ {c 1, …, c i-1 } m i  D(k, c i )

5 Dan Boneh Chosen ciphertext security: definition E is CCA secure if for all “efficient” A: Adv CCA [A, E ] = | Pr[EXP(0)=1] – Pr[EXP(1)=1] | is “negligible.” Example: CBC with rand. IV is not CCA-secure Chal. b Adv. kKkK m 0, m 1 : |m 0 | = |m 1 |=1 c  E(k, m b ) = (IV, c[0]) c’ = (IV1, c[0]) D(k, c’ ) = m b 1 b

6 Dan Boneh Authenticated enc. ⇒ CCA security Thm:Let (E,D) be a cipher that provides AE. Then (E,D) is CCA secure ! In particular, for any q-query eff. A there exist eff. B 1, B 2 s.t. Adv CCA [A,E] ≤ 2q ⋅ Adv CI [B 1,E] + Adv CPA [B 2,E]

7 Dan Boneh Proof by pictures Chal.Adv. kKkK CPA query: m i,0, m i,1 CCA query: c i c i =E(k,m i, 0 ) D(k,c i ) Chal.Adv. kKkK CPA query: m i,0, m i,1 CCA query: c i c i =E(k,m i, 1 ) D(k,c i ) CPA query: m i,0, m i,1 Chal.Adv. kKkK c i =E(k,m i, 0 ) Chal.Adv. kKkK CPA query: m i,0, m i,1 c i =E(k,m i, 1 ) ⊥ CCA query: c i ⊥ ≈p≈p ≈p≈p ≈p≈p ≈p≈p

8 Dan Boneh So what? Authenticated encryption: ensures confidentiality against an active adversary that can decrypt some ciphertexts Limitations: does not prevent replay attacks does not account for side channels (timing)

9 Dan Boneh End of Segment

Download ppt "Dan Boneh Authenticated Encryption Chosen ciphertext attacks Online Cryptography Course Dan Boneh."

Similar presentations

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.
ElGamal Security Public key encryption from Diffie-Hellman

ElGamal Security Public key encryption from Diffie-Hellman
Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted email, new key for every message.

Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted , new key for every message.
Online Cryptography Course Dan Boneh

Online Cryptography Course Dan Boneh
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.

Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.
Cryptography: Review Day David Brumley Carnegie Mellon University.

Cryptography: Review Day David Brumley Carnegie Mellon University.
CS 395T Formal Models of Cryptography: Symmetric Encryption.

CS 395T Formal Models of Cryptography: Symmetric Encryption.
1 PRPs and PRFs CS255: Winter 2008 1.Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.

1 PRPs and PRFs CS255: Winter Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.
Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.
Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.

Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.
Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.

Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.
1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.

1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
How To Not Make a Secure Protocol 802.11 WEP Dan Petro.

How To Not Make a Secure Protocol WEP Dan Petro.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
1 Intro To Encryption Exercise 4. 2 Defining Pseudo-Random Permutation Let A be alg. with oracle to a function from {0,1} k to {0,1} k Notation: let A.

1 Intro To Encryption Exercise 4. 2 Defining Pseudo-Random Permutation Let A be alg. with oracle to a function from {0,1} k to {0,1} k Notation: let A.
Dan Boneh Basic key exchange Public-key encryption Online Cryptography Course Dan Boneh.

Dan Boneh Basic key exchange Public-key encryption Online Cryptography Course Dan Boneh.
Active attacks on CPA-secure encryption

Active attacks on CPA-secure encryption
Dan Boneh Authenticated Encryption Definitions Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption Definitions Online Cryptography Course Dan Boneh.

Similar presentations

Ads by Google