Download presentation

Presentation is loading. Please wait.

Published byJavion Huxley Modified over 2 years ago

1
Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted email, new key for every message.

2
Dan Boneh Using PRPs and PRFs Goal: build “secure” encryption from a secure PRP (e.g. AES). This segment: one-time keys 1.Adversary’s power: Adv sees only one ciphertext (one-time key) 2.Adversary’s goal: Learn info about PT from CT (semantic security) Next segment: many-time keys (a.k.a chosen-plaintext security)

3
Dan Boneh Incorrect use of a PRP Electronic Code Book (ECB): Problem: – if m 1 =m 2 then c 1 =c 2 PT: CT: m1m1 m2m2 c1c1 c2c2

4
Dan Boneh In pictures (courtesy B. Preneel)

5
Dan Boneh Semantic Security (one-time key) Adv SS [A,OTP] = | Pr[ EXP(0) =1 ] − Pr[ EXP(1) =1 ] | should be “neg.” Chal.Adv. A kKkK m 0, m 1 M : |m 0 | = |m 1 | c E(k, m 0 ) b’ {0,1} EXP(0): Chal.Adv. A kKkK m 0, m 1 M : |m 0 | = |m 1 | c E(k, m 1 ) b’ {0,1} EXP(1): one time key ⇒ adversary sees only one ciphertext

6
Dan Boneh ECB is not Semantically Secure ECB is not semantically secure for messages that contain more than one block. Two blocks Chal. b {0,1} Adv. A kKkK (c 1,c 2 ) E(k, m b ) m 0 = “Hello World” m 1 = “Hello Hello” If c 1 =c 2 output 0, else output 1 Then Adv SS [A, ECB] = 1

7
Dan Boneh Secure Construction I Deterministic counter mode from a PRF F : E DETCTR (k, m) = ⇒ Stream cipher built from a PRF (e.g. AES, 3DES) m[0]m[1]… F(k,0)F(k,1)… m[L] F(k,L) c[0]c[1]…c[L]

8
Dan Boneh Det. counter-mode security Theorem: For any L>0, If F is a secure PRF over (K,X,X) then E DETCTR is sem. sec. cipher over (K,X L,X L ). In particular, for any eff. adversary A attacking E DETCTR there exists a n eff. PRF adversary B s.t.: Adv SS [A, E DETCTR ] = 2 Adv PRF [B, F] Adv PRF [B, F] is negligible (since F is a secure PRF) Hence, Adv SS [A, E DETCTR ] must be negligible.

9
Dan Boneh Proof chal. adv. A kKkK m 0, m 1 c b’ ≟ 1 chal. adv. A kKkK m 0, m 1 c b’ ≟ 1 ≈p≈p ≈p≈p ≈p≈p m0m0 F(k,0) … F(k,L) m1m1 chal. adv. A f Funs m 0, m 1 c b’ ≟ 1 m0m0 f(0) … f(L) chal. adv. A r {0,1} n m 0, m 1 c b’ ≟ 1 m1m1 f(0) … f(L) ≈p≈p

10
Dan Boneh End of Segment

Similar presentations

OK

Dan Boneh Authenticated Encryption Definitions Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption Definitions Online Cryptography Course Dan Boneh.

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Ppt on kingdom monera examples Ppt on cleanliness in schools Ppt on nitrogen cycle and nitrogen fixation process Ppt on index numbers in business Ppt on endangered and endemic species in india Ppt on second law of thermodynamics Ppt online open course Ppt on accounting standards in india Ppt on jpeg image compression Ppt on abo blood grouping test