Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Intro To Encryption Exercise 4. 2 Defining Pseudo-Random Permutation Let A be alg. with oracle to a function from {0,1} k to {0,1} k Notation: let A.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Intro To Encryption Exercise 4. 2 Defining Pseudo-Random Permutation Let A be alg. with oracle to a function from {0,1} k to {0,1} k Notation: let A."— Presentation transcript:

1 1 Intro To Encryption Exercise 4

2 2 Defining Pseudo-Random Permutation Let A be alg. with oracle to a function from {0,1} k to {0,1} k Notation: let A f denote A with oracle to f:{0,1} k  {0,1} k Let where key  R {0,1} k and r is a random function over {0,1} k  Notation: x  R X means x is chosen randomly from set X Let ADV PRP E,k (t)=MAX{ADV PRP A,E,k } for A limited to time t  Should be negligible for feasible t  Ideally: ADV PRP E,k (t)=constant /(2 k -t) Adversary controls plaintext  chosen plaintext attack  modify definition to allow also chosen ciphertext

3 3 Solution Let f’ :{0,1} k  {0,1} k be an inverse function to f, meaning f’=f -1.  (for each cipher text we now have a reverse function to give us the plain text) Let r’ be a reversible function to r.  Why?  (If we want to fool adversary with a random function we must have a reversible function) Notation: let A f,f’ denote A with oracle to both f, f’

4 4 Solution Let where key  R {0,1} k and r is a random function over {0,1} k  Notation: x  R X means x is chosen randomly from set X Adversary controls plaintext and ciphertext

5 5 Problem You wish for your users to access a remote server via user and password. All of the users have modems and you trust the phone company to have secured phone lines (no eaves dropping on the line). All the users must use “good” passwords. 1. What is a “good” password? 2. What is the problem with “good” passwords? 3. How can you build a device that can help the user? Hint: the device may generate the passwords

6 6 Problem Construct a PRF from a random oracle.

7 7 Solution Let A be the Random oracle, which receives input x. Use PRF k (x)=A(k||x) Is this a sufficient solution?

8 8 Problem Does random oracle provide CRHF and OWF properties?

9 9 Solution Yes!! By counting arguments  Consider the random function as being defined incrementally  When the oracle is asked for f(x) for the first time, it selects random value  Example: OWF Let x 1,x 2,…x m be the queries of the adversary, with x m being the adversary’s reply (i.e. success if f(x m )=f(x)). Claim: for every i=1,…,m, Prob(f(x i )=f(x))<i/2 n Proof: By induction…

10 10 Problem What are the differences between PRF and Universal Hash Functions?

11 11 Problem construct a PRP from a random oracle.

12 12 Solution Construct PRF from Random Oracle. Use Feistel rounds to build a PRP. How many rounds? How many rounds?

13 13 Problem construct CPA-IND secure cryptosystem from random oracle.

14 14 Solution Build a PRP from random oracle Use CBC construction for the PRP.

15 15 Problem construct OWF h() from PRF F k ()

16 16 Solution In order to build h(x) use:  h(x)=PRF x (0)

17 17 Problem can we use OWF to construct PRF like we used random oracle?

18 18 Solution NO!!!! Evaluate the following:  h(x) is OWF.  h’(x)=001100||h(x)  Clearly h’ is OWF but can be distinguished from a random output.

19 19 Problem Is every (weak) CRHF also a OWF

Download ppt "1 Intro To Encryption Exercise 4. 2 Defining Pseudo-Random Permutation Let A be alg. with oracle to a function from {0,1} k to {0,1} k Notation: let A."

Similar presentations

6.1.2 Overview DES is a block cipher, as shown in Figure 6.1.

6.1.2 Overview DES is a block cipher, as shown in Figure 6.1.
Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted email, new key for every message.

Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted , new key for every message.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
1 PRPs and PRFs CS255: Winter 2008 1.Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.

1 PRPs and PRFs CS255: Winter Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.
1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.

1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley Carnegie Mellon University.

Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley Carnegie Mellon University.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.

Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.
1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.

1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.
Rachana Y. Patil 1 Data Encryption Standard (DES) (DES)

Rachana Y. Patil 1 Data Encryption Standard (DES) (DES)
Data Encryption Standard (DES)

Data Encryption Standard (DES)
Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.
Intro To Secure Comm. Exercise 2. Problem  You wish for your users to access a remote server via user and password.  All of the users have modems and.

Intro To Secure Comm. Exercise 2. Problem  You wish for your users to access a remote server via user and password.  All of the users have modems and.
1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.

1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.
Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.

Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.
Practical Techniques for Searches on Encrypted Data Author:Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀汶承.

Practical Techniques for Searches on Encrypted Data Author:Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀汶承.
1 Constructing Pseudo-Random Permutations with a Prescribed Structure Moni Naor Weizmann Institute Omer Reingold AT&T Research.

1 Constructing Pseudo-Random Permutations with a Prescribed Structure Moni Naor Weizmann Institute Omer Reingold AT&T Research.

Similar presentations

Ads by Google