Ryan Henry I538/B609: Introduction to Cryptography.


1 Ryan Henry I538/B609: Introduction to Cryptography

2 Last Thursday’s lecture: Message authentication codes (MACs). Today’s lecture: Secure variants of CBC-MAC; Hash functions.

3 Assignment 3 is on Tuesday, October 13 (That’s one week from today!) Please seek help before 2:30pm on Friday!

4 Recall: MAC existential forgery game. Challenger (C) and Forger (A) both receive $1^s$. C computes $k \leftarrow \mathrm{Gen}(1^s)$. For each query $m_i$ that A sends ($i = 1, \ldots, n$), C replies with $t_i \leftarrow \mathrm{MAC}_k(m_i)$.

5 Recall: Naïve CBC-MAC. [Diagram: CBC chain over the message blocks $m_1, \ldots$, with the key $k$ applied at each block.] Q: Is naïve CBC-MAC existentially unforgeable? A: No! (But why?)

6 CBC-MAC fix #1: Prepend the block-length. [Diagram: the same CBC chain under key $k$, started from $F_k(n)$.] IV = $F_k$(block length) (input padded to block size). Intuitively, a MAC on an n-block message is useless for forging MACs on n’-block messages.

7 CBC-MAC fix #2: Length-specific key. [Diagram: the same CBC chain with key $k_n$ applied at each block.] key = $F_k$(block length) (input padded to block size). Again, a MAC on an n-block message is useless for forging MACs on n’-block messages.

8 CBC-MAC fix #3: Nested CBC-MAC (NMAC). [Diagram: CBC chain under key $k_1$, followed by one application under key $k_2$.] Compute the naïve CBC-MAC with the first key, then MAC the naïve CBC-MAC with the second key.
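The three fixes above can be checked against the weakness of naïve CBC-MAC that they target: a tag on a one-block message also verifies for a related two-block message. The Python below is an added example, not part of the lecture; it assumes a 16-byte block, uses truncated HMAC-SHA256 as a stand-in for the PRF $F_k$, and all function names, keys and the sample message are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 16                      # block size in bytes (assumed)
K1 = bytes(range(16))           # constructed demo keys, not real secrets
K2 = bytes(range(16, 32))

def F(k: bytes, x: bytes) -> bytes:
    """Stand-in PRF F_k: HMAC-SHA256 truncated to one block (an assumption)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def n_blocks(m: bytes) -> bytes:
    """Block length n of an already padded message, encoded as one block."""
    if not m or len(m) % BLOCK:
        raise ValueError("input must be padded to the block size")
    return (len(m) // BLOCK).to_bytes(BLOCK, "big")

def naive(k: bytes, m: bytes, iv: bytes = bytes(BLOCK)) -> bytes:
    """Naive CBC-MAC: chain F_k over the blocks, output only the last block."""
    n_blocks(m)                 # validates the padding
    t = iv
    for i in range(0, len(m), BLOCK):
        t = F(k, xor(t, m[i:i + BLOCK]))
    return t

def fix1(k, m):                 # fix #1: IV = F_k(block length)
    return naive(k, m, iv=F(k, n_blocks(m)))
def fix2(k, m):                 # fix #2: length-specific key k_n = F_k(block length)
    return naive(F(k, n_blocks(m)), m)
def fix3(k1, k2, m):            # fix #3: MAC the naive CBC-MAC with a second key
    return F(k2, naive(k1, m))

def extension_accepted(mac) -> bool:
    """Tag a 1-block m, then check whether t also verifies for m || (m XOR t)."""
    m = b"constructed-msg!"     # constructed 16-byte sample message
    t = mac(m)
    return hmac.compare_digest(mac(m + xor(m, t)), t)

def results() -> dict:
    return {
        "naive": extension_accepted(lambda m: naive(K1, m)),
        "fix1": extension_accepted(lambda m: fix1(K1, m)),
        "fix2": extension_accepted(lambda m: fix2(K1, m)),
        "fix3": extension_accepted(lambda m: fix3(K1, K2, m)),
    }
```

With naïve CBC-MAC the second block cancels the chaining value, so the two-block message ends on the same tag; each fix binds the tag to the block length or hides the chaining value, and the check fails.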

9 CBC-MAC versus CBC mode encryption
▪ CBC mode encryption requires uniform random IV
  – Otherwise, it is not IND-CPA secure!
▪ CBC-MAC requires fixed IV
  – Otherwise, it is not existentially unforgeable!
▪ CBC mode encryption outputs each block
  – Otherwise, it is not correct!
▪ CBC-MAC only outputs a single block (the last one)
  – Otherwise, it is not existentially unforgeable!
▪ CBC mode encryption requires a PRP
  – Otherwise, it is not correct!
▪ CBC-MAC only requires a PRF

10 Hash functions (Non-cryptographic). Defn: A hash function is a PPT function $H: \{0,1\}^* \to \{0,1\}^s$ that maps arbitrary-length bit strings into fixed-length bit strings. The output of a hash function is called a “hash”, “digest”, or “fingerprint” of the input. [Figure: a hash function mapping the names Alice, Bob, Charlie and Eve to two-digit fingerprints.]

11 Hash function collisions. Pigeon-hole principle: If the domain of H is (much) larger than its range, then (many) collisions must exist! More pigeons → more collisions. [Figure: pigeons in holes, with a shared hole labelled “collision”. "TooManyPigeons" by en:User:McKay - Transferred from en.wikipedia; Original text: Edited from Image:Pigeons-in-holes.jpg by en:User:BenFrantzDale. Licensed under CC BY-SA 3.0 via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:TooManyPigeons.jpg#mediaviewer/File:TooManyPigeons.jpg]

12 Collision resistance
▪ Intuitively, we want to say that no PPT algorithm can find a collision for H, except with a probability that is negligible in s (the length of the output)
Q: How do we formalize this notion? A: Very carefully…
  – Difficulty: once H is fixed, it is trivial to define a PPT algorithm that has a collision for H “hard-coded”

13 Keyed hash functions. Idea: Define collision resistance to require that no PPT algorithm can find a collision for H when the key is selected at random, except with probability negligible in s.

14 Collision-finding game. Challenger (C) and Attacker (A) both receive $1^s$. C computes $k \leftarrow \mathrm{Gen}(1^s)$ and sends $k$ to A; A outputs $(m_0, m_1)$. Let E be the event that $m_0 \neq m_1$ and $H(k, m_0) = H(k, m_1)$. Define A’s advantage to be $\mathrm{Adv}_{\mathrm{collision}}(A) := \Pr[E]$.
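The collision-finding game, and the reason the key matters, can be run directly on a toy hash. The Python below is an added example, not part of the lecture; it assumes a keyed hash built from HMAC-SHA256 truncated to s = 32 bits (small enough that collisions are findable), and the keys and function names are constructed for illustration.

```python
import hmac

S_BYTES = 4  # toy output length s = 32 bits, small so collisions are findable

def H(k: bytes, m: bytes) -> bytes:
    """Toy keyed hash (an assumption): HMAC-SHA256 truncated to s bits."""
    return hmac.digest(k, m, "sha256")[:S_BYTES]

def collision_game(adversary, k: bytes) -> bool:
    """Challenger side: hand k to the adversary, report whether event E occurred."""
    m0, m1 = adversary(k)
    return m0 != m1 and H(k, m0) == H(k, m1)

def search_adversary(k: bytes):
    """Hash distinct messages until two share a digest; the pigeon-hole
    principle guarantees success within 2^s + 1 messages."""
    seen = {}
    for i in range(2 ** (8 * S_BYTES) + 1):
        m = i.to_bytes(8, "big")
        d = H(k, m)
        if d in seen:
            return seen[d], m
        seen[d] = m
    raise AssertionError("unreachable: contradicts the pigeon-hole principle")

K0 = b"constructed-key-0"          # constructed sample key
HARD_CODED = search_adversary(K0)  # a collision that is valid for K0

def hard_coded_adversary(k: bytes):
    """Ignores k and always outputs the pair precomputed for K0."""
    return HARD_CODED

def wins_over_fresh_keys(adversary, n: int = 32) -> int:
    """Number of games won when the challenger uses n other constructed keys."""
    keys = [b"constructed-key-%d" % i for i in range(1, n + 1)]
    return sum(collision_game(adversary, k) for k in keys)
```

The hard-coded pair wins whenever the hash is fixed to `K0`, but not when the challenger draws a different key, which is the point of defining the game over keyed hash functions.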

15 Second preimage resistance, a.k.a. target collision resistance

16 Second-preimage-finding game. Challenger (C) and Attacker (A) both receive $1^s$. C computes $k \leftarrow \mathrm{Gen}(1^s)$ and sends $k$ to A; A outputs $m_1$. Let E be the event that $m_0 \neq m_1$ and $H(k, m_0) = H(k, m_1)$. Define A’s advantage to be $\mathrm{Adv}_{\text{2-preimage}}(A) := \Pr[E]$.

17 Second preimage resistance. Thm: If (Gen, H) is collision resistant, then it is also second preimage resistant. Proof: Just note that a second preimage is a collision. Q: Is the converse of this theorem true? A: No! (But why?)

18 Preimage resistance, a.k.a. one-wayness

19 Preimage-finding game. Challenger (C) and Attacker (A) both receive $1^s$. C computes $k \leftarrow \mathrm{Gen}(1^s)$ and sends $k$ to A; A outputs $m$. Let E be the event that $H(k, m) = y$. Define A’s advantage to be $\mathrm{Adv}_{\mathrm{preimage}}(A) := \Pr[E]$.

20 Preimage resistance. Thm: If (Gen, H) is preimage resistant for randomly selected inputs, then it is also second preimage resistant. Proof (sketch): Suppose that A breaks preimage resistance.
- Given k and m, compute y = H(k, m)
- Now use A to find a preimage of y.
- Since y has many preimages, with high probability the preimage that A finds will not be m!
Q: Is the converse of this theorem true? A: No! (But why?)

21 That’s all for today, folks!

