Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dan Boneh Odds and ends Deterministic Encryption Online Cryptography Course Dan Boneh.

Published byPhebe Floyd Modified over 8 years ago

Similar presentations

Presentation on theme: "Dan Boneh Odds and ends Deterministic Encryption Online Cryptography Course Dan Boneh."— Presentation transcript:

1 Dan Boneh Odds and ends Deterministic Encryption Online Cryptography Course Dan Boneh

2 Dan Boneh The need for det. Encryption (no nonce) encrypted database Alice data k 1, k 2 Alice data Bob data ⋮ ??

3 Dan Boneh The need for det. Encryption (no nonce) encrypted database Alice data k 1, k 2 Bob data ⋮ ?? Later: Retrieve record E(k 1, “Alice”) Alice data det. enc. enables later lookup

4 Dan Boneh Problem: det. enc. cannot be CPA secure The problem: attacker can tell when two ciphertexts encrypt the same message ⇒ leaks information Leads to significant attacks when message space M is small. equal ciphertexts means same index

5 Dan Boneh Problem: det. enc. cannot be CPA secure The problem: attacker can tell when two ciphertexts encrypt the same message ⇒ leaks information Chal.Adv. kKkK m 0, m 1  M c  E(k, m b ) m 0, m 0  M c 0  E(k, m 0 ) output 0 if c = c 0 Attacker wins CPA game: b

6 Dan Boneh A solution: the case of unique messages Suppose encryptor never encrypts same message twice: the pair (k, m) never repeats This happens when encryptor: Chooses messages at random from a large msg space (e.g. keys) Message structure ensures uniqueness (e.g. unique user ID)

7 Dan Boneh Deterministic CPA security E = (E,D) a cipher defined over (K,M,C). For b=0,1 define EXP(b) as: Def: E is sem. sec. under det. CPA if for all efficient A: Adv dCPA [A, E ] = | Pr[EXP(0)=1] – Pr[EXP(1)=1] | is negligible. Chal. b Adv. kKkK b’  {0,1} m i,0, m i,1  M : |m i,0 | = |m i,1 | c i  E(k, m i,b ) where m 1,0, …, m q,0 are distinct and m 1,1, …, m q,1 are distinct for i=1,…,q:

8 Dan Boneh A Common Mistake CBC with fixed IV is not det. CPA secure. Let E: K × {0,1} n {0,1} n be a secure PRP used in CBC Chal.Adv. kKkK m 0 =0 n, m 1 = 1 n c  [ FIV, E(k, FIV) ] or 0 n 1 n, 0 n 1 n c 1  [ FIV, E(k, 0 n FIV), … ] output 0 if c[1] = c 1 [1] c  [ FIV, E(k, 1 n FIV) ] Leads to significant attacks in practice. b

9 Template vertLeftWhite2 Is counter mode with a fixed IV det. CPA secure? Yes No It depends message F(k, FIV) ll F(k, FIV+1) ll … ll F(k, FIV+L) ciphertext Chal. Adv. kKkK m 0, m 1 c’  m b F(k, FIV) m, mm, m c  mF(k, FIV) output 0 if cc’=mm 0 b

10 Dan Boneh End of Segment

Download ppt "Dan Boneh Odds and ends Deterministic Encryption Online Cryptography Course Dan Boneh."

Similar presentations

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.
ElGamal Security Public key encryption from Diffie-Hellman

ElGamal Security Public key encryption from Diffie-Hellman
Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted email, new key for every message.

Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted , new key for every message.
Trusted 3rd parties Basic key exchange

Trusted 3rd parties Basic key exchange
Online Cryptography Course Dan Boneh

Online Cryptography Course Dan Boneh
Cryptography: Review Day David Brumley Carnegie Mellon University.

Cryptography: Review Day David Brumley Carnegie Mellon University.
1 PRPs and PRFs CS255: Winter 2008 1.Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.

1 PRPs and PRFs CS255: Winter Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.
Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.
Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.

Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.
Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.

Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.
1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.

1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Dan Boneh Basic key exchange The Diffie-Hellman protocol Online Cryptography Course Dan Boneh.

Dan Boneh Basic key exchange The Diffie-Hellman protocol Online Cryptography Course Dan Boneh.
Dan Boneh Basic key exchange Public-key encryption Online Cryptography Course Dan Boneh.

Dan Boneh Basic key exchange Public-key encryption Online Cryptography Course Dan Boneh.
Dan Boneh Public Key Encryption from trapdoor permutations The RSA trapdoor permutation Online Cryptography Course Dan Boneh.

Dan Boneh Public Key Encryption from trapdoor permutations The RSA trapdoor permutation Online Cryptography Course Dan Boneh.
Active attacks on CPA-secure encryption

Active attacks on CPA-secure encryption
Dan Boneh Authenticated Encryption Definitions Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption Definitions Online Cryptography Course Dan Boneh.
Dan Boneh Authenticated Encryption Chosen ciphertext attacks Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption Chosen ciphertext attacks Online Cryptography Course Dan Boneh.
Dan Boneh Public Key Encryption from trapdoor permutations Public key encryption: definitions and security Online Cryptography Course Dan Boneh.

Dan Boneh Public Key Encryption from trapdoor permutations Public key encryption: definitions and security Online Cryptography Course Dan Boneh.
Dan Boneh Authenticated Encryption Case study: TLS Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption Case study: TLS Online Cryptography Course Dan Boneh.

Similar presentations

Ads by Google