Ryan Henry, I538/B609: Introduction to Cryptography


1 Ryan Henry, I538/B609: Introduction to Cryptography

2 Last Thursday’s lecture:
▪ Signature schemes
Today’s lecture:
▪ Random oracle model
▪ Public-key encryption in the ROM
▪ Signature schemes in the ROM

3 Assignment 6 is due Thursday, Dec 3 (Assignment 7 will be due on the same day!)
Thursday, December 10

4 Reminder: Please complete the Online Course Questionnaire

5 Going forward
▪ Tuesday (11/17): Digital signature schemes
▪ Thursday (11/19): Random oracle model
▪ **Thanksgiving break (11/22–11/29)**
▪ Tuesday (12/01): Zero-knowledge proofs (and simulatability)
▪ Thursday (12/03): Anonymous credentials
▪ Tuesday (12/08): Secret sharing and PIR
▪ Thursday (12/10): Secure multiparty computation

6 Recall: Hash functions (Non-cryptographic)
Defn: A hash function is a PPT function $H:\{0,1\}^* \to \{0,1\}^s$ that maps arbitrary-length bit strings into fixed-length bit strings.
The output of a hash function is called a ”hash”, ”digest”, or ”fingerprint” of the input.
[Figure: the names Alice, Bob, Charlie and Eve are fed to a hash function, which maps each to a numbered fingerprint (00, 01, 02, …, 15).]

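7 Recall: Collision-finding game
[Diagram: the challenger and the attacker $A$ are each given $1^s$. The challenger computes $k \leftarrow \mathrm{Gen}(1^s)$ and sends $k$ to the attacker, who outputs a pair $(m_0, m_1)$.]
Let $E$ be the event that $m_0 \neq m_1$ yet $H(k,m_0) \stackrel{?}{=} H(k,m_1)$
$\mathrm{Adv}^{\text{collision}}(A) := \Pr[E]$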

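8 Recall: Second-preimage resistance (Target pre-image resistance)
[Diagram: the challenger and the attacker $A$ are each given $1^s$. The challenger computes $k \leftarrow \mathrm{Gen}(1^s)$ and sends $k$ and a message $m_0 \in \{0,1\}^*$ to the attacker, who outputs $m_1$.]
Let $E$ be the event that $m_0 \neq m_1$ yet $H(k,m_0) \stackrel{?}{=} H(k,m_1)$
$\mathrm{Adv}^{\text{2-preimage}}(A) := \Pr[E]$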

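9 Recall: Preimage resistance (One-wayness)
[Diagram: the challenger and the attacker $A$ are each given $1^s$. The challenger computes $k \leftarrow \mathrm{Gen}(1^s)$ and sends $k$ and a target $y \in \{0,1\}^{\ell(s)}$ to the attacker, who outputs $m$.]
Let $E$ be the event that $H(k,m) \stackrel{?}{=} y$
$\mathrm{Adv}^{\text{preimage}}(A) := \Pr[E]$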

10 Recall: Hash functions (Cryptographic)
Defn: A (keyed) hash function with output length $\ell(s)$ is a pair of PPT algorithms $(\mathrm{Gen}, H)$ such that
▪ $\mathrm{Gen}(1^s)$ outputs a random $s$-bit key $k \in \{0,1\}^s$
▪ $H(k,x)$ outputs a fingerprint (or digest) $y \in \{0,1\}^{\ell(|k|)}$
A cryptographic hash function is a (keyed) hash function that is (ⅰ) collision-resistant, (ⅱ) preimage resistant, and (ⅲ) second-preimage resistant.

11 The Random Oracle Model
▪ Many protocols use hash functions as a publicly accessible oracle that produces “random-looking” outputs
– PRFs, PRGs, and PRPs also produce “random-looking” outputs, but they all assume the attacker doesn’t know the seed/key
▪ Intuitively, the random oracle model is what you get when you assume (in a security proof) that the hash function produces truly random outputs
– No function can do this, so we model it by providing the challenger and attacker with access to a random oracle

12 The Random Oracle Model
[Diagram: game between challenger and attacker, each given $1^s$]

13 Random oracles
Q: Why might random oracles be useful?
A: They allow us to use outputs of a hash function in places where a security definition requires uniform random values
– If x has not been queried to H, then H(x) is uniform; thus, there is no strategy for adaptively choosing inputs to yield outputs with a desired relationship

14 Extractability and programmability
▪ In a reduction proof, the reduction algorithm answers any random oracle queries
– Extractability: The reduction can behave like a man-in-the-middle between the attacker and the RO
  The reduction algorithm gets to see all queries and responses
– Programmability: The reduction algorithm can change responses from the RO
  If relationships between outputs make the reduction more powerful, the reduction algorithm can induce them
▪ H a hash function ⇒ no extractability or programmability
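
The lazily sampled oracle that a reduction runs, with the query log (extractability) and the ability to fix outputs in advance (programmability) described on slides 11 to 14. This is an added example, not part of the lecture; the class name, the `committing_party` protocol party and the 32-byte output length are assumptions made for illustration.

```python
import hashlib
import secrets

class RandomOracle:
    """Lazily sampled random function H: {0,1}* -> {0,1}^(8*out_len)."""

    def __init__(self, out_len=32):
        self.out_len = out_len
        self.table = {}   # x -> H(x); fixed forever once defined
        self.log = []     # every query, in order (visible to the reduction)

    def query(self, x: bytes) -> bytes:
        self.log.append(x)
        if x not in self.table:               # fresh point: uniform output
            self.table[x] = secrets.token_bytes(self.out_len)
        return self.table[x]                  # repeated point: same answer

    def program(self, x: bytes, y: bytes) -> None:
        """Programmability: fix H(x) := y before anyone has asked for x."""
        if x in self.table:
            raise ValueError("H(x) already defined; a change would be visible")
        if len(y) != self.out_len:
            raise ValueError("wrong output length")
        self.table[x] = y                     # y should itself look uniform

    def extract(self, y: bytes):
        """Extractability: find a logged query x with H(x) = y, if any."""
        return next((x for x in self.log if self.table[x] == y), None)

def committing_party(H) -> bytes:
    """Hypothetical protocol party: publishes only y = H(x) for a secret x."""
    x = b"secret-" + secrets.token_hex(8).encode()
    return H(x)

def demo():
    ro = RandomOracle()
    y = committing_party(ro.query)            # the reduction relays the query
    recovered = ro.extract(y)                 # ... and so learns x itself
    # With a concrete hash the party computes y locally: nothing to observe.
    y_real = committing_party(lambda x: hashlib.sha256(x).digest())
    return recovered, y, y_real
```
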

15 Is the Random Oracle Model sound?
Q: What do security proofs in the random oracle model guarantee about security in the real world?
A: The answer is unclear…
– On the one hand, no hash function can implement an RO, so such proofs say “nothing” about the real world
– On the other hand, a proof of security in the ROM implies (roughly) that any attack on the system must exploit a weakness in the hash function
– To date, no “real” system proven secure in the ROM has ever succumbed to attacks due to the non-randomness of the hash function

16 CCA-secure RSA from ROs (RSA-OAEP)
▪ Let $H_1:\{0,1\}^{k_0} \to \{0,1\}^{\ell}$ and $H_2:\{0,1\}^{\ell} \to \{0,1\}^{k_0}$ be two independent random oracles and let $G$ be an RSA instance generator. Message space is $M = \{0,1\}^{\ell-k_1}$ for some $k_1 < \ell$
▪ $\mathrm{Gen}(1^s)$ computes $(p,q,e) \leftarrow G(1^s)$, outputs $k := (pq, e)$ and $t_k := e^{-1} \bmod \varphi(pq)$
▪ $\mathrm{Enc}(k,m)$ pads $m$ with zeros to get $m' := m \| 0^{k_1}$
– Chooses $r \in \{0,1\}^{k_0}$, computes $s := m' \oplus H_1(r)$ and $t := r \oplus H_2(s)$
– Outputs the ciphertext $c := (s\|t)^e \bmod pq$
▪ $\mathrm{Dec}(t_k,c)$ computes $s\|t = c^{t_k} \bmod pq$
– Computes $r = H_2(s) \oplus t$ and $m' = H_1(r) \oplus s$
– If the low-order $k_1$ bits of $m'$ are not 0, output $\bot$; otherwise, output the first $\ell-k_1$ bits of $m'$
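
The Enc and Dec steps of slide 16 carried out on a toy RSA key, as an added example that is not part of the lecture. Assumptions: SHAKE-256 with a domain prefix stands in for the random oracles H_1 and H_2, the modulus is built from two small constructed primes, and ℓ, k_0, k_1 are byte-aligned (160, 64 and 64 bits).

```python
import hashlib
import secrets

# Constructed toy parameters (far too small for real use): two Mersenne primes.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q                                   # public modulus pq (234 bits)
D = pow(E, -1, (P - 1) * (Q - 1))           # trapdoor t_k = e^-1 mod phi(pq)
L, K0, K1 = 20, 8, 8                        # l, k_0, k_1 in bytes; |m| = L - K1

def H1(r: bytes) -> bytes:                  # stand-in for RO {0,1}^k0 -> {0,1}^l
    return hashlib.shake_256(b"H1" + r).digest(L)

def H2(s: bytes) -> bytes:                  # stand-in for RO {0,1}^l -> {0,1}^k0
    return hashlib.shake_256(b"H2" + s).digest(K0)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enc(m: bytes) -> int:
    if len(m) != L - K1:
        raise ValueError("message must be exactly L - K1 bytes")
    m_pad = m + bytes(K1)                   # m' = m || 0^k1
    r = secrets.token_bytes(K0)             # fresh randomness per encryption
    s = xor(m_pad, H1(r))                   # s = m' xor H1(r)
    t = xor(r, H2(s))                       # t = r xor H2(s)
    return pow(int.from_bytes(s + t, "big"), E, N)   # c = (s||t)^e mod pq

def dec(c: int):
    x = pow(c, D, N)                        # s||t = c^{t_k} mod pq
    if x.bit_length() > 8 * (L + K0):
        return None                         # too large to be any s||t
    st = x.to_bytes(L + K0, "big")
    s, t = st[:L], st[L:]
    r = xor(H2(s), t)                       # r = H2(s) xor t
    m_pad = xor(H1(r), s)                   # m' = H1(r) xor s
    if m_pad[-K1:] != bytes(K1):            # low-order k1 bits must be zero
        return None                         # the slide's "⊥"
    return m_pad[:-K1]                      # first l - k1 bits of m'
```

In a deployed system the standardised RSA-OAEP from a vetted library is used, and the two rejection paths in `dec` must be indistinguishable to the sender of the ciphertext.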

17 That’s all for today, folks!

