Cryptography Foundations and Applications of Pseudo-Random Functions

foundations of cryptography n.w
1 / 18
Embed
Share

Explore the foundations of cryptography with authentication protocols, encryption, and one-way functions. Learn about pseudo-random functions, identification adversaries, unpredictability lemma, challenge-response protocols, and the authentication problem. Dive into message authentication codes (MACs) and more in this informative slideshow.

  • Cryptography
  • Authentication
  • Pseudo-Random Functions
  • Encryption
  • Security
rayaanacharya
ange_sly Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. Foundations of Cryptography Authentication Slides by Vinod Vaikuntanathan (Edited): https://mit6875.github.io/

  2. TODAY Applications of Pseudo-Random Functions (PRF): a. Identification Protocols b. Authentication c. Encryption secure against Active Attacks One-way functions (OWF).

  3. Recall: Pseudorandom Functions Collection of functions ?= {??:{0,1} {0,1}?}? {0,1}? The random world The pseudorandom world ? ???? ?? ? ?(?) ? ??(?) ? Distinguisher D Distinguisher D

  4. Friend-or-Foe Identification Adversary: person-in-the-middle. Can listen to / modify the communications. Wants to impersonate Tim.

  5. A Simple Lemma about Unpredictability Let ??:{0,1} {0,1}? be a pseudorandom function. Consider an adversary who requests and obtains ???1, ,???? for a polynomial ? = ? ? . Can she predict ??? for some ? of her choosing where ? {?1, ,??}? How well can she do it? 1 Lemma: If PRF secure, then Pr[Success] 2?+ ????(?). = ????(?) // assuming ? = ?.

  6. Challenge-Response Protocol Random? (??,??? ) PRF Key ? (ID number ??, PRF Key ?) Proof : Adversary collects (??,????) for poly many ?? (potentially of her choosing). She eventually has to produce ??? for a fresh random ? when she is trying to impersonate. This is hard as long as the input and output lengths of the PRF are long enough, e.g. = ? = ?.

  7. The authentication problem m ? ? Bob Alice Key ? Can also alter/inject more messages! Key ? This is known as a man-in-the-middle attack. How can Bob check if the message is indeed from Alice?

  8. The authentication problem m ?,? or (?,?) Bob Alice Key ? Can essentially only send it along! Key ? We want Alice to generate a tag for the message m which is hard to generate without the secret key k.

  9. Message Authentication Codes (MACs) A triple of algorithms (Gen, MAC, Ver): Gen(1?): Produces a key ? ?. MAC(?,?): Outputs a tag ? (may be deterministic). Ver(?,?,?): Outputs Accept or Reject. Correctness: Pr[Ver ?,?,??? ?,? Security: Hard to forge. Intuitively, it should be hard to come up with a new pair (m , t ) such that Ver accepts. = Accept] = 1

  10. What is the power of the adversary? m (?,???(?,?)) (?,???(?,?)) or Bob Alice Can see many pairs ?,??? ?,? . Can access a MAC oracle ???(?, ) Obtain tags for message of choice. This is called a chosen message attack (CMA).

  11. Defining MAC Security Total break: The adversary should not be able to recover the key k. Universal break: The adversary can generate a valid tag for every message. Existential break: The adversary can generate a new valid tag t for some message m. We will require MACs to be secure against the existential break!!

  12. EUF-CMA Security Existentially Unforgeable against Chosen Message Attacks ?1 ?1= ???(?,?1) ? ? ?2 ?2= ???(?,?2) Accept if ?,? (??,??) for all ?, and ??? ?,?,? = 1. (?,?) Want: Pr( ?,? ???? ?, 1?,??? ?,?,? = 1, ?,? ?)) = ????(?). where ? is the set of queries ??,?? ? that ? makes.

  13. Wait Does encryption not solve this? m ???(?,?) Bob Alice Key ? Key ?

  14. Wait Does encryption not solve this? m ? ? ? ? Bob Alice Key ? Can toggle between m and m Key ? One-time pad (and encryption schemes in general) are malleable.

  15. Wait Does encryption not solve this? m (?,??? ? ) (?,??(?) ?) Bob Alice Key ? Can toggle between m and m Key ? One-time pad (and encryption schemes in general) are malleable. Privacy and Integrity are very different goals!

  16. Constructing a MAC m (?,????? ) Bob Alice Key ? Gen(1?): Produces a PRF key ? ?. MAC(?,?): Output ??(?). Ver(?,?,?): Accept if ??? = ?, reject otherwise. Key ? Security: Our earlier unpredictability lemma about PRFs essentially proves that this is secure!

  17. Dealing with Replay Attacks The adversary could send an old valid (m, tag) at a later time. In fact, our definition of security does not rule this out. In practice: Append a time-stamp to the message. Eg. (m, T, MAC(m, T)) where T = 21 Sep 2022, 1:47pm. Sequence numbers appended to the message (this requires the MAC algorithm to be stateful).

  18. Privacy and Integrity! m (? = ?,??? ? ,tag = ?? (?)) Bob Alice Keys ?,? Keys ?,? MACs give us integrity, but not (necessarily) privacy. Solution: Encrypt, then MAC!

Related


No related presentations.

More Related Content