Putting it all together: using multiple primitives together

1 / 12

# Putting it all together: using multiple primitives together - PowerPoint PPT Presentation

Putting it all together: using multiple primitives together. Exercise 1. Say you have a signature scheme. SScheme = ( KGen , Sign, Vf ). Say this scheme is unforgeable against CMA. Modify the signature algorithm:. iff . &amp; = 1. Is this still unforgeable against CMA?. Exercise 2.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about ' Putting it all together: using multiple primitives together' - hamish-bryan

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### Putting it all together: using multiple primitives together

Exercise 1
• Say you have a signature scheme

SScheme = (KGen, Sign, Vf)

• Say this scheme is unforgeable against CMA
• Modify the signature algorithm:

iff. &

= 1

• Is this still unforgeable against CMA?
Exercise 2
• We have an arbitrary unforgeable signature scheme:

SScheme = (KGen, Sign, Vf)

• And we also have any IND-CCA encryption scheme

EScheme = (KGen, Enc, Dec)

• Say we want to ensure that a confidentialmessage comes from a given party. Can we send:
• ?
• ?
• ?
Interlude
• What would we use in order to:
• Send a confidential message
• Encrypt a large document
• Send a confidential AND authenticated message
• Authenticate a message with non-repudiation
• Authenticate a message without non-repudiation
• Find correspondences
• Confidentiality
• Hash function
• Collision-resistance
• MAC code
• Authenticity
• Symmetric encryption
• Non-repudiation
• PK Encryption
• Integrity
• Digital Signatures
Exercise 3
• The Hash paradigm for signatures :
• Improves the security of signature schemes
• Improves efficiency for signatures, making their size the same, irrespective of the message length
• Can we do the same for encryption schemes, i.e. use instead of
• Can we send just instead of
Exercise 4
• Symmetric encryption is faster than PK encryption
• Suppose Amélie generates a symmetric encryption key (e.g. for AES 128) and encrypts a message for Baptiste withthis key.
• Baptiste does not know the secret key.
• By using one (or more) of the following mechanisms, show how Amélie can ensure that Baptiste can decrypt.
• A public key encryption scheme
• A symmetric encryption scheme
• A signature scheme
• A MAC scheme
• A hash scheme
Exercise 5
• Amélie and Baptiste share a secret key for a MAC scheme

………

Amélie

Baptiste

• They exchange some messages, without signing each one, but at the end, each party will send a MAC of the message: {<Name> || || || || … || }
• How does CBC-mode symmetric encryption work? Why would this method be indicated for long conversations?
Exercise 6
• Consider the DSA signature scheme
• Say Amélie signs two different messages with the sameephemeral value (and obviously the sameprivate key )
• How would an attacker know from the signatures that the same ephemeral value was used for both signatures?
• Show how to retrieve given the two signatures for and
Exercise 7
• Amélie wants to do online shopping, say on Ebay
• She needs to establish a secure channel with an Ebay server, i.e. be able to exchange message confidentially and integrally/authentically with its server
• This is actually done by sharing one MAC key and one symmetric encryption key between them
• The server has a certified RSA public encryption key, but Amélie does not
• How can Amélie make sure they share the two secret keys?
• How can they check that they are sharing the same keys?
Exercise 8
• List the properties of a hash function. Think of: input size, output size, who can compute it etc.
• Imagine we have a public key encryption scheme. We generate and , but throw away and publish
• We implement a hash scheme by using the PKE scheme, by using
• Should the PKE scheme be deterministic or probabilistic?
• Analyse the case of Textbook RSA as the encryption scheme. Which properties of the hash function are guaranteed?
• Assume the generic PKE scheme ensures that a plaintext cannot be recovered from the ciphertext. Which properties of the hash scheme does the PKE scheme guarantee?
Exercise 9
• A pseudo-random generator is a deterministic function thattakes as input a fixed-length string (a seed) and which outputs a much longer string , suchthat looks random to anyadversary
• Assume Amélie and Baptiste share a seed
• Consider symmetric encryption with key , whereencryptionisdone as , for messages of lengthequal to that of (and paddedotherwise)
• Is this scheme deterministic or probabilistic?
• Show that this scheme is insecure if the adversary can request the decryption of even a single ciphertext.
• How can we make it secure even if the adversary can decrypt arbitrary ciphertexts?