1 / 12

# Putting it all together: using multiple primitives together - PowerPoint PPT Presentation

Putting it all together: using multiple primitives together. Exercise 1. Say you have a signature scheme. SScheme = ( KGen , Sign, Vf ). Say this scheme is unforgeable against CMA. Modify the signature algorithm:. iff . & = 1. Is this still unforgeable against CMA?. Exercise 2.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about 'Putting it all together: using multiple primitives together' - hamish-bryan

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### Putting it all together: using multiple primitives together

• Say you have a signature scheme

SScheme = (KGen, Sign, Vf)

• Say this scheme is unforgeable against CMA

• Modify the signature algorithm:

iff. &

= 1

• Is this still unforgeable against CMA?

• We have an arbitrary unforgeable signature scheme:

SScheme = (KGen, Sign, Vf)

• And we also have any IND-CCA encryption scheme

EScheme = (KGen, Enc, Dec)

• Say we want to ensure that a confidentialmessage comes from a given party. Can we send:

• ?

• ?

• ?

• What would we use in order to:

• Send a confidential message

• Encrypt a large document

• Send a confidential AND authenticated message

• Authenticate a message with non-repudiation

• Authenticate a message without non-repudiation

• Find correspondences

• Confidentiality

• Hash function

• Collision-resistance

• MAC code

• Authenticity

• Symmetric encryption

• Non-repudiation

• PK Encryption

• Integrity

• Digital Signatures

• The Hash paradigm for signatures :

• Improves the security of signature schemes

• Improves efficiency for signatures, making their size the same, irrespective of the message length

• Can we do the same for encryption schemes, i.e. use instead of

• Can we send just instead of

• Symmetric encryption is faster than PK encryption

• Suppose Amélie generates a symmetric encryption key (e.g. for AES 128) and encrypts a message for Baptiste withthis key.

• Baptiste does not know the secret key.

• By using one (or more) of the following mechanisms, show how Amélie can ensure that Baptiste can decrypt.

• A public key encryption scheme

• A symmetric encryption scheme

• A signature scheme

• A MAC scheme

• A hash scheme

• Amélie and Baptiste share a secret key for a MAC scheme

………

Amélie

Baptiste

• They exchange some messages, without signing each one, but at the end, each party will send a MAC of the message: {<Name> || || || || … || }

• How does CBC-mode symmetric encryption work? Why would this method be indicated for long conversations?

• Consider the DSA signature scheme

• Say Amélie signs two different messages with the sameephemeral value (and obviously the sameprivate key )

• How would an attacker know from the signatures that the same ephemeral value was used for both signatures?

• Show how to retrieve given the two signatures for and

• Amélie wants to do online shopping, say on Ebay

• She needs to establish a secure channel with an Ebay server, i.e. be able to exchange message confidentially and integrally/authentically with its server

• This is actually done by sharing one MAC key and one symmetric encryption key between them

• The server has a certified RSA public encryption key, but Amélie does not

• How can Amélie make sure they share the two secret keys?

• How can they check that they are sharing the same keys?

• List the properties of a hash function. Think of: input size, output size, who can compute it etc.

• Imagine we have a public key encryption scheme. We generate and , but throw away and publish

• We implement a hash scheme by using the PKE scheme, by using

• Should the PKE scheme be deterministic or probabilistic?

• Analyse the case of Textbook RSA as the encryption scheme. Which properties of the hash function are guaranteed?

• Assume the generic PKE scheme ensures that a plaintext cannot be recovered from the ciphertext. Which properties of the hash scheme does the PKE scheme guarantee?

• A pseudo-random generator is a deterministic function thattakes as input a fixed-length string (a seed) and which outputs a much longer string , suchthat looks random to anyadversary

• Assume Amélie and Baptiste share a seed

• Consider symmetric encryption with key , whereencryptionisdone as , for messages of lengthequal to that of (and paddedotherwise)

• Is this scheme deterministic or probabilistic?

• Show that this scheme is insecure if the adversary can request the decryption of even a single ciphertext.

• How can we make it secure even if the adversary can decrypt arbitrary ciphertexts?