Definitions Online Cryptography Course Dan Boneh Goals An authenticated encryption system ED is a cipher where As usual E K M N C ID: 757247
Download Presentation The PPT/PDF document "Authenticated Encryption" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Authenticated Encryption
Definitions
Online Cryptography Course Dan BonehSlide2
GoalsAn authenticated encryption system (E,D) is a cipher where As usual: E: K × M
× N ⟶ C
but D: K × C × N ⟶ M ∪{⊥}Security
: the system must provide
sem. security under a CPA attack, andciphertext integrity: attacker cannot create new
ciphertexts
that decrypt properly
c
iphertext
is rejectedSlide3
Ciphertext integrityLet (E,D) be a cipher with message space M.
Def
: (E,D) has ciphertext integrity if for all “efficient” A:
AdvCI[
A,E] = Pr[Chal. outputs 1] is
“
negligible.
”
Chal.
Adv.
k
K
c
m
1
M
c
1
E(
k,
m
1)
b
=1 if D(k,c) ≠⊥ and c { c1 , … , cq }b=0 otherwise
b
m
2
, …,
m
q
c2
, …,
c
qSlide4
Authenticated encryptionDef: cipher (E,D) provides authenticated encryption (AE) if it is
(1) semantically secure under CPA, and (2) has
ciphertext integrityBad example: CBC with rand. IV does not provide AED(k,⋅) never outputs ⊥, hence adv. easily wins CI gameSlide5
Implication 1: authenticityAttacker cannot fool Bob into thinking a message was sent from Alice
Alice
Bob
k
k
m
1
, …,
m
q
c
i
= E(k, m
i
)
c
Cannot create
valid c ∉ { c
1, …, cq }
⇒ if D(k,c) ≠⊥ Bob knows message is from someone who knows k
(but message could be a replay) Slide6
Implication 2Authenticated encryption ⇒ Security against chosen ciphertext
attacks (next segment)Slide7
End of Segment