/
Authenticated Encryption Authenticated Encryption

Authenticated Encryption - PowerPoint Presentation

ellena-manuel
ellena-manuel . @ellena-manuel
Follow
343 views
Uploaded On 2019-03-17

Authenticated Encryption - PPT Presentation

Definitions Online Cryptography Course Dan Boneh Goals An authenticated encryption system ED is a cipher where As usual E K M N C ID: 757247

authenticated encryption ciphertext message encryption authenticated message ciphertext security bob cipher adv outputs chal implication create cpa integrity provide alice system segment

Share:

Link:

Embed:

Download Presentation from below link

Download Presentation The PPT/PDF document "Authenticated Encryption" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.


Presentation Transcript

Slide1

Authenticated Encryption

Definitions

Online Cryptography Course Dan BonehSlide2

GoalsAn authenticated encryption system (E,D) is a cipher where As usual: E: K × M

× N ⟶ C

but D: K × C × N ⟶ M ∪{⊥}Security

: the system must provide

sem. security under a CPA attack, andciphertext integrity: attacker cannot create new

ciphertexts

that decrypt properly

c

iphertext

is rejectedSlide3

Ciphertext integrityLet (E,D) be a cipher with message space M.

Def

: (E,D) has ciphertext integrity if for all “efficient” A:

AdvCI[

A,E] = Pr[Chal. outputs 1] is

negligible.

Chal.

Adv.

k

K

c

m

1

 M

c

1

E(

k,

m

1)

b

=1 if D(k,c) ≠⊥ and c  { c1 , … , cq }b=0 otherwise

b

m

2

, …,

m

q

c2

, …,

c

qSlide4

Authenticated encryptionDef: cipher (E,D) provides authenticated encryption (AE) if it is

(1) semantically secure under CPA, and (2) has

ciphertext integrityBad example: CBC with rand. IV does not provide AED(k,⋅) never outputs ⊥, hence adv. easily wins CI gameSlide5

Implication 1: authenticityAttacker cannot fool Bob into thinking a message was sent from Alice

Alice

Bob

k

k

m

1

, …,

m

q

c

i

= E(k, m

i

)

c

Cannot create

valid c ∉ { c

1, …, cq }

⇒ if D(k,c) ≠⊥ Bob knows message is from someone who knows k

(but message could be a replay) Slide6

Implication 2Authenticated encryption ⇒ Security against chosen ciphertext

attacks (next segment)Slide7

End of Segment