1 / 12

Putting it all together: using multiple primitives together

Putting it all together: using multiple primitives together. Exercise 1. Say you have a signature scheme. SScheme = ( KGen , Sign, Vf ). Say this scheme is unforgeable against CMA. Modify the signature algorithm:. iff . & = 1. Is this still unforgeable against CMA?. Exercise 2.

hamish-bryan
Télécharger la présentation

Putting it all together: using multiple primitives together

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Putting it all together: using multiple primitives together

  2. Exercise 1 • Say you have a signature scheme SScheme = (KGen, Sign, Vf) • Say this scheme is unforgeable against CMA • Modify the signature algorithm: iff. & = 1 • Is this still unforgeable against CMA?

  3. Exercise 2 • We have an arbitrary unforgeable signature scheme: SScheme = (KGen, Sign, Vf) • And we also have any IND-CCA encryption scheme EScheme = (KGen, Enc, Dec) • Say we want to ensure that a confidentialmessage comes from a given party. Can we send: • ? • ? • ?

  4. Interlude • What would we use in order to: • Send a confidential message • Encrypt a large document • Send a confidential AND authenticated message • Authenticate a message with non-repudiation • Authenticate a message without non-repudiation • Find correspondences • Confidentiality • Hash function • Collision-resistance • MAC code • Authenticity • Symmetric encryption • Non-repudiation • PK Encryption • Integrity • Digital Signatures

  5. Exercise 3 • The Hash paradigm for signatures : • Improves the security of signature schemes • Improves efficiency for signatures, making their size the same, irrespective of the message length • Can we do the same for encryption schemes, i.e. use instead of • Can we send just instead of

  6. Exercise 4 • Symmetric encryption is faster than PK encryption • Suppose Amélie generates a symmetric encryption key (e.g. for AES 128) and encrypts a message for Baptiste withthis key. • Baptiste does not know the secret key. • By using one (or more) of the following mechanisms, show how Amélie can ensure that Baptiste can decrypt. • A public key encryption scheme • A symmetric encryption scheme • A signature scheme • A MAC scheme • A hash scheme

  7. Exercise 5 • Amélie and Baptiste share a secret key for a MAC scheme ……… Amélie Baptiste • They exchange some messages, without signing each one, but at the end, each party will send a MAC of the message: {<Name> || || || || … || } • How does CBC-mode symmetric encryption work? Why would this method be indicated for long conversations?

  8. Exercise 6 • Consider the DSA signature scheme • Say Amélie signs two different messages with the sameephemeral value (and obviously the sameprivate key ) • How would an attacker know from the signatures that the same ephemeral value was used for both signatures? • Show how to retrieve given the two signatures for and

  9. Exercise 7 • Amélie wants to do online shopping, say on Ebay • She needs to establish a secure channel with an Ebay server, i.e. be able to exchange message confidentially and integrally/authentically with its server • This is actually done by sharing one MAC key and one symmetric encryption key between them • The server has a certified RSA public encryption key, but Amélie does not • How can Amélie make sure they share the two secret keys? • How can they check that they are sharing the same keys?

  10. Exercise 8 • List the properties of a hash function. Think of: input size, output size, who can compute it etc. • Imagine we have a public key encryption scheme. We generate and , but throw away and publish • We implement a hash scheme by using the PKE scheme, by using • Should the PKE scheme be deterministic or probabilistic? • Analyse the case of Textbook RSA as the encryption scheme. Which properties of the hash function are guaranteed? • Assume the generic PKE scheme ensures that a plaintext cannot be recovered from the ciphertext. Which properties of the hash scheme does the PKE scheme guarantee?

  11. Exercise 9 • A pseudo-random generator is a deterministic function thattakes as input a fixed-length string (a seed) and which outputs a much longer string , suchthat looks random to anyadversary • Assume Amélie and Baptiste share a seed • Consider symmetric encryption with key , whereencryptionisdone as , for messages of lengthequal to that of (and paddedotherwise) • Is this scheme deterministic or probabilistic? • Show that this scheme is insecure if the adversary can request the decryption of even a single ciphertext. • How can we make it secure even if the adversary can decrypt arbitrary ciphertexts?

  12. Thanks!

More Related