Rennes, 23/10/2014

Cristina Onete

maria-cristina.onete@irisa.fr

Putting it all together: using multiple primitives together

Exercise 1

Say you have a signature scheme

SScheme = (KGen, Sign, Vf)

Say this scheme is unforgeable against CMA Modify the signature algorithm:

𝑆𝑖𝑔𝑛′𝑠𝑘 (𝑚 )=[𝑆𝑖𝑔𝑛𝑠𝑘(𝑚)|𝑚¿

Is this still unforgeable against CMA?

iff. & = 1

Cristina Onete || 23/10/2014 || 2

Exercise 2

We have an arbitrary unforgeable signature scheme:

SScheme = (KGen, Sign, Vf)

And we also have any IND-CCA encryption scheme

Say we want to ensure that a confidential message comes from a given party. Can we send:

• ?

EScheme = (KGen, Enc, Dec)

• ?

• ?

Cristina Onete || 23/10/2014 || 3

Cristina Onete || 23/10/2014 || 4

Interlude

What would we use in order to:

• Send a confidential message

• Encrypt a large document

• Send a confidential AND authenticated message

• Authenticate a message with non-repudiation

• Authenticate a message without non-repudiation

Find correspondences• Confidentiality

• Authenticity

• Integrity

• Collision-resistance

• Non-repudiation

Hash function MAC code Symmetric encryption PK Encryption Digital Signatures

Cristina Onete || 23/10/2014 || 5

Exercise 3

The Hash paradigm for signatures :

• Improves the security of signature schemes

• Improves efficiency for signatures, making their size the same, irrespective of the message length

Can we do the same for encryption schemes, i.e. use instead of

Can we send just instead of

Cristina Onete || 23/10/2014 || 6

Exercise 4

Symmetric encryption is faster than PK encryption

Suppose Amélie generates a symmetric encryption key (e.g. for AES 128) and encrypts a message for Baptiste with this key.

Baptiste does not know the secret key.

By using one (or more) of the following mechanisms, show how Amélie can ensure that Baptiste can decrypt.

• A public key encryption scheme

• A symmetric encryption scheme

• A signature scheme

• A MAC scheme

• A hash scheme

Cristina Onete || 23/10/2014 || 7

Exercise 5

Amélie and Baptiste share a secret key for a MAC scheme

Amélie Baptiste

They exchange some messages, without signing each one, but at the end, each party will send a MAC of the message: {<Name> || || || || … || }

𝑏1𝑎1

𝑏2𝑎2

………

How does CBC-mode symmetric encryption work? Why would this method be indicated for long conversations?

Cristina Onete || 23/10/2014 || 8

Exercise 6

Consider the DSA signature scheme

Say Amélie signs two different messages with the same ephemeral value (and obviously the same private key )

Show how to retrieve given the two signatures for and

How would an attacker know from the signatures that the same ephemeral value was used for both signatures?

Cristina Onete || 23/10/2014 || 9

Exercise 7

Amélie wants to do online shopping, say on Ebay She needs to establish a secure channel with an Ebay

server, i.e. be able to exchange message confidentially and integrally/authentically with its server

This is actually done by sharing one MAC key and one symmetric encryption key between them

The server has a certified RSA public encryption key, but Amélie does not

How can Amélie make sure they share the two secret keys?

How can they check that they are sharing the same keys?

Cristina Onete || 23/10/2014 || 10

Exercise 8

List the properties of a hash function. Think of: input size, output size, who can compute it etc.

Imagine we have a public key encryption scheme. We generate and , but throw away and publish

• Should the PKE scheme be deterministic or probabilistic?

We implement a hash scheme by using the PKE scheme, by using

• Assume the generic PKE scheme ensures that a plaintext cannot be recovered from the ciphertext. Which properties of the hash scheme does the PKE scheme guarantee?

• Analyse the case of Textbook RSA as the encryption scheme. Which properties of the hash function are guaranteed?

Cristina Onete || 23/10/2014 || 11

Exercise 9

A pseudo-random generator is a deterministic function that takes as input a fixed-length string (a seed) and which outputs a much longer string , such that looks random to any adversary

Assume Amélie and Baptiste share a seed

Consider symmetric encryption with key , where encryption is done as , for messages of length equal to that of (and padded otherwise)

• Is this scheme deterministic or probabilistic?

• Show that this scheme is insecure if the adversary can request the decryption of even a single ciphertext.

• How can we make it secure even if the adversary can decrypt arbitrary ciphertexts?

CIDRE

Thanks!