CSE207

CSE207 - AUTHENTICATED ENCRYPTION 1 / 55 So Far ... We have...

Info iconThis preview shows pages 1–10. Sign up to view the full content.

View Full Document Right Arrow Icon

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: AUTHENTICATED ENCRYPTION 1 / 55 So Far ... We have looked at methods to provide privacy and integrity/authenticity separately: Goal Primitive Security notions Data privacy symmetric encryption IND-CPA, IND-CCA Data integrity/authenticity MA scheme/MAC UF-CMA, SUF-CMA 2 / 55 Authenticated Encryption In practice we often want both privacy and integrity/authenticity. Example: A doctor wishes to send medical information M about Alice to the medical database. Then • We want data privacy to ensure Alice’s medical records remain confidential. • We want integrity/authenticity to ensure the person sending the information is really the doctor and the information was not modified in transit. We refer to this as authenticated encryption. 3 / 55 Authenticated Encryption Schemes Syntactically, an authenticated encryption scheme is just a symmetric encryption scheme AE = ( K , E , D ) where 4 / 55 Privacy of Authenticated Encryption Schemes The notions of privacy for symmetric encryption carry over: • IND-CPA • IND-CCA 5 / 55 Integrity of Authenticated Encryption Schemes Adversary’s goal is to get the receiver to accept a “non-authentic” ciphertext C . Two possible interpretations of “non-authentic:” • Integrity of plaintexts: M = D K ( C ) was never encrypted by the sender • Integrity of ciphertexts: C was never transmitted by the sender 6 / 55 INT-PTXT Let AE = ( K , E , D ) be a symmetric encryption scheme and A an adversary. Game INTPTXT AE procedure Initialize K $ ← K ; S ← ∅ procedure Enc ( M ) C $ ← E K ( M ) S ← S ∪ { M } return C procedure Dec ( C ) M ← D K ( C ) if ( M negationslash∈ S ∧ M negationslash = ⊥ ) then win ← true return win procedure Finalize return win The int-ptxt advantage of A is Adv int- ptxt AE ( A ) = Pr[INTPTXT A AE ⇒ true] 7 / 55 INT-CTXT Let AE = ( K , E , D ) be a symmetric encryption scheme and A an adversary. Game INTCTXT AE procedure Initialize K $ ← K ; S ← ∅ procedure Enc ( M ) C $ ← E K ( M ) S ← S ∪ { C } return C procedure Dec ( C ) M ← D K ( C ) if ( C negationslash∈ S ∧ M negationslash = ⊥ ) then win ← true return win procedure Finalize return win The int-ctxt advantage of A is Adv int- ctxt AE ( A ) = Pr[INTCTXT A AE ⇒ true] 8 / 55 INT-CTXT ⇒ INT-PTXT If AE = ( K , E , D ) is INT-CTXT secure then it is also INT-PTXT secure. Why? Suppose A makes Enc queries M 1 , . . . , M q resulting in ciphertexts C 1 $ ← E K ( M 1 ) , . . . , C q $ ← E K ( M q ) suppose A makes query Dec ( C ), and let M = D K ( C ). Fact: M negationslash∈ { M 1 , . . . , M q } ⇒ C negationslash∈ { C 1 , . . . , C q } So if A wins INT-PTXT AE it also wins INT-CTXT AE . Theorem: For any adversary A, Adv int- ptxt AE ( A ) ≤ Adv int- ctxt AE ( A ) ....
View Full Document

This note was uploaded on 08/31/2011 for the course CSE 207 taught by Professor Daniele during the Winter '08 term at UCSD.

Page1 / 73

CSE207 - AUTHENTICATED ENCRYPTION 1 / 55 So Far ... We have...

This preview shows document pages 1 - 10. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online