Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Modern Cryptography www.dziembowski.net/Studenti/BISS09 Lecture 3 Message Authentication and Hash Functions Stefan Dziembowski University of Rome La Sapienza BiSS 2009 Bertinoro International Spring School 2-6 March 2009 Plan 1. Introduction to message authentication codes (MACs). 2. Constructions of MACs: 1. from pairwise independent functions 2. from block ciphers 3. Hash functions 1. 2. 3. 4. 5. 6. a definition constructions the “birthday attack” concrete functions a construction of MACs from hash functions the random oracle model Message Authentication Integrity: M Alice interferes with the transmission (modifies the message, or inserts a new one) Bob How can Bob be sure that M really comes from Alice? 3 Sometimes: more important than secrecy! transfer 1000 $ to Bob Alice transfer 1000 $ to Eve Bank Of course: usually we want both secrecy and integrity. 4 Does encryption guarantee message integrity? Idea: 1. 2. Alice encrypts m and sends c=Enc(k,m) to Bob. Bob computes Dec(k,m), and if it “makes sense” accepts it. Intuiton: only Alice knows k, so nobody else can produce a valid ciphertext. It does not work! Example: one-time pad. plaintext transfer 1000 $ to Bob “Eve” xor “Bob” transfer 1000 $ to Eve key K xor ciphertext C 5 Message authentication verifies if t=Tagk(m) (m, t=Tagk(m)) m Alice Bob k k Eve can see (m, t=Tagk(m)) She should not be able to compute a valid tag t’ on any other message m’. 6 Message authentication – multiple messages m1 (m1, t=Tagk(m1)) m2 (m2, t=Tagk(m2)) ... ... Alice mt Bob (mw, t=Tagk(mw)) k k Eve should not be able to compute a valid tag t’ on any other message m’. 7 Message Authentication Codes – the idea m є {0,1}* (m, t=Tagk(m)) Vrfyk(m) є {yes,no} Alice Bob k k k is chosen randomly from some set T 8 A mathematical view K – key space M – plaintext space T - set of tags A MAC scheme is a pair (Tag, Vrfy), where Tag : K × M → T is an tagging algorithm, Ver: K × M × T → {yes, no} is an decryption algorithm. We will sometimes write Tagk(m) and Vrfyk(m,t) instead of Tag(k,m) and Vrfy(k,m,t). Correctness it should always holds that: Vrfyk(m,Tagk(m)) = yes. Conventions If Vrfyk(m,t) = yes then we say that t is a valid tag on the message m. If Tag is deterministic, then Vrfy just computes Tag and compares the result. In this case we do not need to define Vrfy explicitly. How to define security? We need to specify: 1. how the messages m1,...,mw are chosen, 2. what is the goal of the adversary. Good tradition: be as pessimistic as possible! Therefore we assume that 1. The adversary is allowed to chose m1,...,mw. 2. The goal of the adversary is to produce a valid tag on some m’ such that m’ ≠ m1,...,mw. 11 security parameter 1n adversary selects random a k Є {0,1}n m1 (m1, t=Tagk(m1)) oracle ... mw (mw, t=Tagk(mw)) We say that the adversary breaks the MAC scheme at the end she outputs (m’,t’) such that Vrfy(m’,t’) = yes and m’ ≠ m1,...,mw 12 The security definition We say that (Tag,Vrfy) is secure if P(A breaks it) is negligible (in n) A polynomial-time adversary A 13 Aren’t we too paranoid? Maybe it would be enough to require that: the adversary succeds only if he forges a message that “makes sense”. (e.g.: forging a message that consists of random noise should not count) Bad idea: • hard to define, • is application-dependent. 14 Warning: MACs do not offer protection against the “replay attacks”. (m, t) Alice Bob Since Vrfy has no state (or “memory”) there is no way to detect that (m,t) is not fresh! This problem has to be solved by the higher-level application (methods: time-stamping, sequence numbers...). 15 Authentication and Encryption Usually we want to authenticate and encrypt at the same time. What is the right way to do it? There are several options: • • • Encrypt-and-authenticate: c ← Enck1(m) and t ← Mack2 (m) Authenticate-then-encrypt: t ← Mack2 (m) and c ← Enck1(m||t) Encrypt-then-authenticate: c ← Enck1(m) and t ← Mack2 (c) wrong better the best By the way: never use the same key for Enc and Mac: k1 and k2 have to be “independent”! 16 Constructing a MAC 1. There exist MACs that are secure even if the adversary is infinitely-powerful. These constructions are not practical. 2. MACs can be constructed from the block-ciphers. We will now discuss to constructions: – simple (and not practical), – a little bit more complicated (and practical) – a CBC-MAC 1. MACs can also be constructed from the hash functions (NMAC, HMAC). 17 Plan 1. Introduction to message authentication codes (MACs). 2. Constructions of MACs: 1. from pairwise independent functions 2. from block ciphers 3. Hash functions 1. 2. 3. 4. 5. 6. a definition constructions the “birthday attack” concrete functions a construction of MACs from hash functions the random oracle model Information-theoretically secure MACs We now show a construction of informationtheoretically secure MACs, i.e.: MACs that are secure against an infinitelypowerful adversary Our construction will be secure only if the key is never reused. like in the one-time pad encryption... Observation (m, t=Tagk(m)) m Alice Bob Eve can see (m, t=Tagk(m)) She should not be able to compute a valid tag t’ on any other message m’. It is enough that any pair of variables in the set {Tm}m Є M where Tm := TagK(m) is independent. This is called a set of pairwise independent variables. We are now going to construct such a set... Pairwise independence A set {Tm}m Є M of variables is pairwise independent if for every m0, m1 the variables Tm0 and Tm1 are independent. This is not the same as saying that {Tm}m Є M are independent. Idea: Linear function over Zp (where p is a large prime) M = Zp K = Zp × Zp T = Zp for example p = 2107- 1 Tag((a,b), m) = am + b mod p Intuition: ... ? a ... b m0 m1 m0 m1 22 Lemma. Let (A,B) be distributed uniformly over Zp × Zp. Then for every distinct m0 and m1 the following variables are independent (A· m0 + B) and (A· m1 + B) . Clearly, each of those variables is distributed uniformly over Zp and hence of every (x,y) we have P (A · m0 + B = x)· P(A· m1 + B = y) = 1/p · 1/p = 1/p2 Therefore it suffices to show that P (A· m0 + B = x and A· m1 + B = y) = 1/p2 This is equivalent to the fact that the following system of linear equations (over Zp) has exactly one solution (where a and b are the unknowns): { a· m0 + b = x a· m1 + b = y Clearly if m0 ≠ m1 then det [ m0 1 m1 1 ] ≠0 Thus we are done 23 Can we reuse the same key many times? After seeing two values: Tag(k,m0) = A· m0 + B Tag(k,m1) = A· m0 + B (for m0 ≠ m1) the adversary can compute (A,B) by solving a system of linear equations. It can be shown that in general the length of the key has to be proportional to the total length of authenticated messages. 24 How to encrypt more messages with one short key k? Simple idea: For every new message mi generate pseudorandomly a new key ki for the one-time MAC. k PRG G k1 k2 k3 ... Tag(k1,m1) Tag(k2,m2) Tag(k3,m3) This can be proven secure! A new member of “Minicrypt” one-way functions exist this can be proven this we already knew computationally-secure MACs exist cryptographic PRGs exist this we have just proven Plan 1. Introduction to message authentication codes (MACs). 2. Constructions of MACs: 1. from pairwise independent functions 2. from block ciphers 3. Hash functions 1. 2. 3. 4. 5. 6. a definition constructions the “birthday attack” concrete functions a construction of MACs from hash functions the random oracle model A simple construction from a block cipher Let F : {0,1}n × {0,1}n → {0,1}n F(k,m) be a block cipher. We can now define a MAC scheme that works only for messages m Є {0,1}n as follows: k Fk • Mac(k,m) = F(k,m) m It can be proven that it is a secure MAC. How to generalize it to longer messages? 28 Idea 1 • divide the message in blocks m1,...,md • and authenticate each block separately F(k,m1) F(k,md) ... Fk Fk m1 md This doesn’t work! 29 What goes wrong? m: t = Tagk(m): perm m’ = perm(m): t’ = perm(t): Then t’ is a valid tag on m’. 30 Idea 2 Add a counter to each block. F(k,x1) F(k,xd) ... Fk 1 m1 x1 Fk d md xd This doesn’t work either! 31 i mi xi m: t = Tagk(m): m’ = a prefix of m: t’ = a prefix of t: Then t’ is a valid tag on m’. 32 Idea 3 Add l := |m| to each block F(k,x1) F(k,xd) ... Fk l 1 Fk m1 x1 l d md xd This doesn’t work either! 33 l 1 m1 xi What goes wrong? m: m’: t = Tagk(m): t’ = Tagk(m’): m’’ = first half from m || second half from m’ t’’ = first half from t || second half from t’ Then t’’ is a valid tag on m’’. 34 Idea 4 Add a fresh random value to each block! F(k,x1) F(k,xd) ... Fk r l Fk d x1 md r l d md xd This works! 35 tagk(m) r r F(k,x1) F(k,x2) Fk Fk l 1 m1 r l m1 m2 2 ... m2 |mi| = n/4 r l d md xd ... md m n – block length Fk ... x2 x1 r is chosen randomly F(k,xd) 000 l pad with zeroes if needed36 This construction can be proven secure Theorem Assuming that F : {0,1}n × {0,1}n → {0,1}n is a pseudorandom permutation the construction from the previous slide is a secure MAC. Proof idea: Suppose it is not a secure MAC. Let A be an adversary that breaks it with a non-negligible probability. We construct a distinguisher D that distinguishes F from a random permutation. 37 This construction is not practical Problem: The tag is 4 times longer than the message... We can do much better! 38 CBC-MAC F : {0,1}n × {0,1}n → {0,1}n - a block cipher tagk(m) Fk Fk Fk Fk |m| m1 m2 m3 Fk ... m md 0000 pad with zeroes if needed Other variants exist! 39 tagk(m) Fk Fk Fk Fk |m| m1 m2 m3 Fk ... md Why is this needed? Suppose we do not prepend |m|... 40 t1=tagk(m1) t2=tagk(m2) Fk Fk m1 m2 the adversary chooses: t’= tagk(m’) t1 now she can compute: Fk Fk m1 m2 xor t1 m’ t’ = t2 41 Some practictioners don’t like the CBCMAC We don’t want to authenticate using the block ciphers! What do you want to use instead? Hash functions! Why? 1. 2. Because: they are more efficient, they are not protected by the export regulations. 42 Plan 1. Introduction to message authentication codes (MACs). 2. Constructions of MACs: 1. from pairwise independent functions 2. from block ciphers 3. Hash functions 1. 2. 3. 4. 5. 6. a definition constructions the “birthday attack” concrete functions a construction of MACs from hash functions the random oracle model Another idea for authenticating long messages Fk(h(m)) k a block cipher Fk h(m) a “hash function” h long m By the way: a similar method is used in the public-key cryptography (it is called “hash-and-sign”). 44 How to formalize it? We need to define what is a “hash function”. The basic property that we require is: “collision resistance” Collision-resistant hash functions short H(m) a hash function H : {0,1}* → {0,1}L long m collision-resistance a “collision” Requirement: it should be hard to find a pair (m,m’) such that H(m) =H(m’) 46 Collisions always exist m domain range m’ Since the domain is larger than the range the collisions have to exist. 47 Hash functions are a bit simillar to the error-correcting codes Difference between the hash functions and the error correcting codes: • error-correcting codes are secure against the random errors. • collision-resistant hash functions are secure against the intentional errors. A bit like: pseudorandom generators vs. cryptographic pseudorandom generators. 48 “Practical definition” H is a collision-resistant hash function if it is “practically impossible to find collisions in H”. Popular hash funcitons: • MD5 (now considered broken) • SHA1 • ... 49 How to formally define “collision resitance”? Idea Say something like: H is a collision-resistant hash function if P(A finds a collision in H) is small A efficient adversary A Problem For a fixed H there always exist a constant-time algorithm that “finds a collision in H” in constant time. It may be hard to find such an algorithm, but it always exists! 50 Solution When we prove theorems we will always consider families of hash functions indexed by a key s {Hs} s є keys 51 informal description: “knows H” a protocol H H H s is chosen randomly formal model: a protocol s Hs Hs Hs 52 informal description: “knows H” a protocol H H H real-life implementation (example): “knows SHA1” a protocol SHA1 SHA1 SHA1 53 Hash functions – the functional definition A hash function is a probabilistic polynomial-time algorithm H such that: H takes as input a key s є {0,1}n and a message x є {0,1}* and outputs a string Hs(x) є {0,1}L(n) where L(n) is some fixed function. 54 Hash functions – the security definition [1/2] 1n s selects a random s є {0,1}n outputs (m,m’) We say that adversary A breaks the function H if Hs(m) = Hs(m’). 55 Hash functions – the security definition [2/2] H is a collision-resistant hash function if P(A breaks H) is negligible A polynomial-time adversary A 56 How to formalize our idea? Fk(h(m)) k a block cipher Fk h(m) a “hash function” h long m 57 Authentication scheme - formally A key for the MAC is a pair: a key for the hash function H (s,k) a key for the PRF F Tag((k,s),m) = Fk(Hs(m)) Theorem. If H and F are secure then Tag is secure. This is proven as follows. Suppose we have an adversary that breaks Tag. Then we can construct: a distinguisher for F simulates an adversary for H or simulates Do collision-resilient hash functions belong to minicrypt? collision-resilient hash functions exist easy exercise ? open problem one-way functions exist [D. Simon: Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions? 1998]: there is no “black-box reduction”. Plan 1. Introduction to message authentication codes (MACs). 2. Constructions of MACs: 1. from pairwise independent functions 2. from block ciphers 3. Hash functions 1. 2. 3. 4. 5. 6. a definition constructions the “birthday attack” concrete functions a construction of MACs from hash functions the random oracle model A common method for constructing hash functions 1. Construct a “fixed-input-length” collision-resistant hash function L h(m) h : {0,1}2·L → {0,1}L m 2·L Call it: a collision-resistant compression function. 2. Use it to construct a hash function. 61 An idea pad with zeroes if needed t m m1 m2 0000 ... mB mi є {0,1}L ... h IV h h H(m) can be arbitrary This doesn’t work... 62 Why is it wrong? t m m1 0000 ... m2 mB If we set m’ = m || 0000 then H(m’) = H(m). Solution: add a block encoding “t”. t m m1 m2 0000 ... mB mB+1 := t 63 Merkle-Damgård transform given h : {0,1}2L → {0,1}L we construct H : {0,1}*→ {0,1}L doesn’t need to be know in advance (nice!) t m m1 0000 m2 mB mB+1 := t mi є {0,1} L ... IV h h h h H(m) 64 This construction is secure We would like to prove the following: Theorem If h : {0,1}2L → {0,1}L is a collision-resistant compression function then H : {0,1}*→ {0,1}L is a collision-resistant hash function. But wait…. It doesn’t make sense… 65 We need to consider the hash function families Suppose (gen,h) is a collision-resistant hash function such that for every s {0,1}n we have hs : {0,1}2L(n) → {0,1}L(n) L(n) h(m) h m 2·L(n) 66 We now show how to transform such an h into a hash function H. How? 1. The key s is the same in H as in h. 2. Use the same construction as before 67 Merkle-Damgård transform given h : {0,1}2L(n) → {0,1}L(n) we construct H : {0,1}* → {0,1}L(n) t m m1 0000 m2 mB mB+1 := t mi є {0,1} L(n) ... IV h h h h H(m) 68 This construction is secure Theorem If h is a collision-resistant hash function then H is a collision-resistant hash function. Proof Suppose A is a polynomial-time adversary that breaks H with a non-negligible probability. We construct a polynomial-time adversary a that breaks h with a non-negligible probability. 69 s ← {0,1}n s s a breaks hs by simulating A (m,m’) A breaks Hs now a should output a collision (x,y) in h a collision in Hs 70 How to compute a collision (x,y) in h from a collision (m,m’) in H? We consider two options: 1. |m| = |m’| 2. |m| ≠ |m’| 71 Option 1: |m| = |m’| t m m1 m2 0000 mB mB+1 := t t m m1 m2 0000 mB mB+1 := t 72 |m| = |m’| Some notation: m m1 0000 m2 mB mB+1 := t ... IV z 1 h h z2 h z3 zB h zB+1 H(m) 73 |m| = |m’| For m’: m’ m’1 0000 m’2 m’B m’B+1 := t ... IV z’ 1 h h z’2 h z’3 z’B h z’B+1 H(m’) 74 zB+2=H(m) equal zB+2=H(m’) mB+1 zB+1 m’B+1 z’B+1 mB zB m’B z’B ... ... z3 m2 z2 m1 z1 = IV z3 not equal m’2 z’2 m’1 z’1 = IV 75 zB+2=H(m) mB+1 mB equal zB+1 zB z2 m1 z1 = IV m’B+1 z’B+1 m’B z’B m’2 z’2 m’1 z’1 = IV ... ... m2 Let i* be the least i such that zB+2=H(m’) (mi,zi) = (m’i,z’i) (because m ≠ m’ such an i* > 1 always exists!) 76 So, we have found a collision! zi* equal z’i* h mi*-1 h zi*-1 not equal m’i*-1 z’i*-1 77 Option 2: |m| ≠ |m’| H(m) mB+1 equal zB+1 H(m’) m’B’+1 z’B’+1 ... ... the last block encodes the length on the message so these values cannot be equal! So, again we have found a collision! 78 Finalizing the proof So, if A breaks H with probability ε(n), then a breaks h with probability ε(n). If A runs in polynomial time, then a also runs in polynomial time. QED 79 Plan 1. Introduction to message authentication codes (MACs). 2. Constructions of MACs: 1. from pairwise independent functions 2. from block ciphers 3. Hash functions 1. 2. 3. 4. 5. 6. a definition constructions the “birthday attack” concrete functions a construction of MACs from hash functions the random oracle model Generic attacks on hash functions Remember the brute-force attacks on the encryption schemes? For the hash functions we can do something slightly smarter... It is called a “birthday attack”. 81 The birthday paradox Suppose we have a random function H:A→B Take n values x1,...,xn Let p(n) be the probability that there exist distinct i,j such that H(xi) = H(xj). If n ≥ |B| then trivially p(n) = 1. Question: How large n needs to be to get p(n) = 1/2 Answer: More precisely we have: n | B| n(n-1) n2 p(n) 4| B| 2 |B| 82 Why is it called “a birthday paradox”? Set: H : people → birthdays Q: How many random people you need to take to know that with probability 0.5 at least 2 of them have birthday on the same day? A: 23 is enough! Counterintuitive... 83 How does the birthday attack work? For a hash function H : {0,1}* → {0,1}L Take a random X – a subset of {0,1}2L, such that |X| = 2L/2. With probability around 0.5 there exists x,x’ є X, such that H(x) = H(x’). A pair (x,x’) can be found in time O(|X| log |X|) and space O(|X|). Moral L has to be such that an attack that needs 2L/2 steps is infeasible. 84 Plan 1. Introduction to message authentication codes (MACs). 2. Constructions of MACs: 1. from pairwise independent functions 2. from block ciphers 3. Hash functions 1. 2. 3. 4. 5. 6. a definition constructions the “birthday attack” concrete functions a construction of MACs from hash functions the random oracle model Concrete functions • MD5, • SHA-1, SHA-256,... • .... all use (variants of) Merkle-Damgård transformation. Hash functions can also be constructed using the number theory. 86 MD5 (Message-Digest Algorithm 5) • output length: 128 bits, • designed by Rivest in 1991, • in 1996, Dobbertin found collisions in the compresing function of MD5, • in 2004 a group of Chinese mathematicians designed a method for finding collisions in MD5, • there exist a tool that finds collisions in MD5 with a speed 1 collision / minute (on a laptop-computer) Is MD5 completely broken? The attack would be practical if the colliding documents “made sense”... In 2005 A. Lenstra, X. Wang, and B. de Weger found X.509 certificates with different public keys and the same MD5 hash. 87 SHA-1 (Secure Hash Algorithm) • output length: 160 bits, • designed in 1993 by the NSA, • in 2005 Xiaoyun Wang, Andrew Yao and Frances Yao presented an attack that runs in time 263. • Still rather secure, but new hash algorithms are needed! A US National Institute of Standards and Technology is currently running a competition for a new hash algorithm. 88 Plan 1. Introduction to message authentication codes (MACs). 2. Constructions of MACs: 1. from pairwise independent functions 2. from block ciphers 3. Hash functions 1. 2. 3. 4. 5. 6. a definition constructions the “birthday attack” concrete functions a construction of MACs from hash functions the random oracle model What the industry says about the “hash and authenticate” method? the block cipher is still there... Why don’t we just hash a message together with a key: MACk(m) = H(k || m) ? It’s not secure! 90 Suppose H was constructed using the MDtransform MACk(m||t) MACk(m) t+L MACk(m) t zB t zB m z2 m z2 k IV k IV L 91 A better idea M. Bellare, R. Canetti, and H. Krawczyk (1996): • NMAC (Nested MAC) • HMAC (Hash based MAC) have some “provable properites” They both use the Merkle-Damgård transform. Again, let h : {0,1}2L → {0,1}L be a compression function. 92 NMAC m m1 k1 h 0000 mB ... h mB+1 := |m| h k2 h NMAC(k1,k2) (m) 93 What can be proven Suppose that 1. h is collision-resistant 2. the following function is a secure MAC: m k2 h MACk2(m) Then NMAC is a secure MAC. 94 Looks better, but 1. our libraries do not permit to change the IV 2. the key is too long: (k1,k2) HMAC is the solution! 95 HMAC k xor ipad m1 mB+1 := |m| ipad = 0x36 repeated opad = 0x5C repeated IV h h ... IV h h h HMACk (m) k xor opad 96 HMAC – the properties Looks complicated, but it is very easy to implement (given an implementation of H): HMACk(m) = H((k xor opad) || H(k xor ipad || m)) It has some “provable properties” (slightly weaker than NMAC). We like it! Widely used in practice. 97 Plan 1. Introduction to message authentication codes (MACs). 2. Constructions of MACs: 1. from pairwise independent functions 2. from block ciphers 3. Hash functions 1. 2. 3. 4. 5. 6. a definition constructions the “birthday attack” concrete functions a construction of MACs from hash functions the random oracle model Other uses of “hash functions” Hash functions are used by practicioners to convert “non-uniform randomness” into a uniform one. Example: shorter “uniformly random” H(m) a hash function H : {0,1}* → {0,1}L user generated randomness X (key strokes, mouse movements, etc.) How to formalize it? Random oracle model [Bellare, Rogaway, Random Oracles are Practical: A Paradigm for Designing Efficient Protocols, 1993] Idea: model the hash function as a random oracle. x H(x) H : {0,1}* → {0,1}L a completely random function Remember the pseudorandom functions? A random function F: {0,1}m → {0,1}m Crucial difference: Also the adversary can query the oracle informal description: “knows H” a protocol H formal model: H : {0,1}* → {0,1}L Every call to H is replaced with a query to the oracle. a protocol also the adversary is allowed to query the oracle. 102 How would we use it in the proof? shorter “uniformly random” H(X) a hash function H : {0,1}* → {0,1}L user generated randomness X As long as the adversary never queried the oracle on X the value H(X) “looks completely random to him”. Criticism of the Random Oracle Model [Canetti, Goldreich, Halevi: The random oracle methodology, revisited. 1998] There exists a signature scheme that is • secure in ROM but • is not secure if the random oracle is replaced with any real hash function. This example is very artificial. No “realistic” example of this type is know. Terminology Model without the random oracles: •“plain model” •“cryptographic model” Random Oracle Model is also called: the “Random Oracle Heuristic”. Common view: a ROM proof is better than nothing. Plan 1. Introduction to message authentication codes (MACs). 2. Constructions of MACs: 1. from pairwise independent functions 2. from block ciphers 3. Hash functions 1. 2. 3. 4. 5. 6. a definition constructions the “birthday attack” concrete functions a construction of MACs from hash functions the random oracle model Let us look again at the plan of the course plan of the course: encryption private key public key authentication 1 private key encryption 2 private key authentication 3 public key encryption 4 signatures 5 advanced cryptographic protocols Outlook cryptography “information-theoretic”, “unconditional” • one time pad, • quantum cryptography, • ... “computational” based on 2 simultanious assumptions: 1. some problems are computationally difficult 2. our understanding of what “computational difficulty” means is correct. Symmetric cryptography symmetric cryptography encryption authentication Basic information-theoretic tools • xor (one-time pad) • two-wise independent functions Basic tools from the computational cryptography • • • • one-way functions pseudorandom generators pseudorandom functions/permutations hash functions A method for proving security: reductions minicrypt P ≠ NP hash functions one-way functions pseudorandom generators pseudorandom functions/permutations computationally-secure authentication computationally-secure encryption in general the picture is much more complicated! Plan for the next lectures plan of the course: encryption private key public key authentication 1 private key encryption 2 private key authentication 3 public key encryption 4 signatures 5 advanced cryptographic protocols we will now go here but first we need to have some number theory brush-up ©2009 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.