### Slide - Cristina Onete

```Putting it all together: using multiple
primitives together
Cristina Onete
[email protected]/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */
Rennes, 23/10/2014
 Exercise 1
 Say you have a signature scheme
SScheme = (KGen, Sign, Vf)
 Say this scheme is unforgeable against CMA
 Modify the signature algorithm:
′   =  () ]
′ , ∗ ,  = 1 iff.  = ∗ &
(, ) = 1
 Is this still unforgeable against CMA?
Cristina Onete ||
23/10/2014
||
2
 Exercise 2
 We have an arbitrary unforgeable signature scheme:
SScheme = (KGen, Sign, Vf)
 And we also have any IND-CCA encryption scheme
EScheme = (KGen, Enc, Dec)
 Say we want to ensure that a confidential message
comes from a given party. Can we send:
•
?
•   ;
?
•  | ()
?
Cristina Onete ||
23/10/2014
||
3
 Interlude
 What would we use in order to:
• Send a confidential message
• Encrypt a large document
• Send a confidential AND authenticated message
• Authenticate a message with non-repudiation
• Authenticate a message without non-repudiation
 Find correspondences
• Confidentiality
 Hash function
• Collision-resistance
 MAC code
• Authenticity
 Symmetric encryption
• Non-repudiation
 PK Encryption
• Integrity
 Digital Signatures
Cristina Onete ||
23/10/2014
||
4
 Exercise 3
 The Hash paradigm for signatures    :
• Improves the security of signature schemes
• Improves efficiency for signatures, making their size the
same, irrespective of the message length
 Can we do the same for encryption schemes, i.e. use
 Can we send just (  ) instead of
Cristina Onete ||
23/10/2014
||
5
 Exercise 4
 Symmetric encryption is faster than PK encryption
 Suppose Amélie generates a symmetric encryption key
(e.g. for AES 128) and encrypts a message  for
Baptiste with this key.
 Baptiste does not know the secret key.
 By using one (or more) of the following mechanisms,
show how Amélie can ensure that Baptiste can decrypt.
• A public key encryption scheme
• A symmetric encryption scheme
• A signature scheme
• A MAC scheme
• A hash scheme
Cristina Onete ||
23/10/2014
||
6
 Exercise 5
 Amélie and Baptiste share a secret key for a MAC scheme
1
1
Amélie
………
Baptiste
2
2
 They exchange some messages, without signing each
one, but at the end, each party will send a MAC of the
message: {<Name> || 1 || 1 || 2 || 2 …  ||  }
 How does CBC-mode symmetric encryption work? Why
would this method be indicated for long conversations?
Cristina Onete ||
23/10/2014
||
7
 Exercise 6
 Consider the DSA signature scheme
 Say Amélie signs two different messages 1 ≠ 2 with
the same ephemeral value  (and obviously the same
private key )
 How would an attacker know from the signatures that
the same ephemeral value was used for both
signatures?
 Show how to retrieve  given the two signatures for
1 and 2
Cristina Onete ||
23/10/2014
||
8
 Exercise 7
 Amélie wants to do online shopping, say on Ebay
 She needs to establish a secure channel with an Ebay
server, i.e. be able to exchange message confidentially
and integrally/authentically with its server
 This is actually done by sharing one MAC key and one
symmetric encryption key between them
 The server has a certified RSA public encryption key, but
Amélie does not
 How can Amélie make sure they share the two secret
keys?
 How can they check that they are sharing the same keys?
Cristina Onete ||
23/10/2014
||
9
 Exercise 8
 List the properties of a hash function. Think of: input
size, output size, who can compute it etc.
 Imagine we have a public key encryption scheme. We
generate  and , but throw away  and publish
 We implement a hash scheme by using the PKE scheme,
by using   ∶=  ()
• Should the PKE scheme be deterministic or probabilistic?
• Analyse the case of Textbook RSA as the encryption scheme.
Which properties of the hash function are guaranteed?
• Assume the generic PKE scheme ensures that a plaintext
cannot be recovered from the ciphertext. Which properties of
the hash scheme does the PKE scheme guarantee?
Cristina Onete ||
23/10/2014
||
10
 Exercise 9
 A pseudo-random generator is a deterministic function
that takes as input a fixed-length string (a seed)  and
which outputs a much longer string , such that  looks
 Assume Amélie and Baptiste share a seed
 Consider symmetric encryption with key , where
encryption is done as   ≔    , for messages
of length equal to that of () (and padded otherwise)
• Is this scheme deterministic or probabilistic?
• Show that this scheme is insecure if the adversary can request
the decryption of even a single ciphertext.
• How can we make it secure even if the adversary can decrypt
arbitrary ciphertexts?
Cristina Onete ||
23/10/2014
||
11
Thanks!
CIDRE
```