Lecture 5 Flashcards
What are some key qualities of nonce-based CBC?
The nonce is unique, and two keys are used (one to encrypt the nonce to create a unique IV, and one to do the rest of the encryption)
Why do you need to encrypt the nonce with an independent key in nonce-based CBC?
To prevent a CPA attack: a predictable IV will leak plaintext information
When is CBC padding needed?
When the message length is not a multiple of the block cipher's block length
What is the problem with CBC padding?
When the message already fills the last block, you need to pad a whole extra block so that during decryption the message doesn't get confused with padding (the dummy block is a major overhead)
Randomized CTR mode
Requires passing the IV to the PRF when generating the pseudorandom pad for increased randomization (no padding is needed either, since there is no fixed block length)
Nonce-based CTR mode
The IV in this case is made up of nonce + counter. Tradeoff: message length is constrained by how many counter values are available
CTR vs CBC
CTR allows parallel processing, doesn't need padding, and has a smaller error term, so the key has to be changed less often
Recap: examples of many-time key
Randomized CBC and randomized CTR mode
One-time key examples
Stream ciphers and deterministic CTR mode
Message authentication code (MAC)
Has a signing and verification algorithm (create and verify the tag)
If you verify a tag with the same key you signed with, it should return true
When is a MAC secure against CPA?
If Eve can't produce a valid tag for a new message or a new tag for the same message
How can MAC be used for protecting system files?
If the system gets hacked, you can recompute the tags to make sure the files have not been modified. To make sure files haven't been swapped around, you can include the filename in the tags.
Examples of MACs built from a PRF vs. MACs built from compression functions
CBC-MAC, NMAC, PMAC vs. HMAC
What makes a MAC insecure?
If the tag is too short, Eve can guess it easily. The output of the PRF needs to be large
NMAC
The key plus the first block of the message produces a ciphertext, which is fed into the next step as the key