Lecture 6 - Authenticated Encryption Flashcards
When is nonce-based encryption better than encryption with a random IV?
A nonce only has to be unique under a given key, not unpredictable, so it can be a counter or something both sides already know (a packet sequence number, for example). It then needs no source of randomness and does not have to be sent along with the ciphertext, which saves the bandwidth a random IV would cost. The price is that the nonce must never repeat under the same key; a repeated nonce breaks the scheme.
Merkle-Damgard Iterated Construction
A way to build a collision-resistant hash H on arbitrary-length messages out of a small compression function h on fixed-size blocks: pad the message (appending its length), start from a fixed IV, and chain h over the blocks, H_i = h(H_{i-1}, m_i); the final chaining value is the hash. The theorem behind it: if h is collision resistant, so is H, so all the security work goes into designing a small secure h.
Davies-Meyer
The standard way to build the compression function h inside Merkle-Damgard from a block cipher E: h(H, m) = E(m, H) XOR H, i.e. the message block is used as the cipher key and the chaining value is the plaintext being encrypted. Feeding the message in as the key is what makes it work: to find a collision the attacker has to control the key of an (ideal) cipher, and the best attack costs about 2^(n/2) evaluations of E for an n-bit block. Rearrangements such as E(m, H) XOR m are easily broken, so the exact form matters.
Collision Resistant Compression Functions
The E inside Davies-Meyer needs a large block. SHA-256 uses SHACAL-2, a 64-round block cipher with a 256-bit block and 512-bit key that is just the SHA-256 round function viewed as a cipher. AES is not used because its 128-bit block would give a 128-bit hash, and by the birthday bound a collision in a 128-bit hash takes only about 2^64 work, which is far too little.
Can you build a MAC directly from a Merkle-Damgard hash, e.g. tag = H(k || m), without relying on a separate PRF?
No, it is not secure. The tag H(k || m) is exactly the chaining state after hashing k || m || pad, so anyone who sees the tag (and knows the key length) can keep iterating the compression function and produce a valid tag for k || m || pad || m' without ever learning k. This length-extension attack is inherent to the plain Merkle-Damgard construction.
HMAC
HMAC builds a MAC out of a Merkle-Damgard hash H by hashing twice with two derived keys: HMAC(k, m) = H((k XOR opad) || H((k XOR ipad) || m)), where ipad and opad are fixed one-block constants (the byte 0x36 and the byte 0x5c repeated). The outer hash hides the inner chaining state, which is what stops the length-extension attack.
What are some key properties of HMAC?
It is built from a cryptographic hash function rather than a block cipher, so it runs at hash speed and needs no cipher implementation. It is a secure PRF as long as the hash's compression function is a PRF (that is the only assumption the proof needs), and in practice HMAC-SHA256 is treated as a secure PRF and used as one.
What is the HMAC verification timing attack?
If the verifier compares the received tag with the correct tag byte by byte and stops at the first mismatch, the time it takes leaks the length of the matching prefix: a guess whose first byte is right takes one comparison longer to reject than a guess whose first byte is wrong. Measuring that difference, an attacker recovers the tag one byte at a time (at most 256 queries per byte) and ends up with a valid tag for a message of their choice without ever knowing the key.
How can the verification timing attack on HMAC be avoided?
Either compare in constant time (a loop that always examines every byte, e.g. hmac.compare_digest), or hash both tags again before comparing: compute H(HMAC(k, m)) and H(tag received from the adversary) and check those for equality. The comparison may still leak how many leading bytes of the two hashes agree, but the attacker cannot turn that into the next byte of the tag, because changing any byte of the tag changes the whole hash and the attacker cannot invert H to choose a tag whose hash has a given prefix.
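An added example, not from the lecture, showing the attack and both fixes in Python. The verifier's byte-comparison count stands in for the response time an attacker would measure, since the leak comes from the early exit and not from the clock itself; KEY and the message are constructed values.

```python
import hashlib, hmac

KEY = b"server-secret-key"   # constructed; the attacker does not know it

def mac(msg):
    return hmac.new(KEY, msg, "sha256").digest()

def leaky_verify(msg, tag):
    """Byte-by-byte comparison with early exit.  Returns (accepted, work),
    where work counts the byte comparisons made and plays the role of the
    response time the attacker measures over the network."""
    expected = mac(msg)
    if len(tag) != len(expected):
        return False, 0
    work = 0
    for a, b in zip(expected, tag):
        work += 1
        if a != b:
            return False, work
    return True, work

def constant_time_verify(msg, tag):
    """Fix 1: compare_digest examines every byte regardless of mismatches."""
    return hmac.compare_digest(mac(msg), tag)

def rehash_verify(msg, tag):
    """Fix 2 (the lecture's): hash both tags, then compare with the same leaky
    loop.  The early exit now leaks a prefix of H(tag), and one changed byte of
    tag changes all of H(tag), so the attacker cannot steer the next byte."""
    a = hashlib.sha256(mac(msg)).digest()
    b = hashlib.sha256(tag).digest()
    work = 0
    for x, y in zip(a, b):
        work += 1
        if x != y:
            return False, work
    return True, work

def recover_tag(verify, msg, tag_len=32):
    """Attacker: forge a tag for msg without KEY, using only the timing oracle.
    For each position try every byte value and keep the one that makes the
    verifier work longest."""
    guess = bytearray(tag_len)
    for pos in range(tag_len):
        best_byte, best_work = 0, -1
        for b in range(256):
            guess[pos] = b
            accepted, work = verify(msg, bytes(guess))
            if accepted:
                return bytes(guess)
            if work > best_work:
                best_byte, best_work = b, work
        guess[pos] = best_byte
    return bytes(guess)
```

Against leaky_verify, recover_tag needs at most 32 * 256 queries to produce the real tag; against rehash_verify the same loop just collects noise, because the "longest" guess at each position says nothing about the tag byte that belongs there. Over a real network the attacker averages many measurements per guess to beat jitter, but the principle is the same.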
What are the benefits of a Merkle hash tree?
It commits to a large collection of data with a single short root hash: anyone holding the root can check the integrity and validity of any item, the party storing the data keeps only the tree of hashes on top of it (little extra memory), and proving that an item belongs to the collection requires sending only O(log n) hashes over the network rather than the whole data set.
What are the two types of verification with a Merkle tree?
Inclusion (audit) verification: is this data item in the tree with this root? The proof is the list of sibling hashes on the path from the leaf up to the root. Consistency verification: is the tree with the new root an append-only extension of the tree with the old root, i.e. was data only added and nothing changed or removed? These are the two proofs an append-only log such as Certificate Transparency serves.
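An added example in Python (not from the lecture) of both proofs: a Merkle tree using the RFC 6962 hashing conventions, an inclusion proof, and a consistency proof. The consistency verifier mirrors the proof generator recursively rather than using the RFC's iterative algorithm; that is our own design choice. The leaf data are constructed.

```python
import hashlib

# RFC 6962 conventions: leaves and interior nodes get different prefixes so a
# leaf can never be passed off as an interior node (second-preimage defence).
def leaf_hash(data):
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n):
    """Largest power of two strictly less than n (n >= 2)."""
    return 1 << ((n - 1).bit_length() - 1)

def root(leaves):
    """Merkle tree hash over a list of leaves."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(leaves[0])
    k = _split(n)
    return node_hash(root(leaves[:k]), root(leaves[k:]))

def inclusion_proof(leaves, idx):
    """Audit path for leaves[idx]: sibling hashes from the leaf up to the root,
    each tagged with the side the sibling sits on."""
    n = len(leaves)
    if n == 1:
        return []
    k = _split(n)
    if idx < k:
        return inclusion_proof(leaves[:k], idx) + [("R", root(leaves[k:]))]
    return inclusion_proof(leaves[k:], idx - k) + [("L", root(leaves[:k]))]

def verify_inclusion(data, proof, expected_root):
    h = leaf_hash(data)
    for side, sibling in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == expected_root

def consistency_proof(leaves, m):
    """Proof that the tree over leaves[:m] is a prefix of the tree over all
    leaves (RFC 6962 PROOF/SUBPROOF).  `known` means the verifier already
    holds the hash of this subtree (it is the old root)."""
    def sub(lo, hi, m, known):
        n = hi - lo
        if m == n:
            return [] if known else [root(leaves[lo:hi])]
        k = _split(n)
        if m <= k:
            return sub(lo, lo + k, m, known) + [root(leaves[lo + k:hi])]
        return sub(lo + k, hi, m - k, False) + [root(leaves[lo:lo + k])]
    return sub(0, len(leaves), m, True)

def verify_consistency(m, n, old_root, new_root, proof):
    """Recompute both the old and the new root from the proof, consuming it in
    the order consistency_proof() emits it; every hash must be accounted for."""
    if not 0 < m <= n:
        return False
    if m == n:
        return list(proof) == [] and old_root == new_root
    proof = list(proof)
    def take():
        if not proof:
            raise ValueError("proof too short")
        return proof.pop(0)
    def rec(m, n, known):            # returns (old subtree hash, new subtree hash)
        if m == n:
            h = old_root if known else take()
            return h, h
        k = _split(n)
        if m <= k:                   # old leaves all lie in the left subtree
            old_l, new_l = rec(m, k, known)
            return old_l, node_hash(new_l, take())
        old_r, new_r = rec(m - k, n - k, False)
        left = take()                # shared complete left subtree
        return node_hash(left, old_r), node_hash(left, new_r)
    try:
        o, nw = rec(m, n, True)
    except ValueError:
        return False
    return not proof and o == old_root and nw == new_root
```

Both proofs are O(log n) hashes: a 1000-leaf tree yields a 10-hash inclusion proof, and a log with a million entries needs about 20. A client that stores only the roots it has seen can therefore audit every entry it cares about and confirm the log never rewrote history, without downloading the log.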
What is the benefit of authenticated encryption?
It provides confidentiality and integrity together: the ciphertext cannot be read, and any modification of it is detected because decryption rejects it. That is what nearly every application actually needs, so it should be the default rather than encryption alone.
When is an authenticated encryption scheme (E, D) considered secure?
When it is semantically secure under a chosen-plaintext attack and has ciphertext integrity: an attacker with access to an encryption oracle cannot produce any new ciphertext (one the oracle did not return) that D accepts instead of rejecting. Together these imply security against chosen-ciphertext attacks as well.
Would CBC with a random IV provide authenticated encryption?
No. CBC decryption never rejects: every string decrypts to some plaintext, and D has no distinguished reject symbol (usually written ⊥) that it outputs for a bad ciphertext. So any ciphertext the attacker makes up is accepted, the scheme has no ciphertext integrity, and it is not authenticated encryption even though it is CPA secure.
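An added example (not from the lecture) making the rejection point concrete in Python. CTR mode over a PRF is CPA secure but, like CBC, never rejects, so flipping one ciphertext bit flips the matching plaintext bit and decryption still "succeeds". Wrapping it in Encrypt-then-MAC with HMAC-SHA256 gives ciphertext integrity, and decryption returns None as the reject symbol. HMAC-SHA256 stands in for the PRF only so the example runs on the standard library; a real system would use a block cipher such as AES. Keys, nonce and message are constructed.

```python
import hmac, os, struct

def prf(key, nonce, counter):
    """Stand-in PRF F(k, nonce || counter); a block cipher would be used here."""
    return hmac.new(key, nonce + struct.pack(">Q", counter), "sha256").digest()

def ctr_encrypt(key, nonce, plaintext):
    """CTR mode with a 16-byte nonce: CPA secure, but provides NO integrity
    and never rejects.  The nonce must be unique per key."""
    out = bytearray()
    for i in range(0, len(plaintext), 32):
        keystream = prf(key, nonce, i // 32)
        out += bytes(p ^ k for p, k in zip(plaintext[i:i + 32], keystream))
    return bytes(out)

ctr_decrypt = ctr_encrypt   # XOR with the same keystream

def ae_encrypt(k_enc, k_mac, nonce, plaintext):
    """Encrypt-then-MAC; the tag covers nonce || ciphertext."""
    ct = ctr_encrypt(k_enc, nonce, plaintext)
    tag = hmac.new(k_mac, nonce + ct, "sha256").digest()
    return nonce + ct + tag

def ae_decrypt(k_enc, k_mac, blob):
    """Returns the plaintext, or None (the reject symbol) if the tag fails."""
    if len(blob) < 16 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(k_mac, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return ctr_decrypt(k_enc, nonce, ct)

def flip_bit(data, byte_index, bit):
    b = bytearray(data)
    b[byte_index] ^= 1 << bit
    return bytes(b)

def demo(msg=b"transfer $100 to alice"):
    """Constructed scenario: the attacker turns the '1' (0x31) in $100 into a
    '3' (0x33) by flipping bit 1 of the corresponding ciphertext byte."""
    k_enc, k_mac, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    pos = msg.index(b"1")
    # 1. CTR alone: the tampered ciphertext decrypts without complaint.
    ct = ctr_encrypt(k_enc, nonce, msg)
    forged_plaintext = ctr_decrypt(k_enc, nonce, flip_bit(ct, pos, 1))
    # 2. Encrypt-then-MAC: the same tampering is rejected (None).
    blob = ae_encrypt(k_enc, k_mac, nonce, msg)
    honest = ae_decrypt(k_enc, k_mac, blob)
    tampered = ae_decrypt(k_enc, k_mac, flip_bit(blob, 16 + pos, 1))
    return forged_plaintext, honest, tampered
```

The same test would fail for CBC in the same way: there the bit flip lands in the following block and garbles the block it is in, but decryption still returns a plaintext rather than ⊥. Note also what Encrypt-then-MAC does not give you: a replay of the original blob decrypts fine, and ae_decrypt says nothing about how long it takes, which are exactly the limitations listed next.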
What are some limitations of authenticated encryption?
It does not prevent replay attacks on its own: a captured valid ciphertext can be resent and decrypts correctly, so the application must add sequence numbers or timestamps (as associated data, for instance) and reject repeats. The security definition also says nothing about side channels: an implementation that meets it can still leak the key or plaintext through timing (how long decryption or tag checking takes) or other physical channels.