# Cryptography COMP3077


$$\begin{array}{ccc} \text{Alice} & & \text{Bob} \\ a & \stackrel{[a]G}{\longrightarrow} & [a]G \\ [b]G & \stackrel{[b]G}{\longleftarrow} & b \end{array}$$
Alice can now compute
$$K_{A}=[a]([b] G)=[a b] G$$
and Bob can now compute
$$K_{B}=[b]([a] G)=[a b] G .$$

## COMP3077 COURSE NOTES:

INPUT: Message $m$ and public key $Y$.
OUTPUT: The ciphertext $(U, c, r)$.

1. Choose $k \in_R \{1, \ldots, q-1\}$.
2. $U \leftarrow [k]G$ (the ephemeral public value sent to the recipient).
3. $T \leftarrow [k]Y$ (the shared point; it is never transmitted).
4. $(k_1 \,\|\, k_2) \leftarrow KD(T, l)$, where $KD$ is a key derivation function producing $l$ bits split into an encryption key $k_1$ and a MAC key $k_2$.
5. Encrypt the message, $c \leftarrow E_{k_1}(m)$.
6. Compute the MAC on the ciphertext, $r \leftarrow MAC_{k_2}(c)$.
7. Output $(U, c, r)$.
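The following is an added example, not code from the COMP3077 notes, that runs the ECDH exchange above and the seven encryption steps end to end, and adds the recipient's side (which the notes do not list): the recipient with private key $x$ and public key $Y = [x]G$ recovers $T = [x]U = [x]([k]G) = [k]Y$, re-derives $k_1 \,\|\, k_2$, checks the MAC, and only then decrypts. Assumptions made here because the notes fix none of them: the curve is secp256k1; $KD$ is SHA-512 over the x-coordinate of $T$; $E_{k_1}$ is a SHA-256 counter-mode keystream XORed into the message (the Python standard library has no block cipher, so this stands in for the generic $E$); $MAC_{k_2}$ is HMAC-SHA256. The scalar multiplication is textbook double-and-add and is not constant time.

```python
"""ECIES-style hybrid encryption (U, c, r) = ([k]G, E_k1(m), MAC_k2(c)).

Added example, not from the course notes.  Assumptions: secp256k1 as the
curve; KD = SHA-512 over the x-coordinate of T, split into k1 || k2;
E = SHA-256 counter-mode keystream XOR (stand-in for a real cipher);
MAC = HMAC-SHA256.  Y = [x]G is the recipient's public key.
"""
import hashlib
import hmac
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over F_p, base point G of prime order Q
P = 2**256 - 2**32 - 977
A = 0
B = 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INF = None  # point at infinity (group identity)


def point_add(p1, p2):
    """Affine point addition on the curve; INF is the identity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """[k]point by left-to-right double-and-add (NOT constant time: demo only)."""
    result = INF
    for bit in bin(k)[2:]:
        result = point_add(result, result)
        if bit == "1":
            result = point_add(result, point)
    return result


def kd(t, length):
    """KD(T, l): derive `length` bytes from the shared point T (assumed construction)."""
    x_bytes = t[0].to_bytes(32, "big")
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha512(x_bytes + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def keystream_xor(key, data):
    """Stand-in for E_k1 / D_k1: SHA-256 counter-mode keystream XORed into data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(d ^ s for d, s in zip(data[i:i + 32], block))
    return bytes(out)


def keygen():
    """Recipient key pair: private x in {1,...,Q-1}, public Y = [x]G."""
    x = secrets.randbelow(Q - 1) + 1
    return x, scalar_mult(x, G)


def encrypt(m, y_pub, k=None):
    """Steps 1-7 of the notes.  k may be fixed only for reproducible tests."""
    if k is None:
        k = secrets.randbelow(Q - 1) + 1          # 1. k in_R {1,...,q-1}
    u = scalar_mult(k, G)                         # 2. U <- [k]G
    t = scalar_mult(k, y_pub)                     # 3. T <- [k]Y
    keys = kd(t, 64)                              # 4. (k1 || k2) <- KD(T, l)
    k1, k2 = keys[:32], keys[32:]
    c = keystream_xor(k1, m)                      # 5. c <- E_k1(m)
    r = hmac.new(k2, c, hashlib.sha256).digest()  # 6. r <- MAC_k2(c)
    return u, c, r                                # 7. output (U, c, r)


def decrypt(ciphertext, x_priv):
    """Recipient side: T = [x]U, re-derive keys, verify MAC, then decrypt."""
    u, c, r = ciphertext
    t = scalar_mult(x_priv, u)                    # [x]([k]G) = [k]([x]G) = [k]Y
    keys = kd(t, 64)
    k1, k2 = keys[:32], keys[32:]
    if not hmac.compare_digest(r, hmac.new(k2, c, hashlib.sha256).digest()):
        return None                               # reject modified ciphertext
    return keystream_xor(k1, c)
```

`decrypt` checks the MAC before touching the ciphertext and returns `None` on failure, which is the property the encrypt-then-MAC ordering of steps 5 and 6 is there to provide; `scalar_mult(Q, G)` returning the point at infinity is a quick sanity check on the curve constants.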

# Cryptography | CM30173 Cryptography


There are various solutions that students might put forward. They should note the requirement for Diffie-Hellman key exchange and the assumption that attackers cannot currently broadcast, so that no man-in-the-middle attack can take place. They should note that there is no way to avoid making this assumption, and may even conclude that it increases risk to trust a system where this is a fundamental issue, and that management should wait until summer.

• $\mathcal{P}=\mathcal{C}=\mathbb{Z}_{2}$
• $\mathcal{K}=\mathbb{Z}_{2}$ and we generate a keystream $k_{1} k_{2} k_{3} \ldots$ with $k_{i} \in \mathcal{K}$.
• We encrypt plaintext $x=x_{1} x_{2} x_{3} \ldots$ with the keystream thus
$$e_{k_{i}}\left(x_{i}\right)=\left(x_{i}+k_{i}\right) \bmod 2$$
(the exclusive-or of $x_{i}$ and $k_{i}$; this is also written $x_{i} \oplus k_{i}$) and decrypt
$$d_{k_{i}}\left(y_{i}\right)=\left(y_{i}+k_{i}\right) \bmod 2$$

## CM30173 COURSE NOTES:

We can use the cipher block chaining (CBC) mode of a block cipher with a fixed public $IV$ to create a MAC.
CBC mode takes a message $x=x_{1} x_{2} \ldots x_{n}$ split into blocks and calculates
$$\begin{aligned} y_{0} &= IV \\ y_{i} &= e_{k}\left(y_{i-1} \oplus x_{i}\right) \quad i \geq 1 \end{aligned}$$
This idea is adapted to form CBC-MAC by carrying out the same series of calculations but only returning the output of the last iteration:
Inputs: $x$, key $k$, a block cipher such as DES
$$y_{0}=IV=00 \ldots 0$$
for $i$ from 1 to $n$ do
$$y_{i}=e_{k}^{\mathrm{DES}}\left(y_{i-1} \oplus x_{i}\right)$$
end do
return $y_{n}$
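The CBC-MAC loop above, as an added example that is not part of the CM30173 notes, together with the caveat a practitioner needs: raw CBC-MAC is only secure when all messages have the same fixed number of blocks. Because the returned tag is exactly the chaining state after the last block, anyone holding two valid pairs $(x, t)$ and $(x', t')$ can forge the tag of $x \,\|\, (x'_1 \oplus t) \,\|\, x'_2 \ldots x'_m$: the chain re-enters state $t$, the XOR cancels it, and the remaining computation is identical to that for $x'$, so the tag is $t'$. No key is needed. The usual fixes are to fix the message length, to prepend the length as the first block, or to post-process the final block under a second key (EMAC) or use CMAC. Assumption: the standard library has no DES, so $e_k$ is a stand-in keyed 8-byte function built from HMAC-SHA256; the forgery depends only on $e_k$ being deterministic, so the argument is unchanged. Messages are taken to be whole 8-byte blocks, as the notes do.

```python
"""CBC-MAC (IV = 0, return last block) and the length-extension forgery
against it.  Added example, not from the course notes.  Assumption: e_k is a
stand-in for DES built from HMAC-SHA256 truncated to the 8-byte DES block.
"""
import hashlib
import hmac
import secrets

BLOCK = 8  # DES block size in bytes


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def e_k(key, block):
    """Stand-in for e_k^DES: deterministic keyed map on 8-byte blocks (assumption)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cbc_mac(key, x):
    """y_0 = 00...0; y_i = e_k(y_{i-1} xor x_i); return y_n."""
    if len(x) % BLOCK:
        raise ValueError("message must be a whole number of blocks")
    y = bytes(BLOCK)  # IV = 00...0
    for i in range(0, len(x), BLOCK):
        y = e_k(key, xor_bytes(y, x[i:i + BLOCK]))
    return y


def forge(x, tag_x, x2, tag_x2):
    """Given valid (x, tag_x) and (x2, tag_x2) under the same unknown key,
    return (x || (x2_1 xor tag_x) || x2_2 ... , tag_x2): a new message with a
    valid tag.  After absorbing x the chain state is tag_x; the next input to
    e_k is tag_x xor (x2_1 xor tag_x) = x2_1, so the chain then follows x2's
    computation exactly and ends at tag_x2."""
    first = xor_bytes(x2[:BLOCK], tag_x)
    return x + first + x2[BLOCK:], tag_x2


def demo():
    """Constructed sample: two signed messages, one forged without the key."""
    key = secrets.token_bytes(16)
    x = b"PAY $100" + b"TO ALICE"     # two 8-byte blocks (constructed sample)
    x2 = b"PAY $999" + b"TO MALRY"    # two 8-byte blocks (constructed sample)
    t1, t2 = cbc_mac(key, x), cbc_mac(key, x2)
    forged, forged_tag = forge(x, t1, x2, t2)
    return cbc_mac(key, forged) == forged_tag and forged not in (x, x2)
```

`forge` never sees the key; `demo` shows a verifier that accepts variable-length messages under raw CBC-MAC accepting the forged four-block message with the tag of `x2`.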