On the Selective-Opening Security of DHIES
1 On the Selective-Opening Security of DHIES and other practical encryption schemes UbiCrypt Research Retreat, Schloss Raesfeld: 29.& 30. Sep Felix Heuer, Tibor Jager, Eike Kiltz, Sven Schäge Horst Görtz Institute for IT Security Ruhr University Bochum
2 1. Selective-Opening Security 2. DHIES 3. DHIES is SIM-SO-CPA secure 4. Results
SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16
3 Selective-Opening Attacks
c_1 = Enc_pk(m_1; r_1), c_2 = Enc_pk(m_2; r_2), ..., c_n = Enc_pk(m_n; r_n)
[Figure: ciphertexts c_1, c_2, ..., c_n and the secret key sk. Image source: xkcd.com]
5 SIM-SO-CPA security definition: real game
Challenger: (pk, sk) ←$ Gen(1^κ); sends pk to A.
A: chooses a distribution dist.
Challenger: (m_1, ..., m_n) ← dist, messages in {0,1}^l; (r_1, ..., r_n) ←$ R; c_i := Enc_pk(m_i; r_i); sends (c_1, ..., c_n) to A.
A: queries Open(i). Challenger: I := I ∪ {i}; returns (m_i, r_i).
A: computes output out_A.
Output: (m_1, ..., m_n, dist, I, out_A)
6 SIM-SO-CPA security definition: ideal game
Challenger: (pk, sk) ←$ Gen(1^κ); sends pk to S.
S: chooses a distribution dist.
Challenger: (m_1, ..., m_n) ← dist, messages in {0,1}^l; (r_1, ..., r_n) ←$ R; c_i := Enc_pk(m_i; r_i); sends (c_1, ..., c_n) to S.
S: queries Open(i). Challenger: I := I ∪ {i}; returns (m_i, r_i).
S: computes output out_S.
Output: (m_1, ..., m_n, dist, I, out_S)
9 SIM-SO-CPA security definition: ideal game
S: chooses a distribution dist.
Challenger: (m_1, ..., m_n) ← dist, messages in {0,1}^l.
S: queries Open(i). Challenger: I := I ∪ {i}; returns m_i.
S: computes output out_S.
Output: (m_1, ..., m_n, dist, I, out_S)
10 SIM-SO-CPA security definition
Definition 1 (SIM-SO-CPA security): Let PKE be a public key encryption scheme. PKE is SIM-SO-CPA secure if for every PPT adversary A there exists a PPT simulator S := S(A) such that the distributions induced by A run in the real game and S run in the ideal game are computationally indistinguishable.
15 DHIES
Let g be a generator of a group of size p, {0,1}^l a message space and H : ⟨g⟩ → {0,1}^l a hash function.
Gen: x ←$ Z_p; X := g^x; pk := (g, p, X, H); sk := x; return pk.
Enc_pk(m): r ←$ Z_p; c_1 := g^r; c_2 := H(X^r) ⊕ m; return (c_1, c_2).
Dec_sk(c_1, c_2): return H(c_1^x) ⊕ c_2.
Notice that we have to provide A oracle access to H.
16 SIM-SO-CPA security game for DHIES: real game
Challenger: (pk, sk) ←$ Gen(1^κ); (r_1, ..., r_n) ←$ R; sends pk = (g, p, X) to A.
A: may query Hash(h) and receives H(h); chooses a distribution dist.
Challenger: (m_1, ..., m_n) ← dist, messages in {0,1}^l; c_i := (g^{r_i}, H(X^{r_i}) ⊕ m_i); sends (c_1, ..., c_n) to A.
A: queries Open(i) or Hash(h). Challenger: on Open(i), I := I ∪ {i}; returns (m_i, r_i) or H(h).
A: computes output out_A.
Output: (m_1, ..., m_n, dist, I, out_A)
Notice that we sample r_i in advance.
18 Theorem 2: The DHIES encryption scheme is SIM-SO-CPA secure in the random oracle model if the CDH assumption holds.
[Figure: real game with A; ideal game with S running A.]
Usual idea: Proceed in a sequence of games until a simulator can take over and run A on its own.
19 Our approach: We try to construct a simulator right away to see where we run into pitfalls.
21 Proof. Ideal game with S running A:
Ideal game: m_i ← dist, m_i ∈ {0,1}^l; on Open(i) from S: I := I ∪ {i}, returns m_i. Output: (m_i, dist, I, out_A).
S: (pk, sk) ←$ Gen(1^κ); (r_1, ..., r_n) ←$ R; sends pk = (g, p, X) to A; c_i := (g^{r_i}, H(X^{r_i}) ⊕ m_i); sends (c_1, ..., c_n) to A; answers Open(i) or Hash(h) with (m_i, r_i) or H(h); out_S is A's output out_A.
A: queries Hash(h) and Open(i); outputs out_A.
Step 1) Make H(X^{r_i}) ⊕ m_i uniformly random.
24 Proof. Step 1) Make H(X^{r_i}) ⊕ m_i uniformly random.
Abort condition (earlyAbort): We abort A if A should query some H(X^{r_i}) before sending dist. Pr[earlyAbort] ≤ negl.
Statistical argument suffices.
26 Proof. Step 2) Change encryption. Ideal game with S running A:
Ideal game: m_i ← dist, m_i ∈ {0,1}^l; on Open(i) from S: I := I ∪ {i}, returns m_i. Output: (m_i, dist, I, out_A).
S: (pk, sk) ←$ Gen(1^κ); (r_1, ..., r_n) ←$ R; sends pk = (g, p, X) to A; $_i ←$ {0,1}^l; c_i := (g^{r_i}, $_i); sends (c_1, ..., c_n) to A; answers Open(i) or Hash(h) with (m_i, r_i) or H(h); out_S is A's output out_A.
A: queries Hash(h) and Open(i); outputs out_A.
27 Proof. Step 3) How to process Hash(X^{r_i}) queries?
28 Proof. Case 1) A called Open(i) before querying Hash(X^{r_i}).
S: on Open(i) from A, calls Open(i) in the ideal game and receives m_i; sets H(X^{r_i}) := m_i ⊕ $_i; returns (m_i, r_i) to A.
31 Proof. Case 2) A did not call Open(i) before querying Hash(X^{r_i}). S can neither call Open(i) nor answer A's query.
32 Proof. Abort condition (AbortH): We abort A if A calls H(X^{r_i}) and did not call Open(i) before. Pr[AbortH] ≤ negl.
37 Proof. Reduction to CDH:
CDH challenger: g, p; u, v ←$ Z_p; U := g^u; V := g^v; sends U, V to the reduction.
Reduction: sends g, p, U to A; c_i := (g^{r_i}, $_i); i ←$ [n], j ←$ [q_h]; c_i := (V, $_i); sends (c_1, ..., c_n) to A; answers Open(i)/Hash(h) with (m_i, r_i)/H(h); aborts on the j-th query Hash(U^{r_i}) and returns U^{r_i} to the CDH challenger.
We have to hide our own challenge in the right ciphertext: 1/n.
Have to abort on the right query: 1/q_h.
Pr[AbortH] ≤ n · q_h · Adv^CDH_g(B)
38 Proof. Ideal game with S running A:
Ideal game: m_i ← dist, m_i ∈ {0,1}^l; on Open(i) from S: I := I ∪ {i}, returns m_i. Output: (m_i, dist, I, out_A).
S: (pk, sk) ←$ Gen(1^κ); (r_1, ..., r_n) ←$ R; sends pk = (g, p, X) to A; $_i ←$ {0,1}^l; c_i := (g^{r_i}, $_i); sends (c_1, ..., c_n) to A; answers Hash(h) with H(h); on Open(i) from A, calls Open(i), receives m_i, sets H(X^{r_i}) := m_i ⊕ $_i and returns (m_i, r_i); out_S is A's output out_A.
A: queries Hash(h) and Open(i); outputs out_A.
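The simulator's handling of Open(i) and Hash(h) from the proof above, as an added Python example that is not part of the original slides. The toy group (MOD, P, G), the 16-byte message length and all class and function names are assumptions chosen for illustration; the group is far too small for real use.

```python
import random

# Toy group, constructed for illustration only (far too small for real use):
# MOD = 2*P + 1 is a safe prime and G = 4 generates the subgroup of prime order P.
MOD, P, G = 2039, 1019, 4
MSG_LEN = 16  # message space {0,1}^l with l = 128 bits


class AbortH(Exception):
    """A queried Hash(X^{r_i}) without having called Open(i) first."""


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(s ^ t for s, t in zip(a, b))


class Simulator:
    """S from the proof: random c_2 components, H programmed on Open(i)."""

    def __init__(self, n: int, rng: random.Random):
        self.rng = rng
        self.x = rng.randrange(1, P)           # sk := x
        self.X = pow(G, self.x, MOD)           # X := g^x, part of pk
        # r_i are sampled in advance; drawn distinct here so the toy group
        # cannot yield two ciphertexts with the same X^{r_i}.
        self.r = rng.sample(range(1, P), n)
        self.pad = [self.rand_bytes() for _ in range(n)]   # the strings $_i
        self.table = {}                        # lazily sampled random oracle H
        self.opened = set()                    # the set I
        self.index_of = {pow(self.X, r, MOD): i for i, r in enumerate(self.r)}

    def rand_bytes(self) -> bytes:
        return self.rng.getrandbits(8 * MSG_LEN).to_bytes(MSG_LEN, "big")

    def ciphertexts(self):
        """c_i := (g^{r_i}, $_i), independent of every message."""
        return [(pow(G, r, MOD), pad) for r, pad in zip(self.r, self.pad)]

    def hash_query(self, h: int) -> bytes:
        """Answer A's Hash(h) query."""
        i = self.index_of.get(h)
        if i is not None and i not in self.opened:
            raise AbortH(i)                    # Case 2: S cannot answer
        if h not in self.table:
            self.table[h] = self.rand_bytes()
        return self.table[h]

    def open(self, i: int, m_i: bytes):
        """Answer A's Open(i); m_i is what the ideal game returned to S."""
        self.opened.add(i)
        key = pow(self.X, self.r[i], MOD)
        self.table[key] = xor(m_i, self.pad[i])   # H(X^{r_i}) := m_i XOR $_i
        return m_i, self.r[i]


def opening_is_consistent(sim: Simulator, c, m: bytes, r: int) -> bool:
    """A's check: does (m, r) re-encrypt to c under pk and the oracle H?"""
    c1, c2 = c
    pad = sim.hash_query(pow(sim.X, r, MOD))
    return c1 == pow(G, r, MOD) and c2 == xor(pad, m)


def decrypt(sim: Simulator, c) -> bytes:
    """Dec_sk(c_1, c_2) = H(c_1^x) XOR c_2, with H answered by S."""
    c1, c2 = c
    return xor(sim.hash_query(pow(c1, sim.x, MOD)), c2)


def demo():
    rng = random.Random(2014)                  # fixed seed: repeatable run
    sim = Simulator(3, rng)
    cts = sim.ciphertexts()                    # sent before any m_i is known
    m1 = b"constructed msg1"                   # constructed 16-byte message
    m, r = sim.open(1, m1)                     # Case 1: Open(1), then Hash
    ok = opening_is_consistent(sim, cts[1], m, r)
    try:
        sim.hash_query(pow(sim.X, sim.r[0], MOD))   # Case 2 for index 0
        aborted = False
    except AbortH:
        aborted = True
    return ok, decrypt(sim, cts[1]) == m1, aborted


if __name__ == "__main__":
    print(demo())
```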
43 Results
DHIES is SIM-SO-CPA secure in the ROM.
Actually, DHIES is SIM-SO-CCA secure in the ROM.
Actually, there is a well-known transformation, OW-CPA KEM + SUF-CMA MAC → IND-CCA PKE, which we can prove to achieve SIM-SO-CCA security in the ROM without additional assumptions.
Actually, we (Jager, Schäge) can prove the widely used RSA-OAEP to be SIM-SO-CCA secure in the ROM as well.
SIM-SO-CCA security for free in the ROM. [Image source: xkcd.com]
44 Many thanks for your attention! QUESTIONS?
Oblivious Transfer (OT) and OT Extension School on Secure Multiparty Computation Arpita Patra Arpita Patra Roadmap o Oblivious Transfer - Construction from `special PKE o OT Extension - IKNP OT extension
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationA Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM
A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM Paulo S. L. M. Barreto Bernardo David Rafael Dowsley Kirill Morozov Anderson C. A. Nascimento Abstract Oblivious Transfer
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationJohn Hancock enters the 21th century Digital signature schemes. Table of contents
John Hancock enters the 21th century Digital signature schemes Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents From last time: Good news and bad There
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationEncryption Schemes Secure Against Chosen-Ciphertext Selective Opening Attacks
Encryption Schemes Secure Against Chosen-Ciphertext Selective Opening Attacks Serge Fehr 1 and Dennis Hofheinz 2 and Eike Kiltz 1 and Hoeteck Wee 3 1 CWI, Amsterdam 2 Karlsruhe Institute of Technology
More informationA Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
More informationarxiv: v2 [cs.cr] 14 Feb 2018
Code-based Key Encapsulation from McEliece s Cryptosystem Edoardo Persichetti arxiv:1706.06306v2 [cs.cr] 14 Feb 2018 Florida Atlantic University Abstract. In this paper we show that it is possible to extend
More informationChosen-Ciphertext Secure Key-Encapsulation Based on Gap Hashed Diffie-Hellman
A preliminary version of this paper appears in the proceedings of the 10th International Workshop on Practice and Theory in Public Key Cryptography, PKC 2007, Lecture Notes in Computer Science Vol.???,
More informationG /G Advanced Cryptography November 11, Lecture 10. defined Adaptive Soundness and Adaptive Zero Knowledge
G22.3220-001/G63.2180 Advanced Cryptography November 11, 2009 Lecture 10 Lecturer: Yevgeniy Dodis Scribe: Adriana Lopez Last time we: defined Adaptive Soundness and Adaptive Zero Knowledge defined Unbounded
More informationStronger Public Key Encryption Schemes
Stronger Public Key Encryption Schemes Withstanding RAM Scraper Like Attacks Prof. C.Pandu Rangan Professor, Indian Institute of Technology - Madras, Chennai, India-600036. C.Pandu Rangan (IIT Madras)
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationPublic-Key Encryption with Simulation-Based Selective-Opening Security and Compact Ciphertexts
Public-Key Encryption with Simulation-Based Selective-Opening Security and Compact Ciphertexts Dennis Hofheinz 1, Tibor Jager 2, and Andy Rupp 1 1 Karlsruhe Institute of Technology, Germany {dennis.hofheinz,andy.rupp}@kit.edu
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2010-2011 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: October 11th 2010 1 / 61 Last Time (I) Security
More informationConstructions Secure against Receiver Selective Opening and Chosen Ciphertext Attacks
Constructions Secure against Receiver Selective Opening and Chosen Ciphertext Attacks Dingding Jia 1,2, Xianhui Lu 1,2, and Bao Li 1,2 1 State Key Laboratory of Information Security, Institute of Information
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationPractice Exam Winter 2018, CS 485/585 Crypto March 14, 2018
Practice Exam Name: Winter 2018, CS 485/585 Crypto March 14, 2018 Portland State University Prof. Fang Song Instructions This exam contains 8 pages (including this cover page) and 5 questions. Total of
More informationCONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS
CONSRUCIONS SECURE AGAINS RECEIVER SELECIVE OPENING AND CHOSEN CIPHEREX AACKS Dingding Jia, Xianhui Lu, Bao Li jiadingding@iie.ac.cn C-RSA 2017 02-17 Outline Background Motivation Our contribution Existence:
More informationSimulation-based Selective Opening CCA Security for PKE from Key Encapsulation Mechanisms
Simulation-based Selective Opening CCA Security for PKE from Key Encapsulation Mechanisms Shengli Liu 1 and Kenneth G. Paterson 2 1 Department of Computer Science and Engineering, Shanghai Jiao Tong University,
More informationTighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More informationTightly SIM-SO-CCA Secure Public Key Encryption from Standard Assumptions
Tightly SIM-SO-CCA Secure Public Key Encryption from Standard Assumptions Lin Lyu 1,2, Shengli Liu 1,2,3( ), Shuai Han 1,2,4, and Dawu Gu 5,1 1 Dept. of Computer Science and Engineering, Shanghai Jiao
More informationKDM-CCA Security from RKA Secure Authenticated Encryption
KDM-CCA Security from RKA Secure Authenticated Encryption Xianhui Lu 1,2, Bao Li 1,2, Dingding Jia 1,2 1. Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing,
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More informationNotes on Property-Preserving Encryption
Notes on Property-Preserving Encryption The first type of specialized encryption scheme that can be used in secure outsourced storage we will look at is property-preserving encryption. This is encryption
More informationMTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R
More informationNon-Adaptive Programmability of Random Oracle
Non-Adaptive Programmability of Random Oracle Rishiraj Bhattacharyya Pratyay Mukherjee Abstract Random Oracles serve as an important heuristic for proving security of many popular and important cryptographic
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018
Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationOn The Security of The ElGamal Encryption Scheme and Damgård s Variant
On The Security of The ElGamal Encryption Scheme and Damgård s Variant J. Wu and D.R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada {j32wu,dstinson}@uwaterloo.ca
More information