from Standard Lattice Assumptions
|
|
- Myles McDowell
- 5 years ago
- Views:
Transcription
1 Watermarking Cryptographic Functionalities from Standard Lattice Assumptions Sam Kim and David J. Wu Stanford University
2 Digital Watermarking CRYPTO CRYPTO CRYPTO Often used to identify owner of content and prevent unauthorized distribution CRYPTO
3 Digital Watermarking CRYPTO CRYPTO CRYPTO CRYPTO Content is (mostly) viewable
4 Digital Watermarking CRYPTO CRYPTO CRYPTO CRYPTO Content is (mostly) viewable Watermark difficult to remove (without destroying the image)
5 Watermarking Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17] CRYPTO Embed a mark within a program If mark is removed, then program is corrupted Three algorithms: Setup 1 λ wsk: Samples the watermarking secret key wsk Mark wsk, C C : Takes a circuit C and outputs a marked circuit C Verify wsk, C 0,1 : Tests whether a circuit C is marked or not
6 Watermarking Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17] Extends to setting where watermark can be an (arbitrary) string: CRYPTO Embed a Marking mark within algorithm a takes a message If mark is removed, then program Verification algorithm either outputs a message program or (to is corrupted denote the program is not watermarked) [See paper for full details] Three algorithms: Setup 1 λ wsk: Samples the watermarking secret key wsk Mark wsk, C C : Takes a circuit C and outputs a marked circuit C Verify wsk, C 0,1 : Tests whether a circuit C is marked or not
7 Watermarking Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17] Mark CRYPTO Functionality-preserving: On input a program (modeled as a Boolean circuit C), the Mark algorithm outputs a circuit C where C x = C (x) on all but a negligible fraction of inputs x
8 Watermarking Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17] Mark Perfect functionality-preserving impossible assuming program obfuscation [BGIRSVY12] CRYPTO Functionality-preserving: On input a program (modeled as a Boolean circuit C), the Mark algorithm outputs a circuit C where C x = C (x) on all but a negligible fraction of inputs x
9 Watermarking Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17] Adversary has complete flexibility in crafting C CRYPTO Unremovability: Given a marked circuit C, no efficient adversary can construct a circuit C where C x = C (x) on all but a negligible fraction of inputs x Verify wsk, C = 0
10 Watermarking Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17] CRYPTO Unremovability: Given a marked circuit C, no efficient adversary can construct a circuit C whereminimally, we require that most programs are C x = C (x) on unmarked; all but a negligible only programs fraction of output inputs by x the marking Verify wsk, C = 0 algorithm should be considered marked [Also require unforgeability; see paper for details]
11 Watermarking Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17] CRYPTO Notion only achievable for functions that are not learnable Focus has been on cryptographic functions
12 Watermarking Cryptographic Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17] PRF(k, ) pseudorandom function Mark PRF(k, ) pseudorandom function CRYPTO Focus of this work: watermarking PRFs [CHNVW16, BLW17] A keyed function whose input-output behavior looks indistinguishable from a truly random function
13 Watermarking Cryptographic Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17] P k x : On input x, output PRF(k, x) Mark P k x : On input x, output PRF(k, x) CRYPTO Focus of this work: watermarking PRFs [CHNVW16, BLW17] Enables watermarking of symmetric primitives built from PRFs (e.g., encryption, MACs, etc.)
14 Main Result P k x : On input x, output PRF(k, x) Mark P k x : On input x, output PRF(k, x) The learning with errors (LWE) and the short integer solutions (SIS) assumptions CRYPTO This work: Under standard lattice assumptions, there exists a secretly-verifiable watermarkable family of PRFs
15 Blueprint for Watermarking PRFs [CHNVW16, BLW17] PRF key x 1 x 2 y 2 y 1 x 3 y 3 domain range Step 1: Evaluate PRF on test points x 1, x 2, x 3 (part of the watermarking secret key)
16 Blueprint for Watermarking PRFs [CHNVW16, BLW17] PRF key x 1 x 2 x 3 y2 y 3 y 1 x, y domain range Step 2: Derive a pair (x, y ) from y 1, y 2, y 3
17 Blueprint for Watermarking PRFs [CHNVW16, BLW17] PRF key x 1 x 2 y2 y 1 x, y x 3 x domain y 3 range PRF k, x Step 3: Marked key is a circuit that implements the PRF at all points, except at x, the output is changed to y
18 Blueprint for Watermarking PRFs [CHNVW16, BLW17] x 1 x 2 marked key Defer implementation details for now y2 y 1 x 3 x domain y y 3 range PRF k, x Step 3: Marked key is a circuit that implements the PRF at all points, except at x, the output is changed to y
19 Blueprint for Watermarking PRFs [CHNVW16, BLW17] x 1 x 2 marked key Defer implementation details for now y2 y 1 x 3 x domain y y 3 range PRF k, x Verification: Evaluate function at x 1, x 2, x 3, derive (x, y ) and check if the value at x matches y
20 Blueprint for Watermarking PRFs [CHNVW16, BLW17] x 1 x 2 marked key Defer implementation details for now y2 y 1 x 3 x y y 3 Functionality-preserving: function differs at a single point
21 Blueprint for Watermarking PRFs [CHNVW16, BLW17] x 1 x 2 marked key Defer implementation details for now y2 y 1 x 3 x y y 3 Functionality-preserving: function differs at a single point Unremovable: as long as adversary cannot tell that x, y is special
22 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Prior solutions: use obfuscation to hide x, y x y How to implement this functionality?
23 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Obfuscated program: P x,y (x): if x = x, output y else, output PRF(k, x) Prior solutions: use obfuscation to hide x, y Obfuscated program has PRF key embedded inside and outputs PRF(k, x) on all inputs x x and y when x = x How to implement this functionality?
24 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Obfuscated program: P x,y (x): if x = x, output y else, output PRF(k, x) Prior solutions: use obfuscation to hide x, y Obfuscated program has PRF key embedded inside and outputs PRF(k, x) on all inputs x x and y when x = x Essentially relies on secretly re-programming the value at x How to implement this functionality?
25 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Obfuscated program: P x,y (x): if x = x, output y else, output PRF(k, x) Prior solutions: use obfuscation to hide x, y Obfuscated program has PRF key embedded inside and outputs PRF(k, x) on all inputs x x and y when x = x Key technical challenge: How to hide x, y within the watermarked key (without obfuscation)?
26 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Obfuscated program: P x,y (x): if x = x, output y else, output PRF(k, x) Prior solutions: use obfuscation to hide x, y Obfuscated program has PRF key Has an embedded obfuscation inside flavor: and need outputs to embed PRF(k, a secret x) on inside all inputs a piece x x of code and that y cannot when x be = removed x Key technical challenge: How to hide x, y within the watermarked key (without obfuscation)?
27 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Obfuscated program: P x,y (x): if x = x, output y else, output PRF(k, x) Prior solutions: use obfuscation to hide x, y Obfuscated program has PRF key embedded inside and outputs PRF(k, x) on all inputs x x Obfuscation and y is when a very x strong = x tool and the security of existing candidates is not well understood Key technical challenge: How to hide x, y within the watermarked key (without obfuscation)?
28 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Obfuscated program: P x,y (x): if x = x, output y else, output PRF(k, x) Prior solutions: use obfuscation to hide x, y Obfuscated program has PRF key embedded inside and outputs PRF(k, x) on all inputs x x and y when x = x This work: Under standard lattice assumptions, there exists a secretly-verifiable watermarkable family of PRFs
29 Starting Point: Private Puncturable PRFs [BLW17, BKM17, CC17] x y Watermarked PRF implements PRF at all but a single point Structurally very similar to a puncturable PRF [BW13, BGI13, KPTZ13] Puncturable PRF: PRF key Puncture x punctured key
30 Starting Point: Private Puncturable PRFs [BLW17, BKM17, CC17] x Puncturable PRF: y Watermarked PRF implements PRF at all but a single point Structurally very similar to a puncturable PRF [BW13, BGI13, KPTZ13] Can be used to evaluate the PRF on all points x x PRF key Puncture x punctured key
31 Starting Point: Private Puncturable PRFs [BLW17, BKM17, CC17] Puncture x PRF key punctured key Recall general approach for watermarking: 1. Derive x, y from input/output behavior of PRF 2. Give out a key that agrees with PRF everywhere, except has value y at x = x PRF key punctured at x However, punctured key does not necessarily hide x, which allows adversary to remove watermark
32 Starting Point: Private Puncturable PRFs [BLW17, BKM17, CC17] Puncture x PRF key punctured key Punctured keys typically do not provide flexibility in programming value at Recall general approach for watermarking: punctured 1. Derive x point:, y difficult to test if a program is watermarked from input/output or not behavior of PRF 2. Give out a key that agrees with PRF everywhere, except has value y at x = x However, punctured key does not PRF key punctured at x necessarily hide x, which allows adversary to remove watermark
33 Starting Point: Private Puncturable PRFs [BLW17, BKM17, CC17] Puncture x PRF key punctured key Problem 1: Punctured keys do not hide the punctured point x Use private puncturable PRFs Problem 2: Difficult to test whether a value is the result of using a punctured key to evaluate at the punctured point
34 Starting Point: Private Puncturable PRFs [BLW17, BKM17, CC17] PRF key Puncture x punctured key In existing lattice-based private puncturable PRF constructions [BKM17, CC17], value of punctured key Problem 1: Punctured at punctured keys do point not is hide a deterministic the punctured function point xof Use privately puncturable PRFs the PRF key Problem 2: Difficult to test whether a value is the result of using a punctured key to evaluate at the punctured point
35 Starting Point: Private Puncturable PRFs [BLW17, BKM17, CC17] Puncture x PRF key punctured key Problem 1: Punctured keys do not hide the punctured point x Use privately puncturable PRFs Problem 2: Difficult to test whether a value is the result of using a punctured key to evaluate at the punctured point Relax programmability requirement
36 Private Translucent PRFs PRF key x 1 x 2 y 2 y 1 x 3 x y 3 PRF k, x Private puncturable PRF family with the property that output of any punctured key on a punctured point lies in a sparse, hidden subspace
37 Private Translucent PRFs punctured key x 1 x 2 y 2 y 1 x 3 x y y 3 Private puncturable PRF family with the property that output of any punctured key on a punctured point lies in a sparse, hidden subspace
38 Private Translucent PRFs punctured key x 1 x 2 x 3 x y 2 y 1 Secret testing key associated with the PRF family can be used to test for Private puncturable PRF family with membership the property in the that hidden output subspace of any punctured key on a punctured point lies in a sparse, hidden subspace y y 3
39 Private Translucent PRFs punctured key x 1 x 2 y 2 y 1 x 3 Sets satisfying such properties are called translucent [CDNO97] x y y 3 Values in special set looks indistinguishable from a random value (without secret testing key) Indistinguishable even though it is easy to sample values from the set
40 Watermarking from Private Translucent PRFs PRF key x 1 x 2 y 2 y 1 x 3 x y 3 PRF k, x Watermarking secret key (wsk): test points x 1,, x d and testing key for private translucent PRF
41 To mark a PRF key k, derive special point x and puncture k at x ; watermarked key is a program that evaluates using the punctured key Watermarking from Private Translucent PRFs marked key x 1 x 2 y 2 y 1 x 3 x y y 3
42 Watermarking from Private Translucent PRFs marked key x 1 x 2 y 2 y 1 x 3 x y y 3 To test whether a program C is watermarked, derive test point x and check whether C x is in the translucent set (using the testing key for the private translucent PRF)
43 Constructing Private Translucent PRFs
44 Blueprint Lattice PRFs Private Translucent PRF Puncturable PRF [BV15] Private Puncturable PRF [BKM17, CC17, BTVW17]
45 Learning with Errors (LWE) [Reg05] A, s T A + e T c A, u T A R Z q n m, s R Z q n, e R χ m, u R Z q m
46 Learning with Rounding (LWR) [BPR12] Replace random errors with deterministic rounding: A, උs T Aඇ A, උ ඇ p c u T p A R Z q n m, s R Z q n, u R Z q m Hardness reducible to LWE (for suitable parameter settings) More suitable starting point for constructing lattice PRFs
47 Lattice PRFs [BPR12, BLMR13, BP14, BV15, BFPPS15, BKM17, BTVW17] Intuition: set s to be the secret key for the PRF and derive A as a function of the input A, උs T Aඇ p c A, උ ඇ u T p
48 Lattice PRFs [BPR12, BLMR13, BP14, BV15, BFPPS15, BKM17, BTVW17] A, උs T Aඇ p c A, උ ඇ u T p Secret key: LWE secret vector s Zn q PRF evaluation: on input x 0,1 l, derive a matrix A x from x PRF s, x උs T A x ඇ p Question: how to derive A x?
49 Homomorphic Matrix Embeddings [BGGHNSVV14] A way to encode x 0,1 l as a collection of LWE samples take LWE matrices A 1,, A l Z q n m and a secret s Z q n : s T A 1 + x 1 G + e 1 encoding of x 1 with respect to A 1
50 LWE matrix associated with each input bit Homomorphic Matrix Embeddings [BGGHNSVV14] A way to encode x G 0,1 Z n m l q as is a fixed collection of LWE samples take LWE matrices A 1,, A l Z n m q and a secret s Z n q : gadget matrix s T A 1 + x 1 G + e 1 encoding of x 1 with respect to A 1 s T A l + x l G + e l
51 Homomorphic Matrix Embeddings [BGGHNSVV14] A way to encode x 0,1 l as a collection of LWE samples take LWE matrices A 1,, A l Z n m q and a secret s Z n q : Function of f and A 1,, A l only: s T A 1 + x 1 G + e 1 s T A l + x l G + e l f, A 1,, A l A f s T A f + f x G + noise Encodings support homomorphic operations Encoding of x Encoding of f(x)
52 Puncturable PRFs from LWE [BV15] PRF evaluation: on input x 0,1 l, derive A x from A 1, A l and output PRF s, x උs T A x ඇ p Question: how to derive A x? Let A 1,, A l be matrices associated with bits of x 0,1 l Define PRF evaluation with respect to equality function eq x x 1, x = x = ቊ 0, x x Let A x be matrix associated with evaluating eq x on A 1,, A l
53 Puncturable PRFs from LWE [BV15] PRF s, x උs T A eqx ඇ p To puncture the key s at a point x, give out encodings of x : s T A 1 + x 1 G + e 1 s T A l + x l G + e l s T A eqx + eq x (x ) G + noise PRF evaluation (at x) using punctured key
54 Puncturable PRFs from LWE [BV15] PRF s, x උs T A eqx ඇ p To puncture the key s at a point x, give out encodings of x : s T A 1 + x 1 G + e 1 s T A l + x l G + e l If x x, eq x x = 0, so s T A eqx + eq x (x ) G + noise PRF evaluation (at x) using punctured key උs T A eqx + noiseඇ = උs T A ඇ p eqx = PRF(s, x) p
55 Puncturable PRFs from LWE [BV15] PRF s, x උs T A eqx ඇ p To puncture the key s at a point x, give out encodings of x : s T A 1 + x 1 G + e 1 s T A l + x l G + e l If x = x, eq x x = 1, so s T A eqx + eq x (x ) G + noise PRF evaluation (at x) using punctured key ቔs T (A eqx + G) + noiseቓ ቔs T A eqx ቓ = PRF(s, x ) p p
56 Puncturable PRFs from LWE [BV15] PRF s, x උs T A eqx ඇ p To puncture the key s at a point x, give out encodings of x : s T A 1 + x 1 G + e 1 s T A l + x l G + e l s T A eqx + eq x (x ) G + noise PRF evaluation (at x) using punctured key This construction gives a puncturable PRF from LWE
57 Puncturable PRFs from LWE [BV15] PRF s, x උs T A eqx ඇ p To puncture the key s at a point x, give out encodings of x : s T A 1 + x 1 G + e 1 s T A l + x l G + e l s T A eqx + eq x (x ) G + noise Combine with FHE to obtain private puncturing [BKM17, BTVW17] PRF evaluation (at x) using punctured key This construction gives a puncturable PRF from LWE
58 Private Translucent PRFs Goal: detect whether a punctured key is used to evaluate at a punctured point (this is essential for embedding the watermark)
59 Private Translucent PRFs Goal: detect whether a punctured key is used Omitting to evaluate several at a technicalities punctured point (this is essential for embedding the watermark) related to FHE evaluation Real PRF evaluation: PRF s, x උs T A eqx ඇ p Punctured PRF evaluation: උs T A eqx + eq x x G ඇ p [See paper for details] Difficulty: no control over value at punctured point
60 Private Translucent PRFs Goal: detect whether a punctured key is used to evaluate at a punctured point (this is essential for embedding the watermark) Real PRF evaluation: PRF s, x උs T A eqx ඇ p Punctured PRF evaluation: උs T A eqx + eq x x G ඇ p Idea: define PRF with respect to scaled equality circuit: eq x x, w = ቊ w, x = x 0, x x
61 Private Translucent PRFs PRF s, x උs T A eqx ඇ p Evaluating the punctured key at the punctured point x yields: s T A eqx + w G + noise Scaling factor w is chosen when key is punctured and can be chosen to adjust the value at the punctured point
62 Private Translucent PRFs Evaluating the punctured key at the punctured point yields: s T A eqx + w G + noise Can now consider many instances of this PRF with many different w i s: s T A eqx,1 + w 1 G 1 + noise s T A eqx,n + w N G N + noise Different gadget matrices G 1,, G N [See paper for construction]
63 Private Translucent PRFs Evaluating the punctured key at the punctured point yields: s T A eqx + w G + noise Can now consider many instances of this PRF with many different w i s: s T A eqx,1 + w 1 G 1 + noise s T A eqx,n + w N G N + noise At puncturing time, choose w 1,, w N such that W = i [N] A eqx,i + i [N] w i G i
64 Private Translucent PRFs Evaluating the punctured key at the punctured point yields: s T A eqx + w G + noise Can now consider many instances of this PRF with many different w i s: W is a fixed public matrix included in the public parameters of the PRF family s T A eqx,1 + w 1 G 1 + noise s T A eqx,n + w N G N + noise At puncturing time, choose w 1,, w N such that W = i [N] A eqx,i + i [N] w i G i
65 Private Translucent PRFs Define real PRF evaluation to be sum of each independent evaluation: PRF s, x ඍ s T i N A eqx,i ඉ p When evaluating at punctured point x : s T A eqx,i + w i G i = s T W i N i N
66 Private Translucent PRFs Define real PRF evaluation to be sum of each independent evaluation: PRF s, x Output ඍ s T at punctured A eqx,iඉ point is an LWE sample with i Nrespect to W (fixed public p matrix) critical for implementing a When evaluating at punctured point x : translucent set s T A eqx,i + w i G i = s T W i N i N
67 Private Translucent PRFs Define real PRF evaluation to be sum of each independent evaluation: PRF s, x ඍ s T A eqx,i Testing key is a short vector z where ඉ Wz = 0: When evaluating at punctured point x : i N උs T Wඇ p, z උs T Wzඇ p = 0 p s T A eqx,i + w i G i = s T W i N i N [See paper for details and security analysis]
68 Conclusions private puncturable PRFs [BKM17, CC17, BTVW17] watermarking [CHNVW16, BLW17] lattice-based assumptions indistinguishability obfuscation
69 Conclusions private puncturable PRFs [BKM17, CC17, BTVW17] watermarking (via private translucent PRFs) this work lattice-based assumptions indistinguishability obfuscation
70 Open Problems Publicly-verifiable watermarking without obfuscation? Current best construction relies on io [CHNVW16] Additional applications of private translucent PRFs? Thank you!
Watermarking Cryptographic Functionalities from Standard Lattice Assumptions
Watermarking Cryptographic Functionalities from Standard Lattice Assumptions Sam Kim Stanford University Joint work with David J. Wu Digital Watermarking 1 Digital Watermarking Content is (mostly) viewable
More informationPrivate Puncturable PRFs from Standard Lattice Assumptions
Private Puncturable PRFs from Standard Lattice Assumptions Sam Kim Stanford University Joint work with Dan Boneh and Hart Montgomery Pseudorandom Functions (PRFs) [GGM84] Constrained PRFs [BW13, BGI13,
More informationPrivate Puncturable PRFs From Standard Lattice Assumptions
Private Puncturable PRFs From Standard Lattice Assumptions Dan Boneh Stanford University dabo@cs.stanford.edu Sam Kim Stanford University skim13@cs.stanford.edu Hart Montgomery Fujitsu Laboratories of
More informationCOS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7
COS 597C: Recent Developments in Program Obfuscation Lecture 7 10/06/16 Lecturer: Mark Zhandry Princeton University Scribe: Jordan Tran Notes for Lecture 7 1 Introduction In this lecture, we show how to
More informationPublicly Verifiable Software Watermarking
Publicly Verifiable Software Watermarking Aloni Cohen Justin Holmgren Vinod Vaikuntanathan April 22, 2015 Abstract Software Watermarking is the process of transforming a program into a functionally equivalent
More informationConstraining Pseudorandom Functions Privately
Constraining Pseudorandom Functions Privately Dan Boneh, Kevin Lewi, and David J. Wu Stanford University {dabo,klewi,dwu4}@cs.stanford.edu Abstract In a constrained pseudorandom function (PRF), the master
More informationNew and Improved Key-Homomorphic Pseudorandom Functions
New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO 14 19 August 2014 Outline 1 Introduction 2 Construction, Parameters
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationConstrained Keys for Invertible Pseudorandom Functions
Constrained Keys or Invertible Pseudorandom Functions Dan Boneh, Sam Kim, and David J. Wu Stanord University {dabo,skim13,dwu4}@cs.stanord.edu Abstract A constrained pseudorandom unction (PRF) is a secure
More informationTowards Tightly Secure Lattice Short Signature and Id-Based Encryption
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt 16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationBootstrapping Obfuscators via Fast Pseudorandom Functions
Bootstrapping Obfuscators via Fast Pseudorandom Functions Benny Applebaum October 26, 2013 Abstract We show that it is possible to upgrade an obfuscator for a weak complexity class WEAK into an obfuscator
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationFUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS. Elette Boyle Shafi Goldwasser Ioana Ivan
FUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS Elette Boyle Shafi Goldwasser Ioana Ivan Traditional Paradigm: All or Nothing Encryption [DH76] Given SK, can decrypt. Otherwise, can t distinguish encryptions
More informationConstrained PRFs for NC 1 in Traditional Groups
Constrained PFs for NC 1 in Traditional Groups Nuttapong Attrapadung 1, Takahiro Matsuda 1, yo Nishimaki 2, Shota Yamada 1, Takashi Yamakawa 2 1 National Institute of Advanced Industrial Science and Technology
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationTHE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY
THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY Mark Zhandry - Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical
More informationQuantum-secure symmetric-key cryptography based on Hidden Shifts
Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering
More informationLecture 2: Program Obfuscation - II April 1, 2009
Advanced Topics in Cryptography Lecture 2: Program Obfuscation - II April 1, 2009 Lecturer: S. Goldwasser, M. Naor Scribe by: R. Marianer, R. Rothblum Updated: May 3, 2009 1 Introduction Barak et-al[1]
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationMultiparty Computation (MPC) Arpita Patra
Multiparty Computation (MPC) Arpita Patra MPC offers more than Traditional Crypto! > MPC goes BEYOND traditional Crypto > Models the distributed computing applications that simultaneously demands usability
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationA Lattice-Based Universal Thresholdizer for Cryptographic Systems
A Lattice-Based Universal Thresholdizer for Cryptographic Systems Dan Boneh Rosario Gennaro Steven Goldfeder Sam Kim Abstract We develop a general approach to thresholdizing a large class of (non-threshold)
More informationSampling Lattice Trapdoors
Sampling Lattice Trapdoors November 10, 2015 Today: 2 notions of lattice trapdoors Efficient sampling of trapdoors Application to digital signatures Last class we saw one type of lattice trapdoor for a
More informationWeak Zero-Knowledge Beyond the Black-Box Barrier
Weak Zero-Knowledge Beyond the Black-Box Barrier Nir Bitansky Dakshita Khurana Omer Paneth November 9, 2018 Abstract The round complexity of zero-knowledge protocols is a long-standing open question, yet
More informationModern symmetric-key Encryption
Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his
More informationLinear Multi-Prover Interactive Proofs
Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Interactive Arguments for NP L C = x C x, w = 1 for some w P(x, w) V(x) accept / reject
More informationFrom FE Combiners to Secure MPC and Back
From FE Combiners to Secure MPC and Back Prabhanjan Ananth Saikrishna Badrinarayanan Aayush Jain Nathan Manohar Amit Sahai Abstract Functional encryption (FE) has incredible applications towards computing
More informationOutput Compression, MPC, and io for Turing Machines
Output Compression, MPC, and io for Turing Machines Saikrishna Badrinarayanan Rex Fernando Venkata Koppula Amit Sahai Brent Waters Abstract In this work, we study the fascinating notion of output-compressing
More informationPseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions
Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions Crypto 2011 Daniele Micciancio Petros Mol August 17, 2011 1 Learning With Errors (LWE) secret public: integers n,
More informationFully Bideniable Interactive Encryption
Fully Bideniable Interactive Encryption Ran Canetti Sunoo Park Oxana Poburinnaya January 1, 19 Abstract While standard encryption guarantees secrecy of the encrypted plaintext only against an attacker
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationMore Efficient Lattice PRFs from Keyed Pseudorandom Synthesizers
More Efficient Lattice PRFs from Keyed Pseudorandom Synthesizers Hart Montgomery hmontgomery@us.fujitsu.com Fujitsu Laboratories of America November 5, 2018 Abstract We develop new constructions of lattice-based
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationOn Two Round Rerunnable MPC Protocols
On Two Round Rerunnable MPC Protocols Paul Laird Dublin Institute of Technology, Dublin, Ireland email: {paul.laird}@dit.ie Abstract. Two-rounds are minimal for all MPC protocols in the absence of a trusted
More informationConstrained Pseudorandom Functions for Unconstrained Inputs
Constrained Pseudorandom Functions for Unconstrained Inputs Apoorvaa Deshpande acdeshpa@cs.brown.edu Venkata Koppula kvenkata@cs.utexas.edu Brent Waters bwaters@cs.utexas.edu Abstract A constrained pseudo
More informationPositive Results and Techniques for Obfuscation
Positive Results and Techniques for Obfuscation Benjamin Lynn Stanford University Manoj Prabhakaran Princeton University February 28, 2004 Amit Sahai Princeton University Abstract Informally, an obfuscator
More informationAttribute-based Encryption & Delegation of Computation
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin Attribute-based Encryption & Delegation of Computation April 9, 2013 Scribe: Steven Goldfeder We will cover the ABE
More informationOn the Communication Complexity of Secure Function Evaluation with Long Output
On the Communication Complexity of Secure Function Evaluation with Long Output Pavel Hubáček Daniel Wichs Abstract We study the communication complexity of secure function evaluation (SFE). Consider a
More informationFrom Secure MPC to Efficient Zero-Knowledge
From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time
More informationCS Topics in Cryptography January 28, Lecture 5
CS 4501-6501 Topics in Cryptography January 28, 2015 Lecture 5 Lecturer: Mohammad Mahmoody Scribe: Ameer Mohammed 1 Learning with Errors: Motivation An important goal in cryptography is to find problems
More informationFully Homomorphic Encryption from LWE
Fully Homomorphic Encryption from LWE Based on joint works with: Zvika Brakerski (Stanford) Vinod Vaikuntanathan (University of Toronto) Craig Gentry (IBM) Post-Quantum Webinar, November 2011 Outsourcing
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More informationRobust Non-Interactive Multiparty Computation Against Constant-Size Collusion
Robust Non-Interactive Multiparty Computation Against Constant-Size Collusion Fabrice Benhamouda, Hugo Krawczyk, and Tal Rabin IBM Research, Yorktown Heights, US Abstract. Non-Interactive Multiparty Computations
More informationLattice Cryptography
CSE 206A: Lattice Algorithms and Applications Winter 2016 Lattice Cryptography Instructor: Daniele Micciancio UCSD CSE Lattice cryptography studies the construction of cryptographic functions whose security
More informationCandidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation
Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation Dongxue Pan 1,2, Hongda Li 1,2, Peifang Ni 1,2 1 The Data Assurance and Communication
More informationObfuscating Point Functions with Multibit Output
Obfuscating Point Functions with Multibit Output Ran Canetti 1 and Ronny Ramzi Dakdouk 2 1 IBM T. J. Watson Research Center, Hawthorne, NY. canetti@watson.ibm.com 2 Yale University, New Haven, CT. dakdouk@cs.yale.edu
More informationConstructing Witness PRF and Offline Witness Encryption Without Multilinear Maps
Constructing Witness PRF and Offline Witness Encryption Without Multilinear Maps Tapas Pal, Ratna Dutta Department of Mathematics, Indian Institute of Technology Kharagpur, Kharagpur-721302, India tapas.pal@iitkgp.ac.in,ratna@maths.iitkgp.ernet.in
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationFully-secure Key Policy ABE on Prime-Order Bilinear Groups
Fully-secure Key Policy ABE on Prime-Order Bilinear Groups Luke Kowalczyk, Jiahui Liu, Kailash Meiyappan Abstract We present a Key-Policy ABE scheme that is fully-secure under the Decisional Linear Assumption.
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationMultiparty Computation
Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:
More informationPractice Exam Winter 2018, CS 485/585 Crypto March 14, 2018
Practice Exam Name: Winter 2018, CS 485/585 Crypto March 14, 2018 Portland State University Prof. Fang Song Instructions This exam contains 8 pages (including this cover page) and 5 questions. Total of
More informationNotes on Property-Preserving Encryption
Notes on Property-Preserving Encryption The first type of specialized encryption scheme that can be used in secure outsourced storage we will look at is property-preserving encryption. This is encryption
More informationCutting-Edge Cryptography Through the Lens of Secret Sharing
Cutting-Edge Cryptography Through the Lens of Secret Sharing Ilan Komargodski Mark Zhandry Abstract Secret sharing is a mechanism by which a trusted dealer holding a secret splits the secret into many
More information16 Fully homomorphic encryption : Construction
16 Fully homomorphic encryption : Construction In the last lecture we defined fully homomorphic encryption, and showed the bootstrapping theorem that transforms a partially homomorphic encryption scheme
More informationFully Secure and Fast Signing from Obfuscation
Fully Secure and Fast Signing from Obfuscation Kim Ramchen University of Texas at ustin kramchen@cs.utexas.edu Brent Waters University of Texas at ustin bwaters@cs.utexas.edu bstract In this work we explore
More informationIndistinguishability Obfuscation for All Circuits from Secret-Key Functional Encryption
Indistinguishability Obfuscation for All Circuits from Secret-Key Functional Encryption Fuyuki Kitagawa 1 Ryo Nishimaki 2 Keisuke Tanaka 1 1 Tokyo Institute of Technology, Japan {kitagaw1,keisuke}@is.titech.ac.jp
More informationPublicly Verifiable Software Watermarking
Publicly Verifiable Software Watermarking Aloni Cohen Justin Holmgren Vinod Vaikuntanathan December 7, 2015 Abstract Software Watermarking is the process of transforming a program into a functionally equivalent
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationOn Statistically Secure Obfuscation with Approximate Correctness
1 On Statistically Secure Obfuscation with Approximate Correctness Zvika Brakerski 1 Christina Brzuska 2 Nils Fleischhacker 3 1 Weizmann Institute of Science 2 Technical University Hamburg 3 Saarland University
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il
More informationSECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL. Mark Zhandry Stanford University
SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL Mark Zhandry Stanford University Random Oracle Model (ROM) Sometimes, we can t prove a scheme secure in the standard model. Instead,
More informationReducing Depth in Constrained PRFs: From Bit-Fixing to NC 1
Reducing Depth in Constrained PRFs: From Bit-Fixing to NC 1 Nishanth Chandran Srinivasan Raghuraman Dhinakaran Vinayagamurthy Abstract The candidate construction of multilinear maps by Garg, Gentry, and
More informationProvable Security for Program Obfuscation
for Program Obfuscation Black-box Mathematics & Mechanics Faculty Saint Petersburg State University Spring 2005 SETLab Outline 1 Black-box Outline 1 2 Black-box Outline Black-box 1 2 3 Black-box Perfect
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationLecture 13: Private Key Encryption
COM S 687 Introduction to Cryptography October 05, 2006 Instructor: Rafael Pass Lecture 13: Private Key Encryption Scribe: Ashwin Machanavajjhala Till this point in the course we have learnt how to define
More informationQuantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security
Quantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security Flight plan What s a quantum computer? How broken are your public keys? AES vs. quantum search Hidden quantum powers Defeating quantum computing
More informationPacking Messages and Optimizing Bootstrapping in GSW-FHE
Packing Messages and Optimizing Bootstrapping in GSW-FHE Ryo Hiromasa Masayuki Abe Tatsuaki Okamoto Kyoto University NTT PKC 15 April 1, 2015 1 / 13 Fully Homomorphic Encryption (FHE) c Enc(m) f, c ĉ Eval(
More informationQuantum-Secure Message Authentication Codes
Electronic Colloquium on Computational Complexity, Report No. 36 (202) Quantum-Secure Message Authentication Codes Dan Boneh Mark Zhandry Stanford University {dabo,zhandry}@cs.stanford.edu Abstract We
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationFrom Minicrypt to Obfustopia via Private-Key Functional Encryption
From Minicrypt to Obfustopia via Private-Key Functional Encryption Ilan Komargodski Weizmann Institute of Science Joint work with Gil Segev (Hebrew University) Functional Encryption [Sahai-Waters 05] Enc
More informationQuestion 1. The Chinese University of Hong Kong, Spring 2018
CSCI 5440: Cryptography The Chinese University of Hong Kong, Spring 2018 Homework 2 Solutions Question 1 Consider the following encryption algorithm based on the shortlwe assumption. The secret key is
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationQUANTUM HOMOMORPHIC ENCRYPTION FOR POLYNOMIAL-SIZED CIRCUITS
QUANTUM HOMOMORPHIC ENCRYPTION FOR POLYNOMIAL-SIZED CIRCUITS Florian Speelman (joint work with Yfke Dulek and Christian Schaffner) http://arxiv.org/abs/1603.09717 QIP 2017, Seattle, Washington, Monday
More informationLecture Notes on Secret Sharing
COMS W4261: Introduction to Cryptography. Instructor: Prof. Tal Malkin Lecture Notes on Secret Sharing Abstract These are lecture notes from the first two lectures in Fall 2016, focusing on technical material
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More informationDelegating RAM Computations with Adaptive Soundness and Privacy
Delegating RAM Computations with Adaptive Soundness and Privacy Prabhanjan Ananth Yu-Chi Chen Kai-Min Chung Huijia Lin Wei-Kai Lin November 7, 2015 Abstract We consider the problem of delegating RAM computations
More informationUniversal Samplers with Fast Verification
Universal Samplers with Fast Verification Venkata Koppula University of Texas at Austin kvenkata@csutexasedu Brent Waters University of Texas at Austin bwaters@csutexasedu January 9, 2017 Andrew Poelstra
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationBounded-Communication Leakage Resilience via Parity-Resilient Circuits
Bounded-Communication Leakage Resilience via Parity-Resilient Circuits Vipul Goyal Yuval Ishai Hemanta K. Maji Amit Sahai Alexander A. Sherstov September 6, 2016 Abstract We consider the problem of distributing
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 23 (rev. 1) Professor M. J. Fischer November 29, 2005 1 Oblivious Transfer Lecture Notes 23 In the locked
More informationQuantum-Secure Message Authentication Codes
Quantum-Secure Message Authentication Codes Dan Boneh Mark Zhandry Stanford University {dabo,zhandry}@cs.stanford.edu Abstract We construct the first Message Authentication Codes (MACs) that are existentially
More informationSymbolic Encryption with Pseudorandom Keys
Symbolic Encryption with Pseudorandom Keys Daniele Micciancio February 23, 2018 Abstract We give an efficient decision procedure that, on input two (acyclic) cryptographic expressions making arbitrary
More informationThreshold Cryptosystems From Threshold Fully Homomorphic Encryption
Threshold Cryptosystems From Threshold Fully Homomorphic Encryption Dan Boneh Rosario Gennaro Steven Goldfeder Aayush Jain Sam Kim Peter M. R. Rasmussen Amit Sahai Abstract We develop a general approach
More informationDelegating RAM Computations with Adaptive Soundness and Privacy
Delegating RAM Computations with Adaptive Soundness and Privacy Prabhanjan Ananth Yu-Chi Chen Kai-Min Chung Huijia Lin Wei-Kai Lin October 18, 2016 Abstract We consider the problem of delegating RAM computations
More informationAdaptively Secure Constrained Pseudorandom Functions
Adaptively Secure Constrained Pseudorandom Functions Dennis Hofheinz dennis.hofheinz@kit.edu Venkata Koppula University of Texas at Austin kvenkata@cs.utexas.edu Akshay Kamath University of Texas at Austin
More informationZAPs and Non-Interactive Witness Indistinguishability from Indistinguishability Obfuscation
ZAPs and Non-Interactive Witness Indistinguishability from Indistinguishability Obfuscation Nir Bitansky Omer Paneth February 12, 2015 Abstract We present new constructions of two-message and one-message
More informationLecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations
CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw
More informationOn Perfect and Adaptive Security in Exposure-Resilient Cryptography. Yevgeniy Dodis, New York University Amit Sahai, Princeton Adam Smith, MIT
On Perfect and Adaptive Security in Exposure-Resilient Cryptography Yevgeniy Dodis, New York University Amit Sahai, Princeton Adam Smith, MIT 1 Problem: Partial Key Exposure Alice needs to store a cryptographic
More informationOblivious Transfer and Secure Multi-Party Computation With Malicious Parties
CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index
More informationCertifying Trapdoor Permutations, Revisited
Certifying Trapdoor Permutations, Revisited Ran Canetti Amit Lichtenberg September 25, 2018 Abstract The modeling of trapdoor permutations has evolved over the years. Indeed, finding an appropriate abstraction
More information