Public-Seed Pseudorandom Permutations
|
|
- Marjory Harvey
- 5 years ago
- Views:
Transcription
1 Public-Seed Pseudorandom Permutations Stefano Tessaro UCSB Joint work with Pratik Soni (UCSB) DIMACS Workshop New York June 8, 2017
2 We look at existing class of cryptographic primitives and introduce/study the first plausible assumptions on them. Pratik Soni, Stefano Tessaro Public-Seed Pseudorandom Permutations EUROCRYPT 2017
3 Cryptographic schemes often built from simpler building blocks M, M / M l K ipad M IV E + E + H H block cipher (e.g., AES) hash function (e.g., SHA-3) K opad Is there a universal and simple building block for efficient symmetric cryptography? Main motivation: Single object requiring optimized implementation!
4 Recent trend: = permutation Example. Sponge construction (as in SHA-3) [BDPvA] M r-bit blocks: M, M / M 3 r n r 0 0 π π π H(M) efficiently computable and invertible permutation
5 Several permutation-based constructions Hash functions, authenticated encryption schemes, PRNGs, garbling schemes
6 Permutation instantiations Ad-hoc designs e.g., in SHA-3, AE schemes, Designed to withstand cryptanalytic attacks against constructions using them! e.g., no collision attack Fixed-key block ciphers e.g., π x AES(0,/@, x) AES 0,/@ Faster hash functions [RS08], fast garbling [BHKR13]
7 Permutations assumptions What security properties do we expect from a permutation? Ideal goal: Standard-model reduction! If π satisfies X then C[π] satisfies Y. e.g., C = SHA 3; Y = Anything non-trivial X =??? S Q0 0 π π π Unfortunately: No standard-model proofs known under non-tautological assumptions!
8 Security of permutation-based crypto Provable security Random permutation model! π is random + adversary given oracle access to π and π R, clearly unachievable [CGH98] security against generic attacks! Cryptanalysis Application specific attacks Insights are hard to recycle for new applications Very little permutationspecific cryptanalysis
9 Example OWFs from permutations π: {0,1} X 0,1 X x π y = π x π R, π R, (y) Clearly: Cannot be one way! So, how do we make a oneway function out of π?
10 Naïve idea: Truncation f: 0,1 X 0,1 X// x π y z z Not one way: y: π R, (y, z) preimage of z Better candidate: g: 0,1 X// 0,1 X// x 0 x π y z z Conjectured one-way for π = SHA-3 permutation Wanted: Basic (succinct, non-tautological) security property satisfied by π which implies one-wayness of g?
11 Permutations vs hash functions ideal model standard model Hash functions Permutations random oracle random permutation CRHF, OWFs, UOWHFs, CI, UCEs What kind of cryptographic hardness can we expect from a permutation?
12 This work, in a nutshell First plausible and useful standard-model security assumption for permutations. Public-seed Pseudorandom Permutations (psprps) inspired by the UCE framework [BHK13] Two main questions: Can we get psprps at all? Are psprps useful?
13 psprps Landscape preview Deterministic & Hedged PKE Immunizing backdoored PRGs psprp Feistel e.g., Sponges psprp UCE Message-locked Encryption (MLE) Hardcore functions KDM-secure symmetric key Enc. Point-function Obfuscation CCA-secure Enc. Efficient garbling from fixed-key block-ciphers
14 Roadmap 1.Definitions 2.Constructions & Applications 3.Conclusions
15 Syntax: Seeded permutations π 0,1 X 0,1 X P = (Gen, π, π R, ) π h 1 i Gen s x π h x y π h R, π h R, y Seed generation Forward evaluation Backward evaluation (1) π h 0,1 X 0,1 X (2) x π h R, π h x = x
16 Secret-seed security: Pseudorandom permutations (PRPs) s Gen(1 i ) ρ Perms(n) π p / π h R, ρ/ρ R, D5 0/1 Stage 1: Oracle access Secret seed Limited information flow Stage 2: Learns seed No oracle access
17 UCE security h h s Gen(1 i ) f Func(, n) Bellare Hoang Keelveedh f source S H = (Gen, h) s L leakage distinguisher D 0/1
18 psprp security [This work] π h /π h R, s Gen(1 i ) ρ Perms(n) ρ/ρ R, Makes both forward and backward queries! source s S L P = (Gen, π, π R, ) distinguisher D 0/1
19 Observation: psprp-security impossible against all PPT sources! π h /π h R, ρ/ρ R, (+, 0 X ) y S y (+, 0 X ) Outputs 1 iff s L = y 1 D y = π h 0 X 1 with prob. 1 with prob. 1/2 X
20 Solution: Restrict class of considered sources! all sources π h /π h R, ρ/ρ R, S S s L D 0/1 Definition. P psprp[s]-secure: S S, PPT D: π h /π h R, ρ/ρ R,
21 Here: unpredictable and reset-secure sources reset-secure all sources S h h S hƒ unpredictable Both restrictions capture unpredictability of source queries! S hƒ S h h psprp S h h stronger assumption than psprp S hƒ
22 Source restrictions unpredictability σ {+, } (σ, x ) S ρ/ρ R, y A L Q Q {x, y } Goal: Must be hard for A to predict S s queries or their inverses Q Pr [ Q Q φ] = negl(λ) S hƒ : A is computationally unbounded, poly queries S ƒ : A is PPT io psprp[s ƒ ] impossible [BFM14]
23 Source restrictions reset-security S ρ/ρ R, S ρ/ρ R, L L R ρ/ρ R, R ρ /ρ R, 0/1 ρ Perms(n) 0/1 ρ, ρ Perms(n) S h h : R is computationally unbounded, poly queries S h : R is PPT Fact. S hƒ S h h
24 Recap Definitions Equally useful? Central assumptions in UCE theory
25 Roadmap 1.Definitions 2.Constructions & Applications 3.Conclusions
26 Example Truncation 0 y g h : 0,1 0,1 x x π h z z g h x = π h x, 0 XR [1.. k] Lemma. If π psprp[s hƒ ]-secure and m + ω log λ k n ω log λ, then g is PRG. Thus, also a OWF... s Gen(1 i ) x 0,1 XR (y, z) π h (x, 0) b D(s, z) (x, 0 XR ) π h S (y, z) s z D b
27 Proof Cont d π h ρ random! (x, 0 XR ) (y, z) s (x, 0 XR ) (y, z) s S z D b S z D b s Gen(1 i ) x 0,1 XR (y, z) π h (x, 0) b D(s, z) if S S hƒ s Gen z 0,1 b D(s, z)
28 Proof Unpredictability of S (x, 0 XR ) ρ (y, z) ρ/ρ R, q = poly(n) queries S z R Q Fact. Pr (x, 0 XR ), y, z Q φ ž / Ÿ + ž /
29 Next Can we get psprps at all? Are psprps useful? Constructions from UCEs Constructions of UCEs Heuristic Instantiations Common denominator: CP-sequential indifferentiability Direct applications Garbling from fixed-key block ciphers
30 How to build UCEs from psprps? H[P] π h /π h R, M 0,1 H H h (M) Ideal theorem. P psprp[s h h ]-secure H[P] UCE[S h h ]-secure. What does H need to satisfy for this to be true?
31 Indifferentiability [MRH04] f Funcs(, n) H f A A 0/1 ρ/ρ R, ρ Perms(n) 0/1? Sim Definition. H indiff. from RO if PPT Sim PPT A: H + ρ/ρ R, f + Sim
32 CP-sequential indifferentiability f Funcs(, n) A A, H, st A ρ/ρ R, A / / st f Sim 0/1 ρ Perms(n) 0/1 Def. H CP-indiff. from RO if PPT Sim PPT (A,, A / ): H + ρ/ρ R, f + Sim
33 From psprps to UCEs Theorem. P psprp[s h h ]-secure H CP-indiff from RO H[P] UCE[S h h ]-secure. Similar to [BHK14]. But: Needs full indifferentiability UCE domain extension π h /π h R, H Corollary. Every perm-based indiff. hash-function transforms a psprp into a UCE!
34 From psprps to UCEs Proof s Gen(1 i ) ρ Perms(n) S reset-secure H is CP-indiff from RO f Funcs(, n) π h /π h R, ρ/ρ R, H s H s f s S D S D S D S S by psprp[s h h ]- security if S S h h by CP-indiff.
35 Reset-security of S? S h ρ/ρ R, cpi f Sim R S R S R f f«sim R cpi ρ/ρ R, S h ρ /ρ R, S is reset-secure! S R S R
36 Good news #1 Corollary. Every perm-based indiff. hashfunction transforms a psprp into a UCE! Many practical hash designs from permutations are indifferentiable from RO! UCE is a meaningful security target several applications!
37 Examples Sponges M {0,1} M, M / M SQ r 0 r y n r 0 ρ ρ ρ π h π h π h Theorem. [BDVP08] Sponge indifferentiable from RO. Corollary, P psprp S h h -secure Sponge[P] UCE S h h -secure. Validates the Sponge paradigm for UCE applications!
38 Good news #2 No need for full indifferentiability Chop truncates n-bits to r-bits ρ n n r Not indifferentiable! For random y, get x = ρ R, (y) Query construction on x, check consistency with first r bits of y Chop A A ρ/ρ R, 0/1 0/1 f Sim
39 Chop Cont d truncates n-bits to r-bits ρ πh n n r Theorem. Chop is CP-indiff from RO when n r ω(log λ). psprp S hƒ UCE S hƒ Corollary. P psprp S h h -secure Chop[P] UCE[S h h ]- secure. From Chop P to VIL UCE: Domain extension techniques [BHK14]
40 What about the converse? psprps UCEs
41 psprps from UCEs Theorem. H UCE[S h h ]-secure P CP-indiff from RP P[H] psprp[s h h ]-secure. A, P A, st f A / A / st ρ/ρ R, Sim 0/1 0/1
42 From UCEs to psprps Feistel X {0,1} /X f, f / f ± f ² f ³ Y {0,1} /X ψ ³ [f] [DS16] [DKT16] [HKT11] [CPS08] impossible??? #rounds for indifferentiability Corollary. psprps exist iff UCEs exist!!!* * wrt reset-secure sources
43 Round-complexity of Feistel for UCE-to-psPRP transformation? This work!!! [DS16] [DSKT16] [HKT11] #rounds for CP-sequential indifferentiability Theorem. 5-round Feistel is CP-indiff from RP Corollary. H UCE S h h -secure ψ ³ [H] psprp[s h h ]- secure.
44 5-round proof is quite involved! Our 5-round Sim: Relies on chain completion techniques Heavily exploits query ordering Very different chain-completion strategy from previous works, no recursion needed detect detect X, X / X ± X ² X ³ X f, f / f ± f ² f ³ X Q forceval forceval X ³ Set Set uniform uniform Open: Do 4-rounds suffice? [LR88] impossible This work!!!??? [DS16] [DSKT16] [HKT11] #rounds of Feistel for psprp-security
45 A couple of extra results! (In passing!)
46 Heuristic Instantiations From block ciphers: π h x = E(s, x) Gen: E s {0,1} psprp S h h -secure Ideal-cipher model From seedless permutations: π h x = s π(s x) π psprp S hƒ -secure RP model Gen: s {0,1}
47 Fast Garbling from psprps x º Q, x º, x» Q, x», AND x ¼ Q, x ¼, Garbling scheme from [BHKR13] Only calls fixed-key block cipher x E(0, x) Very fast no key re-schedule Proof in RP model Garbled AND-Gate E 0 X, x Q º x Q» x Q º x Q Q» x ¼ E 0 X, x Q º x,» x Q º x, Q» x ¼ E 0 X, x, º x Q» x, º x Q Q» x ¼ E 0 X, x, º x,» x, º x,,» x ¼ Our variant: E 0, x π h (x), fresh seed s generated upon each garbling operation! Theorem. Secure when π s is psprp[s hƒ ].
48 Roadmap 1.Definitions 2.Constructions & Applications 3.Conclusions
49 Conclusion First (useful) standard model assumptions on permutations Applications psprps Constructions
50 (Some) open questions More on psprps: - More efficient constructions from UCEs? - Weaker assumptions? - Cryptanalysis? ps-pseudorandomness as a paradigm: - UCE = psprf - Applications of psx? Beyond psprps: - Simpler assumptions on permutations? Is SHA-3 a CRHF under any non-trivial assumption?
51 Thank you! Paper on eprint really soon For now:
Public-seed Pseudorandom Permutations EUROCRYPT 2017
Public-seed Pseudorandom Permutations Pratik Soni UC Santa Barbara Stefano Tessaro UC Santa Barbara EUROCRYPT 2017 Cryptographic schemes often built from generic building blocks Cryptographic schemes often
More informationPublic-Seed Pseudorandom Permutations
Public-Seed Pseudorandom Permutations Pratik Soni and Stefano Tessaro University of California, Santa Barbara {pratik soni,tessaro}@cs.ucsb.edu Abstract. A number of cryptographic schemes are built from
More informationThe Random Oracle Model and the Ideal Cipher Model are Equivalent
The Random Oracle Model and the Ideal Cipher Model are Equivalent Jean-ébastien Coron 1, Jacques Patarin 2, and Yannick eurin 2,3 (1) Univ. Luxembourg, (2) Univ. Versailles, (3)Orange Labs éminaire EN
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationReset Indifferentiability and its Consequences
Reset Indifferentiability and its Consequences ASIACRYPT 2013 Paul Baecher, Christina Brzuska, Arno Mittelbach Tel Aviv University & Darmstadt University of Technology; supported by DFG Heisenberg and
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationBuilding Secure Block Ciphers on Generic Attacks Assumptions
Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin University of Versailles and Orange Labs SAC 2008 August 14-15, 2008 the context security of symmetric primitives
More informationEx1 Ex2 Ex3 Ex4 Ex5 Ex6
Technische Universität München (I7) Winter 2012/13 Dr. M. Luttenberger / M. Schlund Cryptography Endterm Last name: First name: Student ID no.: Signature: If you feel ill, let us know immediately. Please,
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationAn introduction to Hash functions
An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27
More informationLimits on the Efficiency of One-Way Permutation-Based Hash Functions
Limits on the Efficiency of One-Way Permutation-Based Hash Functions Jeong Han Kim Daniel R. Simon Prasad Tetali Abstract Naor and Yung show that a one-bit-compressing universal one-way hash function (UOWHF)
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationProvable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More informationCodes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More informationBreaking Symmetric Cryptosystems Using Quantum Algorithms
Breaking Symmetric Cryptosystems Using Quantum Algorithms Gaëtan Leurent Joined work with: Marc Kaplan Anthony Leverrier María Naya-Plasencia Inria, France FOQUS Workshop Gaëtan Leurent (Inria) Breaking
More informationFoundation of Cryptography, Lecture 4 Pseudorandom Functions
Foundation of Cryptography, Lecture 4 Pseudorandom Functions Handout Mode Iftach Haitner, Tel Aviv University Tel Aviv University. March 11, 2014 Iftach Haitner (TAU) Foundation of Cryptography March 11,
More informationLecture 11: Hash Functions, Merkle-Damgaard, Random Oracle
CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review Collision-Resistant Hash Functions
More informationnon-trivial black-box combiners for collision-resistant hash-functions don t exist
non-trivial black-box combiners for collision-resistant hash-functions don t exist Krzysztof Pietrzak (CWI Amsterdam) Eurocrypt May 21 2007 black-box combiners [H05,HKNRR05,PM06,BB06] C is a secure combiner
More informationSecurity Under Key-Dependent Inputs
Security Under Key-Dependent Inputs Shai Halevi Hugo Krawczyk IBM T.J. Watson Research Center shaih@alum.mit.edu, hugo@ee.technion.ac.il August 13, 2007 Abstract In this work we re-visit the question of
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More informationMessage Authentication Codes from Unpredictable Block Ciphers
Message Authentication Codes from Unpredictable Block Ciphers Yevgeniy Dodis John Steinberger July 9, 2009 Abstract We design an efficient mode of operation on block ciphers, SS-NMAC. Our mode has the
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More informationFeistel Networks made Public, and Applications
Feistel Networks made Public, and Applications Yevgeniy Dodis Prashant Puniya February 11, 2007 Abstract Feistel Network, consisting of a repeated application of the Feistel Transform, gives a very convenient
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationMessage Authentication Codes from Unpredictable Block Ciphers
Message Authentication Codes from Unpredictable Block Ciphers Yevgeniy Dodis 1 and John Steinberger 2 1 Department of Computer Science, New York University. dodis@cs.nyu.edu 2 Department of Mathematics,
More informationHash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34
Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:
More informationProvable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More informationOn the Security of Hash Functions Employing Blockcipher Post-processing
On the Security of Hash Functions Employing Blockcipher Post-processing Donghoon Chang 1, Mridul Nandi 2, Moti Yung 3 1 National Institute of Standards and Technology (NIST), USA 2 C R Rao AIMSCS, Hyderabad,
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationCOS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7
COS 597C: Recent Developments in Program Obfuscation Lecture 7 10/06/16 Lecturer: Mark Zhandry Princeton University Scribe: Jordan Tran Notes for Lecture 7 1 Introduction In this lecture, we show how to
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More information10-Round Feistel is Indifferentiable from an Ideal Cipher
10-Round Feistel is Indifferentiable from an Ideal Cipher Dana Dachman-Soled Jonathan Katz Aishwarya Thiruvengadam September 8, 2015 Abstract We revisit the question of constructing an ideal cipher from
More informationKnown and Chosen Key Differential Distinguishers for Block Ciphers
1/19 Known and Chosen Key Differential Distinguishers for Block Ciphers Josef Pieprzyk joint work with Ivica Nikolić, Przemys law Soko lowski, and Ron Steinfeld ASK 2011, August 29-31, 2011 2/19 Outline
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Last Time Hardcore Bits Hardcore Bits Let F be a one- way function with domain x, range y Definition: A function h:xà {0,1} is
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationSimple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)
Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Henry Ng Henry.Ng.a@gmail.com Abstract. A new cryptographic pseudorandom number generator Cilia is presented. It hashes
More informationInaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions
Columbia University - Crypto Reading Group Apr 27, 2011 Inaccessible Entropy and its Applications Igor Carboni Oliveira We summarize the constructions of PRGs from OWFs discussed so far and introduce the
More informationProvable Security of Cryptographic Hash Functions
Provable Security of Cryptographic Hash Functions Mohammad Reza Reyhanitabar Centre for Computer and Information Security Research University of Wollongong Australia Outline Introduction Security Properties
More informationDesign Paradigms for Building Multi-Property Hash Functions
Design Paradigms or Building Multi-Property Hash Functions Thomas Ristenpart UCSD Security and Cryptography Lab Lorentz Workshop June, 2008 Multi-property hash unctions One hash unction with many security
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Davies-Meyer Hashes in Practice Hash
More informationContention in Cryptoland: Obfuscation, Leakage and UCE
Contention in Cryptoland: Obfuscation, Leakage and UCE Mihir Bellare 1, Igors Stepanovs 2, and Stefano Tessaro 3 1 Department of Computer Science and Engineering, University of California San Diego, USA.
More informationStream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida
Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits
More informationG /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008
G22.3210-001/G63.2170 Introduction to Cryptography November 4, 2008 Lecture 10 Lecturer: Yevgeniy Dodis Fall 2008 Last time we defined several modes of operation for encryption. Today we prove their security,
More informationBootstrapping Obfuscators via Fast Pseudorandom Functions
Bootstrapping Obfuscators via Fast Pseudorandom Functions Benny Applebaum October 26, 2013 Abstract We show that it is possible to upgrade an obfuscator for a weak complexity class WEAK into an obfuscator
More informationInstantiating Random Oracles via UCEs
A preliminary version of this paper appears in the proceedings of CRYPTO 2013. This is a revised and updated full version, available as IACR Cryptology eprint Archive Report 2013/424. Instantiating Random
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,
More informationQuantum Differential and Linear Cryptanalysis
Quantum Differential and Linear Cryptanalysis Marc Kaplan 1,2 Gaëtan Leurent 3 Anthony Leverrier 3 María Naya-Plasencia 3 1 LTCI, Télécom ParisTech 2 School of Informatics, University of Edinburgh 3 Inria
More informationCryptanalysis of a Message Authentication Code due to Cary and Venkatesan
Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,
More informationRandomness-Dependent Message Security
Randomness-Dependent Message Security Eleanor Birrell Kai-Min Chung Rafael Pass Sidharth Telang December 28, 2012 Abstract Traditional definitions of the security of encryption schemes assume that the
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationSecurity of Permutation-based Compression Function lp231
Security of Permutation-based Compression Function lp231 Jooyoung Lee 1 and Daesung Kwon 2 1 Sejong University, Seoul, Korea, jlee05@sejong.ac.kr 2 The Attached Institute of Electronics and Telecommunications
More informationThe Generalized Randomized Iterate and its Application to New Efficient Constructions of UOWHFs from Regular One-Way Functions
The Generalized Randomized Iterate and its Application to New Efficient Constructions of UOWHFs from Regular One-Way Functions Scott Ames 1, Rosario Gennaro 2, and Muthuramakrishnan Venkitasubramaniam
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang
More informationExtending Oblivious Transfers Efficiently
Extending Oblivious Transfers Efficiently Yuval Ishai Technion Joe Kilian Kobbi Nissim Erez Petrank NEC Microsoft Technion Motivation x y f(x,y) How (in)efficient is generic secure computation? myth don
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationOn High-Rate Cryptographic Compression Functions
On High-Rate Cryptographic Compression Functions Richard Ostertág and Martin Stanek Department o Computer Science Faculty o Mathematics, Physics and Inormatics Comenius University Mlynská dolina, 842 48
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which
More informationQuantum-secure symmetric-key cryptography based on Hidden Shifts
Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering
More informationPerfectly-Crafted Swiss Army Knives in Theory
Perfectly-Crafted Swiss Army Knives in Theory Workshop Hash Functions in Cryptology * supported by Emmy Noether Program German Research Foundation (DFG) Hash Functions as a Universal Tool collision resistance
More informationBuilding Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions
Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions Akinori Hosoyamada and Kan Yasuda NTT Secure Platform Laboratories, 3-9-, Midori-cho Musashino-shi,
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationLecture 2: Program Obfuscation - II April 1, 2009
Advanced Topics in Cryptography Lecture 2: Program Obfuscation - II April 1, 2009 Lecturer: S. Goldwasser, M. Naor Scribe by: R. Marianer, R. Rothblum Updated: May 3, 2009 1 Introduction Barak et-al[1]
More informationReset Indifferentiability and its Consequences
Reset Indifferentiability and its Consequences Paul Baecher 1 Christina Brzuska 2 Arno Mittelbach 1 1 Darmstadt University of Technology, Germany www.cryptoplexity.de 2 Tel-Aviv University, Israel www.christinabrzuska.de
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationTowards RSA-OAEP without Random Oracles
Towards RSA-OAEP without Random Oracles Nairen Cao 1 Adam O Neill 2 Mohammad Zaheri 3 November 28, 2018 In Memoriam: John C. O Neill (1953 2018). Abstract We give the first positive results about instantiability
More informationConstant-round Leakage-resilient Zero-knowledge from Collision Resistance *
Constant-round Leakage-resilient Zero-knowledge from Collision Resistance * Susumu Kiyoshima NTT Secure Platform Laboratories, Tokyo, Japan kiyoshima.susumu@lab.ntt.co.jp August 20, 2018 Abstract In this
More informationIndifferentiability of Iterated Even-Mansour Ciphers with Non-Idealized Key-Schedules: Five Rounds are Necessary and Sufficient
Indifferentiability of Iterated Even-Mansour Ciphers with Non-Idealized Key-Schedules: Five Rounds are Necessary and Sufficient Yuanxi Dai, Yannick Seurin, John Steinberger, and Aishwarya Thiruvengadam
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously Digital Signatures Algorithms: Gen() à (sk,pk) Sign(sk,m) à σ Ver(pk,m,σ) à 0/1 Correctness: Pr[Ver(pk,m,Sign(sk,m))=1:
More informationOn Quantum Indifferentiability
On Quantum Indifferentiability Tore Vincent Carstens, Ehsan Ebrahimi, Gelo Noel Tabia, and Dominique Unruh University of Tartu, Estonia March 8, 2018 Abstract We study the indifferentiability of classical
More informationMESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1
MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified
More informationCOS598D Lecture 3 Pseudorandom generators from one-way functions
COS598D Lecture 3 Pseudorandom generators from one-way functions Scribe: Moritz Hardt, Srdjan Krstic February 22, 2008 In this lecture we prove the existence of pseudorandom-generators assuming that oneway
More informationPublic-Key Encryption
Public-Key Encryption 601.642/442: Modern Cryptography Fall 2017 601.642/442: Modern Cryptography Public-Key Encryption Fall 2017 1 / 14 The Setting Alice and Bob don t share any secret Alice wants to
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationDomain Extension of Public Random Functions: Beyond the Birthday Barrier
Domain Extension of Public Random Functions: Beyond the Birthday Barrier Ueli Maurer Stefano Tessaro Department of Computer Science ETH Zurich 8092 Zurich, Switzerland {maurer,tessaros}@inf.ethz.ch Abstract
More informationAnalysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes
Analysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes Alexandra Boldyreva 1 and Marc Fischlin 2 1 College of Computing, Georgia Institute of Technology, 801 Atlantic Drive,
More informationFrom Non-Adaptive to Adaptive Pseudorandom Functions
From Non-Adaptive to Adaptive Pseudorandom Functions Itay Berman Iftach Haitner January, 202 Abstract Unlike the standard notion of pseudorandom functions (PRF), a non-adaptive PRF is only required to
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationOptimal Constructions of Universal One-way Hash Functions from Special One-way Functions!
1896 1920 1987 2006 Optimal Constructions of Universal One-way Hash Functions from Special One-way Functions Yu Yu 1, Dawu Gu 1, Xiangxue Li 2, Jian Weng 3 1 Shanghai Jiao Tong University, China 2 East
More informationHash-based signatures & Hash-and-sign without collision-resistance
Hash-based signatures & Hash-and-sign without collision-resistance Andreas Hülsing 22.12.2016 Hash-based Signature Schemes [Mer89] Post quantum Only secure hash function Security well understood Fast 22-12-2016
More informationDan Boneh. Stream ciphers. The One Time Pad
Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationLecture 1. Crypto Background
Lecture 1 Crypto Background This lecture Crypto background hash functions random oracle model digital signatures and applications Cryptographic Hash Functions Hash function takes a string of arbitrary
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationScribe for Lecture #5
CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationLecture 13: Private Key Encryption
COM S 687 Introduction to Cryptography October 05, 2006 Instructor: Rafael Pass Lecture 13: Private Key Encryption Scribe: Ashwin Machanavajjhala Till this point in the course we have learnt how to define
More informationInformation-theoretic Secrecy A Cryptographic Perspective
Information-theoretic Secrecy A Cryptographic Perspective Stefano Tessaro UC Santa Barbara WCS 2017 April 30, 2017 based on joint works with M. Bellare and A. Vardy Cryptography Computational assumptions
More information