Perfectly-Crafted Swiss Army Knives in Theory
1 Perfectly-Crafted Swiss Army Knives in Theory
Workshop Hash Functions in Cryptology
Supported by the Emmy Noether Program of the German Research Foundation (DFG)

2 Hash Functions as a Universal Tool
One hash function is expected to provide: collision resistance, (second) preimage resistance, a pseudorandom generator, a pseudorandom function, key derivation.

3 NIST's Request for Candidates
Besides standard security requirements, candidates will be compared for security for
Source: Federal Register, Vol. 72, No. 212, November 2nd, 2007

4 Another View on Swiss Army Knives
Collision resistance, pseudorandom generator, (second) preimage resistance, pseudorandom function, key derivation, and more.

5 Theme of the Talk
What are the properties my hash function should have?
What are the non-standard properties needed in standard applications?

6 Agenda
Fiat-Shamir transformation; OAEP; HMAC and RMX; Summary

Fiat-Shamir Transformation

7 Fiat-Shamir Transformation, 1986
Public: p, g, q and y; hash function H. Alice knows x ∈ Z_q such that y = g^x mod p.
Interactive protocol between Alice (prover) and Bob (verifier):
Alice: choose r ← Z_q, compute R = g^r mod p, send R.
Bob: choose c ← Z_q, send c.
Alice: compute t = r − c·x mod q, send t.
Bob: check correctness, i.e. R = g^t · y^c mod p.
Fiat-Shamir signature on a message m: Alice replaces Bob's random challenge by c = H(R, m); the signature is (R, t).

8 Security of the Fiat-Shamir Transformation
Same computation, with c = H(R, m) and signature (R, t).
Pointcheval, Stern, 1996: the signature scheme is existentially unforgeable under adaptive chosen message attacks (under the DL assumption) in the random oracle model of Bellare, Rogaway.

9 Insufficient Hash Function Properties
Collision resistance is not enough!
Suppose H(R, m) = 00...0 if R = 1 and m = m_0, and H(R, m) = 1‖H'(R, m) otherwise. Any collision of H is a collision of H', so H is collision resistant whenever H' is. Yet (R, t) = (1, 0) is a valid signature for m_0: with c = H(1, m_0) = 0 the check R = g^t · y^c = g^0 · y^0 = 1 passes.
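The signature of slide 7 and the counterexample of slide 9 side by side, as an added example written for this page (not code from the talk). It uses a toy safe-prime group p = 2039, q = 1019, g = 4 chosen here and SHA-256 as the "good" H'; both are assumptions of the example, and the group is far too small for real use, but the point about the hash function does not depend on the group size.

```python
"""Fiat-Shamir (Schnorr-style) signatures over a toy prime-order group, plus the
collision-resistant-but-useless hash from slide 9."""
import hashlib
import secrets

# Toy parameters chosen for this example: p = 2q + 1 is a safe prime and
# g = 4 generates the subgroup of order q in Z_p^*.
P, Q, G = 2039, 1019, 4


def keygen():
    x = secrets.randbelow(Q - 1) + 1        # secret x in Z_q, nonzero
    return x, pow(G, x, P)                  # (x, y = g^x mod p)


def good_hash(R, m):
    """H(R, m) = SHA-256 over the encoded commitment R and the message m."""
    return int.from_bytes(hashlib.sha256(R.to_bytes(4, "big") + m).digest(), "big")


def make_bad_hash(m0):
    """Slide 9's H: 0 if R = 1 and m = m0, else 1 || H'(R, m) with H' = SHA-256.
    A collision of H is a collision of H', so H is as collision resistant as
    SHA-256, yet it makes Fiat-Shamir forgeable for the message m0."""
    def H(R, m):
        if R == 1 and m == m0:
            return 0
        return (1 << 256) | good_hash(R, m)
    return H


def sign(H, x, m, r=None):
    """Signature (R, t) with R = g^r, c = H(R, m) mod q, t = r - c*x mod q.
    r must be fresh and uniform; the parameter exists only for deterministic tests."""
    if r is None:
        r = secrets.randbelow(Q)
    R = pow(G, r, P)
    c = H(R, m) % Q
    return R, (r - c * x) % Q


def verify(H, y, m, sig):
    """Accept iff R = g^t * y^c mod p for c = H(R, m) mod q."""
    R, t = sig
    if not (1 <= R < P and 0 <= t < Q):
        return False
    c = H(R, m) % Q
    return R == pow(G, t, P) * pow(y, c, P) % P


def forge():
    """The forgery from slide 9: (R, t) = (1, 0), computed without any secret.
    Under the bad H the challenge is c = H(1, m0) = 0 and Bob checks 1 = g^0 * y^0."""
    return 1, 0
```

Under the bad H honest signatures still verify, so nothing in the scheme's functional behaviour reveals the problem; only the choice of H decides whether (1, 0) is accepted for m_0.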
10 Hash Function Properties for Fiat-Shamir
Sufficient properties for H to make Fiat-Shamir secure?
Goldwasser, Tauman Kalai, 2003: no efficient hash function will do the job (for all protocols)!

11 Idea of the Impossibility Result of Goldwasser-Kalai
Modified protocol: Alice sends R together with Com = commitment to a short program P (supposedly computing c from R and Com). Bob chooses c ← Z_q. Alice then either answers with t = r − c·x mod q or decommits to P to show that the program does compute c. Bob accepts if (R, c, t) is valid or P(R, Com) = c.

12 GK Modification Preserves Interactive Security
In the interactive protocol the challenge c is random, so a malicious Alice cannot really use the alternative strategy (committing to a program that predicts c) to make Bob accept.

13 ... and of Fiat-Shamir with Random Oracles
Signature version: Com = commitment to some program P, c = H(R, Com, m), t = r − c·x mod q; Alice sends (R, Com, t) and reveals P. Bob accepts if (R, c, t) is valid or P(R, Com) = c for c = H(R, Com, m).
In the random oracle model this is still a secure signature scheme.

14 ... but Not of Fiat-Shamir without Random Oracles!
Instantiate H with an efficiently computable function, say SHA1. A malicious Alice picks a message m and arbitrary R, t and sets Com = commitment to the program P(·,·) = SHA1(·,·,m). She sends (R, Com, t) and decommits to SHA1(·,·,m). Bob computes c = SHA1(R, Com, m) and accepts because P(R, Com) = c. So Alice can easily use the alternative strategy and forge signatures.

15 Properties for Special Fiat-Shamir Protocols?
The result by Goldwasser-Kalai is for an artificial protocol; still some hope for common cases (DL, RSA, ...).

16 Seed Incompressibility (Halevi, Myers, Rackoff, 2008)
s = hash function description (key) of f_s(·). Game: the adversary first outputs compress(s), a string shorter than s; given only compress(s), it then outputs x_1, x_2, ..., f_s(x_1), f_s(x_2), ... satisfying some evasive relation. Seed incompressibility: Pr[success] ≈ 0.
Example, collision resistance: compress(s) = a collision x_1 ≠ x_2 with |x_1| + |x_2| < |s|; relation = check x_1 ≠ x_2 and f_s(x_1) = f_s(x_2).

17 Seed Incompressibility and Fiat-Shamir
In the protocol, c = f_s(pk, R). compress(s) = (pk, R, t) such that |(pk, R, t)| < |s|; relation = parse x_1 = (pk, R), x_2 = t, c = f_s(x_1), and check that Bob accepts (pk, R, c, t).

18 Seed Incompressibility and the GK Separation
The GK forgery (Com = commitment to P(·,·) = SHA1(·,·,m), decommit, Bob accepts because P(R, Com) = c) does not contradict seed incompressibility: there, the communication (R, Com, t) is longer than |s|, so it is no compression of the seed.

19 Limitations of Seed Incompressibility
Only gives a non-interactive zero-knowledge argument, not a proof of knowledge, as required for signatures.
Can only be used once securely.
Do seed-incompressible functions exist???

20 Summary Fiat-Shamir Methodology
No (efficient) hash function works for all protocols.
Situation for common protocols (DL, RSA, ...) unclear.
Seed incompressibility: nice property, maybe useful elsewhere.

21 Agenda
Fiat-Shamir transformation; OAEP; HMAC and RMX; Summary

OAEP

22 OAEP Encryption (Bellare, Rogaway, 1994)
Ciphertext C of message m: pad the message to m‖0^k and pick a random string r; s = G(r) ⊕ (m‖0^k); t = H(s) ⊕ r; C = f(s‖t) for a trapdoor permutation f.

23 OAEP Decryption
s‖t = f^{-1}(C); r = H(s) ⊕ t; m‖z = G(r) ⊕ s; check z = 0^k? Reject if not, otherwise output m.

24 Security of OAEP
History: [BR94], [S01], [FOPS01].
Fujisaki, Okamoto, Pointcheval, Stern [FOPS01]: OAEP is IND-CCA2 secure if G, H are modeled as random oracles and f is a partial one-way trapdoor permutation.

25 Partial One-Wayness
Partial one-wayness: hard to recover parts of s‖t from f(s‖t).
OAEP is also IND-CCA2 if f is applied to the s-part only (f = g‖ID for a trapdoor permutation g), i.e. C = f(s)‖t; likewise if f is applied to s without its k least significant bits, which then go out in the clear as lsb_k G(r) (the low k bits of m‖0^k are zero).

26 Necessary Properties for G and H?
Both should be good pseudorandom generators.
Necessary for both: some kind of non-malleability (or, make assumptions about f). Boldyreva, F, 2005.

27 Malleability: Idea
Changing the container carefully adjusts the content properly.

28 Malleability: Example
y = g^x mod p. Then y* = y·g mod p corresponds to x* = x + 1 mod q.

29 Non-Malleability
Non-malleability: having the container should not help to produce related content (same success probability with or without the container).

30 Non-Malleability of Hash Functions (see Boldyreva, Cash, F, Warinschi)
Adversary A, 1st stage: chooses a distribution; x is sampled from it and A receives y = h(x). 2nd stage: A transforms y into y*; then, given x, A transforms it into x* such that y* = h(x*) and x, x* satisfy some relation.

31 Non-Malleability of Hash Functions II
Non-malleability: for any A there is a simulator S such that Pr[A wins] ≈ Pr[S wins], where S chooses the distribution, outputs y* immediately (without seeing y) and then, given x, outputs x* such that y* = h(x*) and x, x* satisfy the relation.

32 Non-Malleability for G is Necessary
Assume f and G are xor-malleable: f(x ⊕ δ) = f(x) ⊕ Δ and G(x ⊕ δ') = G(x) ⊕ Δ'. Take OAEP with such f and G and a ciphertext C = f(s‖t) of m. Flip a bit in C that affects only t: this flips a bit of r = H(s) ⊕ t and hence, by malleability of G, known bits of G(r) ⊕ s = m‖0^k. If the affected bits lie in the m-part, this yields a valid ciphertext C* for some m* ≠ m, so OAEP is not IND-CCA2.

33 Towards a Sufficient Condition for G (Boldyreva, F, 2006)
OAEP (for random oracle H) is IND-CCA2 if G is a near-collision resistant pseudorandom generator, f applied to the s-part is one-way, and the t-part is output in the clear: C = f(s)‖t.
Near-collision resistant: if r ≠ r*, then lsb_k G(r) ≠ lsb_k G(r*).

34 Why Near-Collision Resistance Helps
Recall the attack if G is xor-malleable: s* = s, but distinct r* ≠ r. With near-collision resistance of G, lsb_k G(r*) ≠ lsb_k G(r), so some bits of the redundancy 0^k are flipped to 1 and the derived ciphertext is invalid.
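The variant of slide 33 (f on the s-part only, t in the clear) with both the bit-flip attack of slide 32 and the near-collision-resistance defence of slide 34, as an added example written for this page (not code from the talk or the papers). Assumptions made here: a toy RSA permutation on the 80-bit s-part built from two Mersenne primes (trivially factorable, illustration only), SHA-256 in counter mode as the random-oracle stand-in for H and for the near-collision resistant G, and a deliberately xor-malleable G that xors the top 16 bits of r straight into the m-part of its output. That malleable G is still a pseudorandom generator on a uniform seed, which is exactly why pseudorandomness alone cannot be the right requirement.

```python
"""OAEP with C = f(s) || t, two choices of G, and the bit-flip attack of slide 32."""
import hashlib

M_BITS, K, K0 = 16, 64, 64      # |m|, redundancy 0^k, |r|
S_BITS = M_BITS + K             # |s| = 80
R1_BITS = M_BITS                # top bits of r that the malleable G copies into the m-part

# Toy trapdoor permutation f on the s-part: textbook RSA with Mersenne primes (example only).
_P, _Q = (1 << 61) - 1, (1 << 31) - 1
N = _P * _Q                     # about 2^92 > 2^80, so every s is a valid RSA input
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))


def f(s):
    return pow(s, E, N)


def f_inv(c):
    return pow(c, D, N)


def _prf(tag, x, nbytes):
    """SHA-256 in counter mode, domain-separated by tag: the random-oracle stand-in."""
    out, ctr = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(tag + x.to_bytes(16, "big") + bytes([ctr])).digest()
        ctr += 1
    return int.from_bytes(out[:nbytes], "big")


def H(s):
    return _prf(b"H", s, K0 // 8)


def G_ncr(r):
    """Near-collision resistant G: the low k bits of G(r) depend on all of r, so
    r != r* gives lsb_k G(r) != lsb_k G(r*) except with probability about 2^-k."""
    return _prf(b"G", r, S_BITS // 8)


def G_malleable(r):
    """Still a PRG on uniform r, but xor-malleable: flipping one of the top R1_BITS
    bits of r flips exactly one bit in the m-part of G(r) and nothing in lsb_k G(r)."""
    r1, r2 = r >> (K0 - R1_BITS), r & ((1 << (K0 - R1_BITS)) - 1)
    return _prf(b"G", r2, S_BITS // 8) ^ (r1 << K)


def encrypt(G, m, r):
    """C = (f(s), t) with s = (m || 0^k) xor G(r) and t = H(s) xor r; r must be uniform."""
    assert 0 <= m < (1 << M_BITS) and 0 <= r < (1 << K0)
    s = (m << K) ^ G(r)
    t = H(s) ^ r
    return f(s), t


def decrypt(G, C):
    c1, t = C
    s = f_inv(c1)
    r = H(s) ^ t
    u = G(r) ^ s
    if u & ((1 << K) - 1):      # redundancy check: the low k bits must be 0^k
        return None
    return u >> K


def maul(C, j):
    """Slide 32's attack: flip one bit of r through t alone; f(s) is untouched."""
    c1, t = C
    return c1, t ^ (1 << (K0 - R1_BITS + j))
```

With G_malleable the mauled ciphertext decrypts to m with bit j flipped, a clean IND-CCA2 break; with G_ncr the same flip changes r, hence lsb_k G(r), and the redundancy check rejects.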
35 Towards a Secure Full Instantiation
Dependency problem: s = (m‖0^k) ⊕ G(r) is the input to H, and H(s) masks r in t = H(s) ⊕ r.
Idea 1: assume m random.
Idea 2: output lsb_k G(r) in the clear and incorporate a trapdoor into G that allows to recover r (can be built from standard assumptions).

36 Security of the Full Instantiation
The full instantiation of OAEP is OW-CPA (one-way for random messages) if H is a non-malleable pseudorandom generator, G is a near-collision resistant trapdoor pseudorandom generator, and f applied to the s-part only is one-way (with lsb_k G(r) and t output in the clear).
Bleichenbacher's attack on PKCS #1 v1.5 doesn't work.

37 Summary for OAEP
Non-malleability is necessary for the hash functions (for G the special case near-collision resistance), and partly also sufficient.
The notion of non-malleability is hard to check for designers ("for any adversary there is a simulator").

38 Summary for OAEP (cont.)
Relaxed non-malleability notion: for some non-trivial distribution, the adversary gets y = H(x), outputs δ, Δ ≠ 0 and wins if y ⊕ Δ = H(x ⊕ δ).
Unfortunately: non-malleability of the compression function does not imply non-malleability of the hash function.

39 Agenda
Fiat-Shamir transformation; OAEP; HMAC and RMX; Summary

HMAC and RMX

40 HMAC and NMAC: Technically (Bellare, Canetti, Krawczyk, 1996)
Given a hash function H with compression function h; m_1 m_2 ... m_n are the blocks of the padded message.
h_iter(k_in, m_1 ... m_n): iterate h over the blocks, starting from chaining value k_in.
NMAC(k_in, k_out, M) = h(k_out, h_iter(k_in, M)) (also add padding), with k_in, k_out random.
HMAC(k, M): the same with k_in = h(IV, k ⊕ ipad) and k_out = h(IV, k ⊕ opad).
What are the requirements on the compression function?

41 Security without Collision Resistance (PRF), Bellare, 2006
Requirements on h: computationally almost universal (cau) for the inner iteration, pseudorandom function (PRF) for the keyed calls. If h is cau and a PRF, then NMAC is a PRF.

42 Security without Collision Resistance (MAC)
If h is cau and a privacy-preserving MAC (ppmac), then NMAC is a MAC.

43 NMAC: Assumptions and Implications
assumption on h | level of security | publication
wcr, PRF | PRF | [BCK96]
wcr, MAC | MAC | [BCK96]
cau, PRF | PRF | [B06]
cau, ppmac | MAC | [B06]
PRF = pseudorandom function; wcr = weakly collision resistant; MAC = message authentication code; cau = computationally almost universal; ppmac = privacy-preserving MAC. (Note: PRF ⇒ MAC, ppmac, cau.)

44 NMAC: Assumptions and Implications (cont.)
One more row for the table above:
non-malleable, unpredictable | MAC | [F08]

45 Unpredictability of the Compression Function
1. Adversary B chooses y and m_1 ... m_n.
2. A secret key k is picked.
3. B wins if y = h_iter(k, m_1 ... m_n).
Unpredictability: Pr[B wins] ≈ 0 for any B.

46 Non-Malleability + Unpredictability ⇒ MAC
The adversary obtains tags t_i = NMAC(k_in, k_out, M_i) for messages M_i of its choice and must output a new M with a valid tag t.
Non-malleability: the "containers" t_i do not help producing t.
Unpredictability: predicting NMAC from scratch is infeasible.

47 Relationship of Notions (compression function)
PRF implies ppmac, and PRF implies non-malleable + unpredictable (for the HMAC case); neither implication holds in reverse in general. ppmac and non-malleable + unpredictable are incomparable.

48 Weaker Assumption Interesting?
The compression function should be a good PRF anyway, hence it would also be non-malleable + unpredictable.
Verifying the simpler properties is still useful: a safety net, an advantage of the hash function, and possibly easier to check.

49 Randomized Hashing and RMX (Halevi, Krawczyk, 2006)
Idea: add a random salt to the hash in hash-and-sign schemes. A random salt r (fresh for each signing) and the message m give H_r(m), which is signed; the signature includes r.
Goal: relax the assumption about collision resistance of H.

50 Enhanced Target Collision Resistance (eTCR)
Collision resistance: infeasible to find M ≠ M* with H(M) = H(M*).
eTCR: infeasible to first choose M, then receive a random r, and find (M, r) ≠ (M*, r*) with H_r(M) = H_{r*}(M*).

51 RMX
The hash function H_r(m) = H(r, r ⊕ m_1, r ⊕ m_2, ..., r ⊕ m_n) is eTCR if the compression function is one-way and chosen second-preimage resistant (c-SPR).
c-SPR: infeasible to win the following game: receive a random m, find c, c*, m* such that (c, m) ≠ (c*, m*) and h(c, m) = h(c*, m*).
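The constructions of slide 40 (NMAC, and HMAC as NMAC with derived keys) and slide 51 (RMX) over one Merkle-Damgård iteration, as an added example written for this page (not code from the talk or the papers). Assumptions made here: the compression function h is a toy built from SHA-256 over the concatenated chaining value and block, not SHA-256's own compression function; the block and chaining sizes are 64 and 32 bytes; and RMX pads the message to a block boundary with 0x80 and zeros, an encoding chosen for this example rather than the one fixed by the standard. The HMAC cross-check shows the one detail the slide hides behind "also add padding": inside HMAC the inner and outer length fields count the key block as well.

```python
"""Merkle-Damgard iteration over a toy compression function, then NMAC, HMAC and RMX on top."""
import hashlib
import secrets

BLOCK = 64            # bytes per message block m_i
CHAIN = 32            # bytes of chaining value and output
IV = bytes(CHAIN)
IPAD, OPAD = 0x36, 0x5C


def h(c, m):
    """Toy compression function h: {0,1}^256 x {0,1}^512 -> {0,1}^256 (example only)."""
    assert len(c) == CHAIN and len(m) == BLOCK
    return hashlib.sha256(c + m).digest()


def pad(M, prefix_len=0):
    """MD strengthening: 0x80, zeros to a block boundary, 8-byte big-endian bit length.
    prefix_len makes the length field count bytes hashed before M, which is what
    H((k xor ipad) || M) does with its key block."""
    bit_len = ((prefix_len + len(M)) * 8).to_bytes(8, "big")
    body = M + b"\x80"
    body += b"\x00" * ((-len(body) - 8) % BLOCK)
    return body + bit_len


def blocks(P):
    assert len(P) % BLOCK == 0
    return [P[i:i + BLOCK] for i in range(0, len(P), BLOCK)]


def h_iter(c, P):
    """Iterate h over the blocks of the (already padded) input from chaining value c."""
    for m_i in blocks(P):
        c = h(c, m_i)
    return c


def H(M):
    """Plain Merkle-Damgard hash H(M) = h_iter(IV, pad(M))."""
    return h_iter(IV, pad(M))


def nmac(k_in, k_out, M):
    """NMAC(k_in, k_out, M) = h(k_out, pad(h_iter(k_in, pad(M)))) with random chaining keys."""
    inner = h_iter(k_in, pad(M))
    return h_iter(k_out, pad(inner))


def hmac_keys(k):
    """HMAC's derived NMAC keys: k_in = h(IV, k xor ipad), k_out = h(IV, k xor opad)."""
    assert len(k) <= BLOCK
    k = k.ljust(BLOCK, b"\x00")
    return (h(IV, bytes(b ^ IPAD for b in k)), h(IV, bytes(b ^ OPAD for b in k)))


def hmac_via_nmac(k, M):
    """HMAC computed as NMAC with derived keys; the only difference from nmac() is
    that both length fields also count the key block that was absorbed first."""
    k_in, k_out = hmac_keys(k)
    inner = h_iter(k_in, pad(M, BLOCK))
    return h_iter(k_out, pad(inner, BLOCK))


def hmac_direct(k, M):
    """Textbook formula H((k xor opad) || H((k xor ipad) || M)) for cross-checking."""
    k = k.ljust(BLOCK, b"\x00")
    inner = H(bytes(b ^ IPAD for b in k) + M)
    return H(bytes(b ^ OPAD for b in k) + inner)


def rmx(r, M):
    """RMX randomized hash H_r(M) = H(r, r xor m_1, ..., r xor m_n).
    The salt block r goes in front in the clear so a verifier can recompute H_r."""
    assert len(r) == BLOCK
    M_blocks = M + b"\x80"
    M_blocks += b"\x00" * (-len(M_blocks) % BLOCK)
    masked = b"".join(bytes(a ^ b for a, b in zip(r, m_i)) for m_i in blocks(M_blocks))
    return H(r + masked)


def fresh_salt():
    """A fresh salt per signature is what eTCR needs: r must be chosen after M."""
    return secrets.token_bytes(BLOCK)
```

In hash-and-sign the signer computes r = fresh_salt() only after it has seen M, signs rmx(r, M) and ships r alongside the signature; an attacker who prepared M* before learning r gets no use out of an offline collision for H.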
52 Summary
A good compression function should be a PRF and CR; this is sufficient for HMAC and (randomized) hash-and-sign.
The weaker requirements (NM and c-SPR) are still interesting.

53 Agenda
Fiat-Shamir transformation; OAEP; HMAC and RMX; Summary

Summary

54 Other Applications
Key derivation based on HMAC: a PRF-like assumption on the compression function suffices (Dodis et al., Crypto 2004 / Fouque et al., AsiaCCS 2008).
FDH (full domain hash, see next talk) and RSA-PSS.

55 Other Applications (cont.)
Client puzzles: the server picks a random x and gives the client y = h(x) as well as x except for 20 bits; the client should return x. Assumption: hard to even find those 20 bits faster than exhaustive search.
Source: Federal Register, Vol. 72, No. 212, November 2nd, 2007
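Both sides of the client puzzle from slide 55, as an added example written for this page (not code from the talk). Assumptions made here: h is SHA-256 over an 8-byte encoding of x, the hidden bits are the low ones, and the number of hidden bits is a parameter (the slide's 20 bits cost about a million hash calls in pure Python, so tests use fewer).

```python
"""Hash-based client puzzle: reveal h(x) and all but `difficulty` bits of x."""
import hashlib
import secrets

X_BYTES = 8


def h(x):
    return hashlib.sha256(x.to_bytes(X_BYTES, "big")).digest()


def make_puzzle(difficulty=20):
    """Server: pick a random x, publish y = h(x) and x with its low `difficulty` bits
    cleared. The server keeps x so it can check the answer with a single comparison."""
    x = secrets.randbits(8 * X_BYTES)
    mask = (1 << difficulty) - 1
    puzzle = {"y": h(x), "x_hint": x & ~mask, "difficulty": difficulty}
    return x, puzzle


def solve_puzzle(puzzle):
    """Client: exhaustive search over the hidden bits, 2^difficulty hash calls at
    worst, half of that on average. Returns (x, number of hash calls) or (None, calls)."""
    y, base, difficulty = puzzle["y"], puzzle["x_hint"], puzzle["difficulty"]
    calls = 0
    for guess in range(1 << difficulty):
        calls += 1
        if h(base | guess) == y:
            return base | guess, calls
    return None, calls


def check_answer(x, answer):
    """Server: the puzzle is solved iff the client returned exactly x."""
    return answer == x
```

The server's cost is one hash and one comparison per puzzle while the client's grows with 2^difficulty, which is what makes the construction useful against resource-exhaustion; the security assumption on h is only that no shortcut beats exhaustive search on the hidden bits, far weaker than collision resistance.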
56 Applications and Properties
Applications: standard applications (like FIPS hash-and-sign), key derivation (SP A), SP (random bit generators), FIPS 198 (hash-based MACs), SP (randomized hashing), HMAC-PRF, other PRFs, OAEP, Fiat-Shamir.
Properties: collision resistance, preimage resistance, second preimage resistance, PRF (compression function), PRG (hash function), eTCR / c-SPR, PRF (hash function), non-malleability (compression function), non-malleability (hash function), seed incompressibility.

57 What's Left to Do?
Design hash functions with all properties.
Numerous theoretical questions still open, like: does a non-malleable compression function give a non-malleable hash function? Further applications of seed incompressibility?
Practical design guidelines for theoretical requirements, see c-SPR, non-malleability, seed incompressibility.

58 Thank You!
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #4 Sep 2 nd 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list Quiz #1 will be on Thursday, Sep 9 th
More informationMessage Authentication Codes from Unpredictable Block Ciphers
Message Authentication Codes from Unpredictable Block Ciphers Yevgeniy Dodis John Steinberger July 9, 2009 Abstract We design an efficient mode of operation on block ciphers, SS-NMAC. Our mode has the
More informationIntroduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes
Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 03 13 More
More informationTowards RSA-OAEP without Random Oracles
Towards RSA-OAEP without Random Oracles Nairen Cao 1 Adam O Neill 2 Mohammad Zaheri 3 November 28, 2018 In Memoriam: John C. O Neill (1953 2018). Abstract We give the first positive results about instantiability
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationSchnorr Signature. Schnorr Signature. October 31, 2012
. October 31, 2012 Table of contents Salient Features Preliminaries Security Proofs Random Oracle Heuristic PKS and its Security Models Hardness Assumption The Construction Oracle Replay Attack Security
More informationLecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers
1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and
More informationProvable Security of Cryptographic Hash Functions
Provable Security of Cryptographic Hash Functions Mohammad Reza Reyhanitabar Centre for Computer and Information Security Research University of Wollongong Australia Outline Introduction Security Properties
More informationMessage Authentication Codes from Unpredictable Block Ciphers
Message Authentication Codes from Unpredictable Block Ciphers Yevgeniy Dodis 1 and John Steinberger 2 1 Department of Computer Science, New York University. dodis@cs.nyu.edu 2 Department of Mathematics,
More informationPublic-key cryptography and the Discrete-Logarithm Problem. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J.
Public-key cryptography and the Discrete-Logarithm Problem Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein Cryptography Let s understand what our browsers do. Schoolbook
More informationLecture Note 3 Date:
P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................
More informationRandom Oracles in a Quantum World
Dan Boneh 1 Özgür Dagdelen 2 Marc Fischlin 2 Anja Lehmann 3 Christian Schaffner 4 Mark Zhandry 1 1 Stanford University, USA 2 CASED & Darmstadt University of Technology, Germany 3 IBM Research Zurich,
More informationPublic-Seed Pseudorandom Permutations
Public-Seed Pseudorandom Permutations Stefano Tessaro UCSB Joint work with Pratik Soni (UCSB) DIMACS Workshop New York June 8, 2017 We look at existing class of cryptographic primitives and introduce/study
More informationAnonymous Signatures Made Easy
Anonymous Signatures Made Easy Marc Fischlin Darmstadt University of Technology, Germany marc.fischlin @ gmail.com www.fischlin.de Abstract. At PKC 2006, Yang, Wong, Deng and Wang proposed the notion of
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationChosen Ciphertext Security with Optimal Ciphertext Overhead
Chosen Ciphertext Security with Optimal Ciphertext Overhead Masayuki Abe 1, Eike Kiltz 2 and Tatsuaki Okamoto 1 1 NTT Information Sharing Platform Laboratories, NTT Corporation, Japan 2 CWI Amsterdam,
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 14 October 16, 2013 CPSC 467, Lecture 14 1/45 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending
More informationCommunication-Efficient Non-Interactive Proofs of Knowledge with Online Extractors
Communication-Efficient Non-Interactive Proofs of Knowledge with Online Extractors Marc Fischlin Institute for Theoretical Computer Science, ETH Zürich, Switzerland marc.fischlin @ inf.ethz.ch http://www.fischlin.de/
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationOnline Cryptography Course. Message integrity. Message Auth. Codes. Dan Boneh
Online Cryptography Course Message integrity Message Auth. Codes Message Integrity Goal: integrity, no confiden>ality. Examples: Protec>ng public binaries on disk. Protec>ng banner ads on web pages. Message
More informationOn Seed-Incompressible Functions
On Seed-Incompressible Functions Shai Halevi 1, Steven Myers 2, and Charles Rackoff 3 1 IBM Research shaih@alum.mit.edu 2 Indiana University samyers@indiana.edu 3 University of Toronto rackoff@cs.toronto.edu
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationWeek : Public Key Cryptosystem and Digital Signatures
Week 10-11 : Public Key Cryptosystem and Digital Signatures 1. Public Key Encryptions RSA, ElGamal, 2 RSA- PKC(1/3) 1st public key cryptosystem R.L.Rivest, A.Shamir, L.Adleman, A Method for Obtaining Digital
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,
More informationTHE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY
THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY Mark Zhandry - Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 27 Previously on COS 433 Security Experiment/Game (One- time setting) b m, m M c Challenger k ß K c ß Enc(k,m b ) b IND-Exp b ( )
More informationPractical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
More informationHow to Enhance the Security of Public-Key. Encryption at Minimum Cost 3. NTT Laboratories, 1-1 Hikarinooka Yokosuka-shi Kanagawa Japan
How to Enhance the Security of Public-Key Encryption at Minimum Cost 3 Eiichiro Fujisaki Tatsuaki Okamoto NTT Laboratories, 1-1 Hikarinooka Yokosuka-shi Kanagawa 239-0847 Japan ffujisaki,okamotog@isl.ntt.co.jp
More informationWeek 12: Hash Functions and MAC
Week 12: Hash Functions and MAC 1. Introduction Hash Functions vs. MAC 2 Hash Functions Any Message M Hash Function Generate a fixed length Fingerprint for an arbitrary length message. No Key involved.
More informationOutline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More information