Robust Password- Protected Secret Sharing
|
|
- Eustace Stokes
- 5 years ago
- Views:
Transcription
1 Robust Password- Protected Secret Sharing Michel Abdalla, Mario Cornejo, Anca Niţulescu, David Pointcheval École Normale Supérieure, CNRS and INRIA, Paris, France R E S E A R C H UNIVERSITY
2 PPSS: Motivation Cloud provider taxes medical records paychecks top secret documents
3 PPSS: Motivation Cloud provider taxes medical records paychecks top secret documents
4 PPSS: Motivation Cloud provider taxes medical records paychecks top secret documents Everyone might have access to the data
5 PPSS: Motivation Cloud provider taxes medical records paychecks top secret documents
6 PPSS: Motivation Cloud provider taxes medical records paychecks top secret documents Provider still has access to the data
7 PPSS: Motivation Cloud provider taxes medical records paychecks top secret documents
8 PPSS: Motivation Cloud provider taxes medical records paychecks top secret documents
9 PPSS: Motivation Cloud provider taxes medical records paychecks top secret documents We can remember just low-entropy passwords (and not too many). Humans cannot remember large secret keys. Provider/authorities might perform an offline dictionary attack.
10 PPSS: Motivation Cloud provider taxes medical records paychecks top secret documents USB Tokens might not be always available. Tokens might fall into the wrong hands. Large keys give better security.
11 PPSS: Password-Protected Secret Sharing Cloud provider taxes
12 PPSS: Password-Protected Secret Sharing Cloud provider User creates a cryptographic key. taxes
13 PPSS: Password-Protected Secret Sharing Cloud provider User creates a cryptographic key. Encrypts her data using this key. taxes
14 PPSS: Password-Protected Secret Sharing Cloud provider Keys store User creates a cryptographic key. Encrypts her data using this key. Stores her secret key into servers by using her password and some public information. n taxes
15 PPSS: Password-Protected Secret Sharing Cloud provider Keys store taxes User creates a cryptographic key. Encrypts her data using this key. Stores her secret key into servers by using her password and some public information. Stores the data into the provider. n
16 PPSS: Password-Protected Secret Sharing Cloud provider Keys store After t +1interactions using her password, the user can recover her secret key taxes
17 PPSS: Password-Protected Secret Sharing Cloud provider Keys store After t +1interactions using her password, the user can recover her secret key taxes
18 PPSS: Properties A PPSS scheme defines two steps: Initialization: Secret & password are processed Reconstruction: The user can recover the secret by interacting with a subset of t +1servers. Additional properties: Soundness: Even if the adversary cannot make the user recover a different secret. Robustness: The recovery is guaranteed if there are s t +1non-corrupt servers.
19 PPSS: Instantiations of PPSS Scheme Messages Client inter-server Robust ZKP BJSL11 4 PKI PKI No Costly CLLN14 10 Std PKI No Costly JKK14 2 CRS None Yes Costly JKKX16 2 CRS None No No
20 PPSS: Instantiations of PPSS Scheme Messages Client inter-server Robust ZKP BJSL11 4 PKI PKI No Costly CLLN14 10 Std PKI No Costly JKK14 2 CRS None Yes Costly JKKX16 2 CRS None No No This work 2 CRS None Yes No
21 Robust Password-Protected Secret Sharing PPSS OPRF Robust Gap Secret Sharing Secret Sharing Scheme
22 Robust Password-Protected Secret Sharing PPSS OPRF Robust Gap Secret Sharing Secret Sharing Scheme
23 Robust Password-Protected Secret Sharing PPSS OPRF Robust Gap Secret Sharing Secret Sharing Scheme
24 Robust Password-Protected Secret Sharing PPSS OPRF Robust Gap Secret Sharing Secret Sharing Scheme
25 PPSS: Secret Sharing Scheme s 1 s 2 Secret s 3 s n
26 PPSS: Secret Sharing Scheme s 1 s 2 s 3 Secret s n
27 PPSS: Robust Gap Secret Sharing Scheme How do we implement robustness?
28 PPSS: Robust Gap Secret Sharing Scheme Assume a set of valid shares from a Threshold SSS s 1 s 2 s 3 s n (s 1,...,s n )
29 PPSS: Robust Gap Secret Sharing Scheme Fingerprint function: Hash function s 1 1 s 2 2 s 3 3 s n n (s 1,...,s n ) ( 1,..., n)
30 PPSS: Robust Gap Secret Sharing Scheme Generate a prime number N 2 2k(n t r)+1 <Napple 2 2k(n t r)+2 s 1 1 s 2 2 s 3 3 S s n n (s 1,...,s n ) ( 1,..., n) S = Q n i=1 i mod N
31 PPSS: Robust Gap Secret Sharing Scheme Generate a prime number N 2 2k(n t r)+1 <Napple 2 2k(n t r)+2 s 1 s 2 s 3 Output: {s k } n = s 1 s 2 s 3 s n SSInfo =(S,N) { S, N } S s n n (s 1,...,s n ) ( 1,..., n) S = Q n i=1 i mod N
32 PPSS: Robust Gap Secret Sharing Scheme How can we decide which are the valid sets of shares to reconstruct?
33 PPSS: Robust Gap Secret Sharing Scheme Given SSInfo =(S,N) { S, N } s 1 s 2 s 3 s n
34 PPSS: Robust Gap Secret Sharing Scheme Given SSInfo =(S,N) { S, N } s 1 1 s 2 2 s 3 3 s n n
35 PPSS: Robust Gap Secret Sharing Scheme Given SSInfo =(S,N) { S, N } s 1 1 s 2 2 s 3 3 T s n n
36 PPSS: Robust Gap Secret Sharing Scheme Given SSInfo =(S,N) { S, N } = T S
37 PPSS: Robust Gap Secret Sharing Scheme Given SSInfo =(S,N) { S, N } T = = S n n
38 PPSS: Robust Gap Secret Sharing Scheme Given SSInfo =(S,N) { S, N } T = = S n T 0 = n S 0
39 PPSS: Robust Gap Secret Sharing Scheme Given SSInfo =(S,N) { S, N } T = = S n T 0 = n S 0 gcd( 1, T 0 ) 1
40 PPSS: Robust Gap Secret Sharing Scheme Given SSInfo =(S,N) { S, N } T = = S n T 0 = n S 0 gcd( 1, T 0 ) 1 Correct fingerprint!
41 PPSS: Robust Gap Secret Sharing Scheme Given SSInfo =(S,N) { S, N } T = = S n T 0 = n S 0 gcd( 1, T 0 ) 1 Correct fingerprint! gcd( 2, T 0 ) k Incorrect fingerprint!
42 PPSS: Robust Gap Secret Sharing Scheme Given SSInfo =(S,N) { S, N } T = = S n T 0 = n S 0 gcd( 1, T 0 ) 1 Correct fingerprint! gcd( 2, T 0 ) k Incorrect fingerprint! gcd( 3, T 0 ) 1 Correct fingerprint!
43 PPSS: Oblivious PRF pw sk F (sk, pw) F The output is indistinguishable from random The server learns nothing
44 PPSS: Password-Protected Secret Sharing Initialization phase
45 The user interacts with n PPSS: Initialization servers to obliviously evaluate the PRF (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n )
46 The user interacts with n PPSS: Initialization servers to obliviously evaluate the PRF (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) 1 = F sk1 (pw) pw
47 The user interacts with n PPSS: Initialization servers to obliviously evaluate the PRF (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) 1 = F sk1 (pw) 2 = F sk2 (pw) pw
48 The user interacts with n PPSS: Initialization servers to obliviously evaluate the PRF (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) 1 = F sk1 (pw) 2 = F sk2 (pw) n = F skn (pw) pw
49 PPSS: Initialization Each share is encrypted using the each PRF evaluation (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) 1 = F sk1 (pw) 2 = F sk2 (pw) n = F skn (pw) R = K r pw { k } n {pk k } n
50 PPSS: Initialization Each share is encrypted using the each PRF evaluation (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) 1 = F sk1 (pw) 2 = F sk2 (pw) n = F skn (pw) R = K r (s 1,...,s n, SSInfo) ShareGen(R) pw { k } n {pk k } n
51 PPSS: Initialization Each share is encrypted using the each PRF evaluation (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) 1 = F sk1 (pw) 2 = F sk2 (pw) n = F skn (pw) R = K r (s 1,...,s n, SSInfo) ShareGen(R) k = k s k pw { k } n {pk k } n
52 The user computes a commitment PPSS: Initialization (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) C = Commit(pw, H({pk k } n, { k } n, SSInfo,K); r) pw { k } n {pk k } n K r SSInfo { k } n
53 PPSS: Initialization The user uploads the encrypted data (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) PInfo PInfo PInfo PInfo =({pk k } n, { k } n, SSInfo,C) pw { k } n {pk k } n K r SSInfo { k } n C
54 PPSS: Password-Protected Secret Sharing Reconstruction phase
55 PPSS: Reconstruction The user interacts with the server (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) PInfo PInfo PInfo 1 = F sk1 (pw) PInfo pw
56 PPSS: Reconstruction The user interacts with the server (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) PInfo PInfo PInfo 1 = F sk1 (pw) 2 = F sk2 (pw) PInfo pw
57 PPSS: Reconstruction The user interacts with the server (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) PInfo PInfo PInfo 1 = F sk1 (pw) 2 = F sk2 (pw) n = F skn (pw) PInfo pw
58 PPSS: Reconstruction The user interacts with the server (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) PInfo PInfo PInfo 1 = F sk1 (pw) 2 = F sk2 (pw) n = F skn (pw) 1 1 = s 1 pw
59 PPSS: Reconstruction The user interacts with the server (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) PInfo PInfo PInfo 1 = F sk1 (pw) 2 = F sk2 (pw) n = F skn (pw) pw 1 1 = s = s 2
60 PPSS: Reconstruction The user interacts with the server (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) PInfo PInfo PInfo 1 = F sk1 (pw) 2 = F sk2 (pw) n = F skn (pw) pw 1 1 = s = s = s 3
61 PPSS: Reconstruction The user interacts with the server (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) PInfo PInfo PInfo 1 = F sk1 (pw) 2 = F sk2 (pw) n = F skn (pw) pw 1 1 = s = s = s 3 n n = s n
62 PPSS: Reconstruction The user interacts with the server (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) PInfo PInfo PInfo 1 = F sk1 (pw) 2 = F sk2 (pw) n = F skn (pw) pw 1 1 = s = s Reconstruct( = s 3 )? = R = K r n n = s n
63 PPSS: Reconstruction The user interacts with the server (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) PInfo PInfo PInfo 1 = F sk1 (pw) 2 = F sk2 (pw) n = F skn (pw) Commit(pw, H({pk k } n, { k } n, SSInfo,K); r)? = C pw
64 PPSS: Proof [Sketch] We build simulators for each PRFs Adversary s probability is bounded by:
65 PPSS: Proof [Sketch] We build simulators for each PRFs Adversary s probability is bounded by: Probability of guessing pw Pr[PWinC] = q u #Dict
66 PPSS: Proof [Sketch] We build simulators for each PRFs Adversary s probability is bounded by: Probability of breaking the OPRF Pr[PWinF] ="
67 PPSS: Comparison By using our robust threshold secret sharing we avoid the verifiability requirements for the OPRF. We reduce the communication to the half, because of the simplification of the OPRF. Our communication and computation complexities are asymptotically equivalent to [JKK14], in real life they are twice better.
68 Robust Password- Protected Secret Sharing Michel Abdalla, Mario Cornejo, Anca Niţulescu, David Pointcheval École Normale Supérieure, CNRS and INRIA, Paris, France R E S E A R C H UNIVERSITY
69 PPSS: Experimental Results Given SSInfo =(S,N) { S, N } T = = S n T 0 = n S 0
70 PPSS: Experimental Results Given SSInfo =(S,N) { S, N } T = = S n = n T 00 S 00 gcd( 1, ) =11 Correct fingerprint! T 00
71 PPSS: Experimental Results Given SSInfo =(S,N) { S, N } T = = S n = n T 00 S 00 gcd( 1, ) =11 Correct fingerprint! T 00 gcd( 1, ) =21 Correct fingerprint! T 00 gcd( 1, ) =31 Correct fingerprint! T 00
72 PPSS: Experimental Results 2 gcd(, ) = k1 Incorrect fingerprint! T 00 gcd(, ) = k1 1 Incorrect fingerprint! 2 T 00 gcd(, T 00 ) 1 Incorrect fingerprint! 2 = k 2
73 PPSS: CDH-based PRF (One-More Gap DH) pk = g sk pw sk A Z H 1 (pw) A B B A sk C B 1/ = H 1 (pw) sk F sk (pw) =H 2 (pw, pk,c)
74 PPSS: DDH-based PRF pk, {c i = Enc pk (a i )} 1}` x =(x 1,x 2,...,x`) 2 {0, G s sk 2 Z s C Enc pk ( a 0 Q ai x i ) C Proof(,x i ) G D G Dec sk (C) g D R G 1/
Flexible Group Key Exchange with On Demand Computation of Subgroup Keys
Flexible Group Key Exchange with On Demand Computation of Subgroup Keys Michel Abdalla 1, Celine Chevalier 2, Mark Manulis 3, David Pointcheval 1 1 École Normale Supérieure CNRS INRIA, Paris, France 2
More informationBasics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018
Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationSecret Sharing CPT, Version 3
Secret Sharing CPT, 2006 Version 3 1 Introduction In all secure systems that use cryptography in practice, keys have to be protected by encryption under other keys when they are stored in a physically
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More informationAutomatic, computational proof of EKE using CryptoVerif
Automatic, computational proof of EKE using CryptoVerif (Work in progress) Bruno Blanchet blanchet@di.ens.fr Joint work with David Pointcheval CNRS, École Normale Supérieure, INRIA, Paris April 2010 Bruno
More informationKeyword Search and Oblivious Pseudo-Random Functions
Keyword Search and Oblivious Pseudo-Random Functions Mike Freedman NYU Yuval Ishai, Benny Pinkas, Omer Reingold 1 Background: Oblivious Transfer Oblivious Transfer (OT) [R], 1-out-of-N [EGL]: Input: Server:
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationMinimal Design for Decentralized Wallet. Omer Shlomovits
Minimal Design for Decentralized Wallet Omer Shlomovits 1 !2 Motivation Imagine we had a private key management system where: No single point of failure Move of assets (signing) cannot happen without Owner
More informationIncreased efficiency and functionality through lattice-based cryptography
Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS, CNRS, INRIA, PSL Research University RESEARCH UNIVERSITY PARIS ECRYPT-NET Cloud Summer School Leuven, Belgium
More informationSecurity of Symmetric Primitives under Incorrect Usage of Keys
Security of Symmetric Primitives under Incorrect Usage of Keys Pooya Farshim 1 Claudio Orlandi 2 Răzvan Roşie 1 1 ENS, CNRS, INRIA & PSL Research University, Paris, France 2 Aarhus University, Aarhus,
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationDisjunctions for Hash Proof Systems: New Constructions and Applications
Disjunctions for Hash Proof Systems: New Constructions and Applications Michel Abdalla, Fabrice Benhamouda, and David Pointcheval ENS, Paris, France Abstract. Hash Proof Systems were first introduced by
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationPassword-Authenticated Key Exchange David Pointcheval
Password-Authenticated Key Exchange Privacy and Contactless Services May 27th, 2015 AKE AKE: Authenticated Key Exchange allows two players to agree on a common key authentication of partners 2 Diffie-Hellman
More informationLecture 1. 1 Introduction. 2 Secret Sharing Schemes (SSS) G Exposure-Resilient Cryptography 17 January 2007
G22.3033-013 Exposure-Resilient Cryptography 17 January 2007 Lecturer: Yevgeniy Dodis Lecture 1 Scribe: Marisa Debowsky 1 Introduction The issue at hand in this course is key exposure: there s a secret
More informationIdentity-based encryption
Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages
More informationEfficient Smooth Projective Hash Functions and Applications
Efficient Smooth Projective Hash Functions and Applications David Pointcheval Joint work with Olivier Blazy, Céline Chevalier and Damien Vergnaud Ecole Normale Supérieure Isaac Newton Institute for Mathematical
More informationDivisible E-cash Made Practical
Divisible E-cash Made Practical Sébastien Canard (1), David Pointcheval (2), Olivier Sanders (1,2) and Jacques Traoré (1) (1) Orange Labs, Caen, France (2) École Normale Supérieure, CNRS & INRIA, Paris,
More informationEl Gamal A DDH based encryption scheme. Table of contents
El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues The El Gamal encryption
More informationOn Tightly Secure Non-Interactive Key Exchange
On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universität Darmstadt) Dennis Hofheinz (Karlsruhe Institute of Technology) Lisa Kohl (Karlsruhe Institute of Technology) 1 Non-Interactive
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationOn the CCA1-Security of Elgamal and Damgård s Elgamal
On the CCA1-Security of Elgamal and Damgård s Elgamal Cybernetica AS, Estonia Tallinn University, Estonia October 21, 2010 Outline I Motivation 1 Motivation 2 3 Motivation Three well-known security requirements
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationRound-Optimal Password-Based Authenticated Key Exchange
Round-Optimal Password-Based Authenticated Key Exchange Jonathan Katz Vinod Vaikuntanathan Abstract We show a general framework for constructing password-based authenticated key-exchange protocols with
More informationMASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer
MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer Tore Frederiksen Emmanuela Orsini Marcel Keller Peter Scholl Aarhus University University of Bristol 31 May 2016 Secure Multiparty
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationOblivious Transfer and Secure Multi-Party Computation With Malicious Parties
CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationExtending Oblivious Transfers Efficiently
Extending Oblivious Transfers Efficiently Yuval Ishai Technion Joe Kilian Kobbi Nissim Erez Petrank NEC Microsoft Technion Motivation x y f(x,y) How (in)efficient is generic secure computation? myth don
More informationEssam Ghadafi CT-RSA 2016
SHORT STRUCTURE-PRESERVING SIGNATURES Essam Ghadafi e.ghadafi@ucl.ac.uk Department of Computer Science, University College London CT-RSA 2016 SHORT STRUCTURE-PRESERVING SIGNATURES OUTLINE 1 BACKGROUND
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationOn the Security of One Password Authenticated Key Exchange Protocol
On the Security of One Password Authenticated Key Exchange Protocol Stanislav V. Smyshlyaev Igor B. Oshkin Evgeniy K. Alekseev Liliya R. Ahmetzyanova Abstract In this paper the Security Evaluated Standardized
More informationEfficient Password-based Authenticated Key Exchange without Public Information
An extended abstract of this paper appears in ESORICS 2007, J. Biskup and J. Lopez (Eds.), volume 4734 of LNCS, pp. 299-310, Sringer-Verlag, 2007. Efficient Password-based Authenticated Key Exchange without
More informationPassword Cracking: The Effect of Bias on the Average Guesswork of Hash Functions
Password Cracking: The Effect of Bias on the Average Guesswork of Hash Functions Yair Yona, and Suhas Diggavi, Fellow, IEEE Abstract arxiv:608.0232v4 [cs.cr] Jan 207 In this work we analyze the average
More informationNon-Interactive Zero-Knowledge Proofs of Non-Membership
Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building
More informationSearchable encryption & Anonymous encryption
Searchable encryption & Anonymous encryption Michel Abdalla ENS & CNS February 17, 2014 MPI - Course 2-12-1 Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, 2014 1 /
More informationCryptography CS 555. Topic 24: Finding Prime Numbers, RSA
Cryptography CS 555 Topic 24: Finding Prime Numbers, RSA 1 Recap Number Theory Basics Abelian Groups φφ pppp = pp 1 qq 1 for distinct primes p and q φφ NN = Z N gg xx mod N = gg [xx mmmmmm φφ NN ] mod
More informationTwo More Efficient Variants of the J-PAKE Protocol
Two More Efficient Variants of the J-PAKE Protocol Jean Lancrenon, Marjan Škrobot and Qiang Tang SnT, University of Luxembourg {jean.lancrenon, marjan.skrobot, qiang.tang}@uni.lu April 14, 2016 Abstract
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationIntroduction to Modern Cryptography Lecture 11
Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationCryptographic Solutions for Data Integrity in the Cloud
Cryptographic Solutions for Stanford University, USA Stanford Computer Forum 2 April 2012 Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. Homomorphic
More informationLecture 7: ElGamal and Discrete Logarithms
Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 2006-02-07 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that
More informationSharing DSS by the Chinese Remainder Theorem
Sharing DSS by the Chinese Remainder Theorem Kamer Kaya,a, Ali Aydın Selçuk b a Ohio State University, Columbus, 43210, OH, USA b Bilkent University, Ankara, 06800, Turkey Abstract In this paper, we propose
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018
Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationA Posteriori Openable Public Key Encryption *
A Posteriori Openable Public Key Encryption * Xavier Bultel 1, Pascal Lafourcade 1, CNRS, UMR 6158, LIMOS, F-63173 Aubière, France Université Clermont Auvergne, LIMOS, BP 10448, 63000 Clermont-Ferrand,
More informationNon-Interactive Provably Secure Attestations for Arbitrary RSA Prime Generation Algorithms
Non-Interactive Provably Secure Attestations for Arbitrary RSA Prime Generation Algorithms Fabrice Benhamouda Houda Ferradi Rémi Géraud David Naccache École Normale Supérieure Équipe de cryptographie,
More informationNotes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.
COS 533: Advanced Cryptography Lecture 9 (October 11, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Udaya Ghai Notes for Lecture 9 1 Last Time Last time, we introduced zero knowledge proofs
More informationEntity Authentication
Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationDistributed Smooth Projective Hashing and its Application to Two-Server PAKE
Distributed Smooth Projective Hashing and its Application to Two-Server PAKE Franziskus Kiefer and Mark Manulis Department of Computing, University of Surrey, UK mail@franziskuskiefer.de, mark@manulis.eu
More informationAdaptive partitioning. Dennis Hofheinz (KIT, Karlsruhe)
Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Public-Key Encryption Accepted security
More informationUniversally Composable Two-Server PAKE
Universally Composable Two-Server PAKE Franziskus Kiefer 1 and Mark Manulis 2 1 Mozilla Berlin, Germany mail@franziskuskiefer.de 2 Surrey Center for Cyber Security Department of Computer Science, University
More informationLecture 3,4: Multiparty Computation
CS 276 Cryptography January 26/28, 2016 Lecture 3,4: Multiparty Computation Instructor: Sanjam Garg Scribe: Joseph Hui 1 Constant-Round Multiparty Computation Last time we considered the GMW protocol,
More informationBenny Pinkas Bar Ilan University
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar Ilan University 1 Extending OT [IKNP] Is fully simulatable Depends on a non-standard security assumption
More information18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018
18734: Foundations of Privacy Anonymous Cash Anupam Datta CMU Fall 2018 Today: Electronic Cash Goals Alice can ask for Bank to issue coins from her account. Alice can spend coins. Bank cannot track what
More informationCryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols
CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, École Normale Supérieure, INRIA, Paris March 2009 Bruno Blanchet (CNRS, ENS, INRIA) CryptoVerif March
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationLecture Notes on Secret Sharing
COMS W4261: Introduction to Cryptography. Instructor: Prof. Tal Malkin Lecture Notes on Secret Sharing Abstract These are lecture notes from the first two lectures in Fall 2016, focusing on technical material
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationA Framework for Password-Based Authenticated Key Exchange
A Framework for Password-Based Authenticated Key Exchange Extended Abstract Rosario Gennaro and Yehuda Lindell IBM T.J. Watson Research Center Yorktown Heights, NY 10528, USA. {rosario,lindell}@us.ibm.com
More information5.4 ElGamal - definition
5.4 ElGamal - definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is
More informationFast Lattice-Based Encryption: Stretching SPRING
Fast Lattice-Based Encryption: Stretching SPRING Charles Bouillaguet 1 Claire Delaplace 1,2 Pierre-Alain Fouque 2 Paul Kirchner 3 1 CFHP team, CRIStAL, Université de Lille, France 2 EMSEC team, IRISA,
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationEfficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply
CIS 2018 Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply Claudio Orlandi, Aarhus University Circuit Evaluation 3) Multiplication? How to compute [z]=[xy]? Alice, Bob
More informationA Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM
A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM Paulo S. L. M. Barreto Bernardo David Rafael Dowsley Kirill Morozov Anderson C. A. Nascimento Abstract Oblivious Transfer
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationLattice Cryptography
CSE 06A: Lattice Algorithms and Applications Winter 01 Instructor: Daniele Micciancio Lattice Cryptography UCSD CSE Many problems on point lattices are computationally hard. One of the most important hard
More information5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes
5th March 2004 Unconditional Security of Quantum Key Distribution With Practical Devices Hermen Jan Hupkes The setting Alice wants to send a message to Bob. Channel is dangerous and vulnerable to attack.
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationA Key Recovery Attack on MDPC with CCA Security Using Decoding Errors
A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson Paul Stankovski Dept. of Electrical and Information Technology, Lund University ASIACRYPT 2016 Dec 8th, 2016
More informationAdditive Conditional Disclosure of Secrets
Additive Conditional Disclosure of Secrets Sven Laur swen@math.ut.ee Helsinki University of Technology Motivation Consider standard two-party computation protocol. x f 1 (x, y) m 1 m2 m r 1 mr f 2 (x,
More informationMTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R
More informationPrivate Comparison. Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5
Private Comparison Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5 1 École Normale Supérieure, CNRS, PSL University 2 IRIT 3 Chair of Naval Cyber Defense, IMT
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More informationLecture 30: Hybrid Encryption and Prime Number Generation. Hybrid Encryption & Primes
Lecture 30: Hybrid Encryption and Prime Number Generation Recall: ElGamal Encryption I We begin by recalling the ElGamal Public-key Encryption Recall that to describe a private-key encryption scheme we
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationTwo-Round PAKE from Approximate SPH and Instantiations from Lattices
Two-Round PAKE from Approximate SPH and Instantiations from Lattices Jiang Zhang 1 and Yu Yu 2,1,3 1 State Key Laboratory of Cryptology, P.O. Box 5159, Beijing 100878, China 2 Department of Computer Science
More informationDistributed Oblivious RAM for Secure Two-Party Computation
Seminar in Distributed Computing Distributed Oblivious RAM for Secure Two-Party Computation Steve Lu & Rafail Ostrovsky Philipp Gamper Philipp Gamper 2017-04-25 1 Yao s millionaires problem Two millionaires
More informationPeculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology
1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 2 / 19 Talk Agenda Encryption schemes
More informationRate-Limited Secure Function Evaluation: Definitions and Constructions
An extended abstract of this paper is published in the proceedings of the 16th International Conference on Practice and Theory in Public-Key Cryptography PKC 2013. This is the full version. Rate-Limited
More informationQuantitative Approaches to Information Protection
Quantitative Approaches to Information Protection Catuscia Palamidessi INRIA Saclay 1 LOCALI meeting, Beijin 06/11/2013 Plan of the talk Motivations and Examples A General Quantitative Model Quantitative
More informationInstructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year
Data Privacy and Security Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2017-2018 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum
More informationRound-Optimal Password-Based Authenticated Key Exchange
Round-Optimal Password-Based Authenticated Key Exchange Jonathan Katz 1 and Vinod Vaikuntanathan 2 1 University of Maryland, USA jkatz@cs.umd.edu 2 Microsoft Research vinodv@alum.mit.edu Abstract. We show
More informationSolution to Midterm Examination
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Handout #13 Xueyuan Su November 4, 2008 Instructions: Solution to Midterm Examination This is a closed book
More informationBounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts
Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts Stefano Tessaro (UC Santa Barbara) David A. Wilson (MIT) Bounded-Collusion IBE from Semantically-Secure
More informationPERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY
PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY BURTON ROSENBERG UNIVERSITY OF MIAMI Contents 1. Perfect Secrecy 1 1.1. A Perfectly Secret Cipher 2 1.2. Odds Ratio and Bias 3 1.3. Conditions for Perfect
More information