Proofs of Retrievability via Fountain Code
1 Proofs of Retrievability via Fountain Code
Sumanta Sarkar and Reihaneh Safavi-Naini
Department of Computer Science, University of Calgary, Canada
Foundations and Practice of Security, October 25, 2012
2 Outsourcing Data into Cloud Storage
- Suppose a user generates lots of electronic data: videos, photos, e-mails, text documents.
- He also has many devices: desktop, laptop, tablet, smartphone. But none of them is capable of storing huge data.
- Cloud storage comes with the solution:
  - Outsource the data into the cloud.
  - Access all data from all the devices and from anywhere.
  - The cloud keeps the whole data intact as long as the client wants.
3 Risk of Outsourcing Data into Cloud Storage
- The client relies completely on the cloud for the integrity of the data.
- No control over the infrastructure of the cloud.
- Device failure may erase some portions of the data.
- A dishonest cloud may erase some portions of the data to reduce its own storage cost.
4 Checking the Integrity of the Data
- Store a MAC of the data locally.
- Download the whole file, compute the MAC and compare it with the previously stored one.
- Not a practical solution when the data is big.
5-8 Proofs of Retrievability (PoR)
- Juels and Kaliski 2007 introduced the Proofs of Retrievability (PoR) protocol, which verifies the integrity of the data through an audit protocol.
- The client applies an erasure code on the file $M$ and stores the encoded file $M'$ in the cloud. $M$ can be decoded from a fraction, say $\rho$, of $M'$.
- Along with $M'$, the client also stores some extra information derived from $M$ (the file tag) which will be used in the audit.
- An audit is a challenge-response protocol. In the audit the client (verifier) challenges on some random locations of the file, and the cloud's (prover's) correct response proves that the file blocks are intact in those locations.
- The security of a PoR scheme is formalized by showing the existence of an extractor which retrieves the file with very high probability from an erasing adversary that can pass the audit protocol with some reasonable probability.
9-10 Efficiency of PoR System
- The computational cost of preparing a file for storing in the cloud, and of calculating the response.
- The communication cost required during an audit.
- The extra storage (overhead) needed for storing the file $M'$.
- So a small challenge improves the communication cost of the protocol, and also the computation cost of the prover, as fewer blocks are involved in the computation of the response.
11 Bounded/Unbounded-use PoR and Private/Public Verifiability
- A PoR that allows an unlimited number of challenge-response interactions is unbounded-use; otherwise it is bounded-use.
- A privately verifiable PoR allows only the owner who stored the file to run the challenge-response protocol, whereas in a publicly verifiable PoR anyone knowing the appropriate public key can perform the verification.
12 Main Contribution
- We present an unbounded-use private PoR scheme that improves the cost of response computation and the cost of communicating challenges in the average case.
- Our construction closely follows that of Shacham and Waters 2008 and uses a Fountain code.
13 Related Work on PoR
- PoR was introduced by Juels and Kaliski 2007 and subsequently has been extended and improved by Shacham and Waters 2008; Bowers, Juels and Oprea 2009; Dodis, Vadhan and Wichs.
- The JK07 scheme has quadratic communication complexity (in terms of the security parameter) for the response. This was improved to linear complexity in SW08 by using homomorphic linear authenticators.
- Dodis et al. viewed the set of all correct responses corresponding to the file $M' = \mathrm{Enc}(M)$ stored in the cloud as a codeword $C$, which is a challenge-response encoding of $M$. The set of all responses for the same file $M'$ from the prover forms a word $C'$ which may differ from $C$. The extractor decodes $M$ from $C'$.
14 Background on PoR
We follow SW08.
- $\mathrm{Kg}()$: This randomized algorithm generates a secret key $sk$ and the public key $pk$.
- $\mathrm{St}(sk, M)$: This randomized algorithm takes the secret key $sk$ and the client file $M \in \{0,1\}^*$. Then it processes $M$ and outputs $M^*$, which is stored in the cloud, and the file tag $t$.
- $\mathcal{P}, \mathcal{V}$: The randomized algorithms that correspond to the prover and the verifier. At the end of the prover-verifier interaction: $\{0,1\} \xleftarrow{R} (\mathcal{V}(pk, sk, t) \rightleftharpoons \mathcal{P}(pk, t, M^*))$.
15 PoR properties: Correctness and Soundness
- Correctness means that if the prover is honest then $(\mathcal{V}(pk, sk, t) \rightleftharpoons \mathcal{P}(pk, t, M^*)) = 1$.
- A PoR is sound if any prover that convinces the verifier actually holds the file.
16 $\epsilon$-adversary and the Extractor
- The adversary is assumed to erase some portion of the file, with probability bounded by a fixed value.
- A prover is $\epsilon$-admissible if it convincingly answers an $\epsilon$ fraction of challenges.
- A PoR scheme is $\epsilon$-sound if there exists an extraction algorithm (Extractor) which, by interacting (challenge-response) with the $\epsilon$-admissible adversary, can recover the file except with negligible probability.
17 Fountain Codes
- In Fountain codes the sender generates a potentially limitless stream of encoded symbols.
- The receiver can recover the message from sufficiently many encoded symbols.
- Examples: the LT code [Luby 2002] and the Raptor code [Shokrollahi 2006] are two well-known Fountain codes.
18 Raptor Code: Encoding
Precoding:
- The message is $(x_1, \ldots, x_k)$, where each $x_i$ is $l$ bits.
- First $(x_1, \ldots, x_k)$ is encoded to $(y_1, \ldots, y_n)$ by an erasure code $C_n$ which can recover $(x_1, \ldots, x_k)$ from any $\rho n$ of the symbols.
LT coding:
- To generate Raptor encoding symbols, an LT code is applied on $(y_1, \ldots, y_n)$. For that, a degree distribution defined by a polynomial $w(x) = \sum_{i=1}^{n} w_i x^i$ is chosen, where $w_i$ is the probability of choosing degree $i$, $i \in \{1, \ldots, n\}$.
- Randomly choose a degree, say $j$, using $w(x)$.
- Choose uniformly at random $j$ symbols from the set $\{y_1, \ldots, y_n\}$, and XOR them to produce the encoded symbol (output symbol) $r_i = y_{i_1} \oplus \cdots \oplus y_{i_j}$.
19 Raptor Code structure
20 Raptor Code: Decoding
- After collecting a little more than $k$ output symbols $r_i$, apply BP (belief propagation) decoding to get a $\rho$ fraction of $\{y_1, \ldots, y_n\}$; then, by applying the decoding of $C_n$, the receiver can recover $(x_1, \ldots, x_k)$.
21 Raptor Code parameters
The following are from the Raptor code construction given in [Shokrollahi 2006].
Let $\alpha > 0$ be a real number, set $D = 4(1+\alpha)/\alpha$ and define
$$w_D(x) = \frac{1}{\mu + 1}\left(\mu x + \sum_{i=2}^{D} \frac{x^i}{(i-1)\,i} + \frac{x^{D+1}}{D}\right), \qquad (1)$$
where $\mu = (\alpha/2) + (\alpha/2)^2$. The average degree of $w_D$ is
$$\ln(1/\alpha) + \beta + O(\alpha), \qquad (2)$$
where $1 < \beta < 1 + \gamma + \ln(9)$ and the constant $\gamma$ is Euler's constant.
22 Results on decoding Raptor Code
Lemma (Shokrollahi 2006). There exists a positive real number $c$ (depending on $\alpha$) such that, with an error probability of at most $e^{-cn}$, any set of $(1+\alpha/2)n + 1$ output symbols of the LT code with distribution $w_D$ and $n$ input symbols $y_1, \ldots, y_n$ is sufficient to recover at least $\rho n$ input symbols from $\{y_1, \ldots, y_n\}$ via belief propagation decoding, where $\rho = 1 - \frac{\alpha/4}{1+\alpha}$.
Theorem (Shokrollahi 2006). Let $\alpha > 0$ be a real number, $k$ an integer, $D = 4(1+\alpha)/\alpha$, $R = (1+\alpha/2)/(1+\alpha)$, $n = k/R$. Let $C_n$ be an erasure code which can decode a $(1-R)/2$ fraction of erasures. Then the Raptor code with precode $C_n$ and the LT code with the distribution $w_D(x)$, which encodes $k$ symbols, can decode from $(1+\alpha)k$ output symbols.
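The degree distribution of equation (1) on slide 21, its average degree from equation (2), and the LT encoding step of slide 18 are easy to check numerically. The block below is an added example (not code from the slides or the paper): it builds the coefficients of $w_D(x)$ for a given $\alpha$, verifies that they sum to one, compares the mean against the bound $1 < \beta < 1 + \gamma + \ln 9$, and draws one LT output symbol. The input symbols are small integers standing in for $l$-bit symbols, and the precode $C_n$ is assumed to have been applied already; `round()` on $D$ is an assumption that removes floating-point noise for the $\alpha = 1/l$ values RAPTOR-PoR uses, where $D$ is integral.

```python
import math
import random

# Added example (not from the slides or the paper): the Raptor degree
# distribution w_D(x) of equation (1), its mean (equation (2)) and one LT
# output symbol drawn with it. The precode C_n is assumed already applied.

EULER_GAMMA = 0.5772156649015329  # Euler's constant gamma


def raptor_params(alpha):
    """D = 4(1+alpha)/alpha and mu = alpha/2 + (alpha/2)^2, as on slide 21.
    round() (an assumption) removes float noise; D is integral for alpha = 1/l."""
    D = round(4 * (1 + alpha) / alpha)
    mu = alpha / 2 + (alpha / 2) ** 2
    return D, mu


def degree_distribution(alpha):
    """Coefficients of w_D(x) = (mu x + sum_{i=2}^{D} x^i/((i-1)i) + x^{D+1}/D) / (mu+1).
    Returns {degree: probability}; the inner terms telescope to mu+1, so it sums to 1."""
    D, mu = raptor_params(alpha)
    w = {1: mu}
    for i in range(2, D + 1):
        w[i] = 1.0 / ((i - 1) * i)
    w[D + 1] = 1.0 / D
    return {i: p / (mu + 1.0) for i, p in w.items()}


def mean_degree(alpha):
    """Average number of input symbols XORed into one output symbol."""
    return sum(i * p for i, p in degree_distribution(alpha).items())


def beta_term(alpha):
    """Slide 21 gives the mean as ln(1/alpha) + beta + O(alpha); this returns
    mean - ln(1/alpha), which should lie in (1, 1 + gamma + ln 9) for small alpha."""
    return mean_degree(alpha) - math.log(1.0 / alpha)


def mean_within_slide_bounds(alpha):
    return 1.0 < beta_term(alpha) < 1.0 + EULER_GAMMA + math.log(9)


def sample_degree(alpha, rng):
    dist = degree_distribution(alpha)
    return rng.choices(list(dist), weights=list(dist.values()))[0]


def xor_of(y, idx):
    r = 0
    for i in idx:
        r ^= y[i]
    return r


def lt_encode_symbol(y, alpha, seed=0):
    """One LT output symbol r = y_{i1} xor ... xor y_{ij} with j drawn from w_D.
    j is capped at n because w_D can exceed n when the input block is short."""
    rng = random.Random(seed)
    j = min(sample_degree(alpha, rng), len(y))
    idx = rng.sample(range(len(y)), j)
    return idx, xor_of(y, idx)


if __name__ == "__main__":
    for l in (8, 64):  # RAPTOR-PoR takes alpha = 1/l (slide 33)
        a = 1.0 / l
        D, _ = raptor_params(a)
        print(f"l={l}: max degree D+1={D + 1}, mean={mean_degree(a):.3f}, "
              f"ln(l)={math.log(l):.3f}, beta={beta_term(a):.3f}")
    print(lt_encode_symbol([3, 5, 9, 17, 33], 1.0, seed=7))
```

With $\alpha = 1/l$ the largest degree is $D + 1 = 4l + 5$, which is the upper end of the challenge-size interval quoted on slide 35, while the mean stays at $\ln(l) + \beta$; the gap between worst case and average case is the whole point of using this distribution for challenge sizes.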
23 PoR of SW08
- Suppose $F' = (m_1, \ldots, m_n)$ is the erasure-encoded file of the client file $F$. Each $m_i \in \mathbb{Z}_p$.
- Choose $\theta \in \mathbb{Z}_p$ randomly and create authenticators $\sigma_i = \mathrm{PRF}(i) + \theta m_i$.
- Challenge: $Q = \{(i_1, v_1), \ldots, (i_w, v_w)\}$, where $i_j$ is chosen randomly from $\{1, \ldots, n\}$ and $v_j$ randomly from $\mathbb{Z}_p$.
- Response: $r = \sum_{(i, v_i) \in Q} v_i m_i$ and $\sigma = \sum_{(i, v_i) \in Q} v_i \sigma_i$.
- Verify: $\sigma \stackrel{?}{=} \sum_{(i, v_i) \in Q} v_i \mathrm{PRF}(i) + \theta r$.
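The SW08 audit on slide 23 is the scheme the RAPTOR-PoR slides modify, so it helps to see the $\mathbb{Z}_p$ version run. The following block is an added example, not code from Shacham and Waters or from this paper: it uses a Mersenne prime as $\mathbb{Z}_p$, HMAC-SHA256 reduced mod $p$ as the PRF, and constructed keys and blocks. It runs one honest audit and then one where the cloud has lost a challenged block and substitutes a zero while reusing the stored authenticator, which the linear check rejects.

```python
import hashlib
import hmac
import random

# Added example, not code from the paper or from Shacham-Waters: a toy of the
# SW08 private-verification PoR on slide 23. Blocks m_i live in Z_p, the PRF is
# HMAC-SHA256 reduced mod p, and theta is the secret multiplier. All keys and
# data values below are constructed for the demo.

P = (1 << 127) - 1  # a Mersenne prime standing in for the field Z_p


def prf(key, i):
    """PRF(i) in Z_p, keyed by the client's secret PRF key."""
    mac = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % P


def sw08_store(blocks, key, theta):
    """Authenticators sigma_i = PRF(i) + theta * m_i (mod p)."""
    return [(prf(key, i) + theta * m) % P for i, m in enumerate(blocks)]


def sw08_challenge(n, w, seed):
    """Q = {(i_1, v_1), ..., (i_w, v_w)}: w distinct indices, random coefficients in Z_p."""
    rng = random.Random(seed)
    return [(i, rng.randrange(1, P)) for i in rng.sample(range(n), w)]


def sw08_respond(blocks, sigmas, Q):
    """Prover: r = sum v_i m_i and sigma = sum v_i sigma_i, i.e. w multiplications
    and w-1 additions over Z_p for each of the two sums (cf. slide 35)."""
    r = sum(v * blocks[i] for i, v in Q) % P
    sigma = sum(v * sigmas[i] for i, v in Q) % P
    return r, sigma


def sw08_verify(key, theta, Q, r, sigma):
    """Verifier: sigma == sum v_i PRF(i) + theta * r (mod p).
    Holds for an honest prover because each sigma_i is linear in m_i."""
    return sigma == (sum(v * prf(key, i) for i, v in Q) + theta * r) % P


def demo(seed=1):
    key = b"constructed-sw08-prf-key"
    theta = 0x2545F4914F6CDD1D  # constructed secret theta in Z_p
    blocks = [5, 17, 99, 1234, 7, 42, 8, 65535]  # constructed erasure-coded blocks m_i
    sigmas = sw08_store(blocks, key, theta)
    Q = sw08_challenge(len(blocks), 3, seed)
    honest = sw08_verify(key, theta, Q, *sw08_respond(blocks, sigmas, Q))
    # A cloud that lost block i_1 and substitutes a zero still reuses the stored sigma.
    lost = list(blocks)
    lost[Q[0][0]] = 0
    cheating = sw08_verify(key, theta, Q, *sw08_respond(lost, sigmas, Q))
    return honest, cheating


if __name__ == "__main__":
    print(demo())  # expected (True, False)
```

The forged response fails because the difference between the honest and substituted $r$ is $v_{i_1} m_{i_1}$, and $\theta v_{i_1} m_{i_1} \ne 0$ in a prime field whenever all three factors are non-zero.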
24 RAPTOR-PoR: Choosing Key
$\mathrm{Kg}()$: A random symmetric encryption key $k_{enc} \xleftarrow{R} \mathcal{K}_{enc}$ and a random MAC key $k_{mac} \xleftarrow{R} \mathcal{K}_{mac}$ are chosen. The secret key is $sk = (k_{enc}, k_{mac})$. Since this is private verification, there is no public key $pk$.
25-28 RAPTOR-PoR: Preparing File for Storing
- First $M = (x_1, \ldots, x_k)$, where each $x_i$ is $l$ bits, is encoded by an erasure code $C_n$ to obtain $M' = (y_1, \ldots, y_n)$, where $C_n$ is such that any $\rho n$ symbols from $(y_1, \ldots, y_n)$ are enough for the reconstruction of $M$.
- Choose a PRF key $k_{prf} \xleftarrow{R} \mathcal{K}_{prf}$ and a random binary $l \times l$ matrix $A = [A_1, \ldots, A_l]^T$, where each $A_i$ is an $l$-bit row vector.
- Let $t_0 = n \,\|\, \mathrm{Enc}_{k_{enc}}(k_{prf} \,\|\, A_1 \,\|\, \cdots \,\|\, A_l)$, and let $t = t_0 \,\|\, \mathrm{MAC}_{k_{mac}}(t_0)$ be the file tag.
- For each $i$, $1 \le i \le n$, create the authenticator $\sigma_i = \mathrm{PRF}_{k_{prf}}(i) \oplus y_i A$. Each $\sigma_i$ is also an $l$-bit symbol.
- Then $M^* = (y_1, \ldots, y_n, \sigma_1, \ldots, \sigma_n)$ is the processed file. Send $M^*$ and $t$ to the cloud.
29-30 RAPTOR-PoR: Audit (1)
$\mathcal{V}.\mathrm{Tagcheck}(sk, t)$: Obtains $k_{mac}$ and $k_{enc}$ from the secret key $sk$. Recall $t_0 = n \,\|\, \mathrm{Enc}_{k_{enc}}(k_{prf} \,\|\, A_1 \,\|\, \cdots \,\|\, A_l)$ and $t = t_0 \,\|\, \mathrm{MAC}_{k_{mac}}(t_0)$. Receives the tag $t$ from the prover and verifies it with $k_{mac}$; if the MAC does not match, quit the audit. Otherwise, using the symmetric key $k_{enc}$, decrypt $\mathrm{Enc}_{k_{enc}}(k_{prf} \,\|\, A_1 \,\|\, \cdots \,\|\, A_l)$ and recover $n$, $k_{prf}$ and the matrix $A$.
$\mathcal{V}.\mathrm{Chal}(n)$: Choose an integer $w$ using the degree distribution with the generator polynomial $w_D(x) = \sum_{i=1}^{n} w_i x^i$. Then choose $w$ indices, say $\{i_1, \ldots, i_w\}$, uniformly from $\{1, \ldots, n\}$, and choose one index, say $c$, uniformly at random from $\{i_1, \ldots, i_w\}$. Send $Q = (\{i_1, \ldots, i_w\}, \{c\})$ to the prover.
31-32 RAPTOR-PoR: Audit (2)
$\mathcal{P}(Q, M^*)$: In response to the challenge $Q$ compute
$$r = y_{i_1} \oplus \cdots \oplus y_{i_w}, \qquad \sigma = \sigma_{i_1} \oplus \cdots \oplus \sigma_{i_w}. \qquad (3)$$
Send $\mathit{resp} = (r, \sigma, y_c, \sigma_c)$ to the verifier.
$\mathcal{V}.\mathrm{Ver}(A, k_{prf}, \mathit{resp})$: After receiving the prover's response, check whether
$$\sigma \stackrel{?}{=} rA \oplus \bigoplus_{i \in \{i_1, \ldots, i_w\}} \mathrm{PRF}_{k_{prf}}(i), \qquad \sigma_c \stackrel{?}{=} \mathrm{PRF}_{k_{prf}}(c) \oplus y_c A.$$
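The file preparation of slides 25-28 and the audit of slides 29-32 fit in a short program. The block below is an added example and not the paper's code: symbols are $l$-bit integers with $l = 64$, $\mathrm{PRF}_{k_{prf}}(i)$ is HMAC-SHA256 truncated to $l$ bits, and $yA$ is computed over $\mathrm{GF}(2)$ by XORing the rows $A_i$ selected by the set bits of $y$. Three simplifications are assumptions of this example: the symbols $y_1, \ldots, y_n$ are taken as already precoded (no $C_n$ is implemented), the verifier keeps $(n, k_{prf}, A)$ locally instead of recovering them from the encrypted and MACed tag $t$, and the challenge size $w$ is passed in by the caller rather than drawn from $w_D(x)$. Keys and data are constructed for the demo.

```python
import hashlib
import hmac
import random

# Added example, not the paper's code: a toy RAPTOR-PoR audit (slides 24-32).
# Assumptions: y_1..y_n are already erasure-coded by the precode C_n (not
# implemented here); the verifier holds (n, k_prf, A) instead of decrypting
# them from the tag t; the challenge size w is supplied by the caller, whereas
# the scheme draws it from w_D(x). Keys and data below are constructed.

L = 64  # symbol length l in bits


def prf(k_prf, i):
    """PRF_{k_prf}(i) as an l-bit value (HMAC-SHA256 truncated)."""
    mac = hmac.new(k_prf, i.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[: L // 8], "big")


def random_matrix(rng):
    """A = [A_1, ..., A_l]^T with each row A_i an l-bit vector."""
    return [rng.getrandbits(L) for _ in range(L)]


def vec_mat(y, A):
    """y A over GF(2): XOR of the rows A_i selected by the set bits of y.
    Linear in y, so (y xor y') A == yA xor y'A, which is what Ver relies on."""
    out = 0
    for i in range(L):
        if (y >> i) & 1:
            out ^= A[i]
    return out


def prepare(y, k_prf, A):
    """sigma_i = PRF(i) xor y_i A; M* = (y, sigma) is what the cloud stores."""
    return [prf(k_prf, i) ^ vec_mat(yi, A) for i, yi in enumerate(y)]


def challenge(n, w, rng):
    """V.Chal: w distinct indices plus one spot-check index c among them."""
    idx = rng.sample(range(n), w)
    return idx, rng.choice(idx)


def respond(y, sigma, Q):
    """P: r = xor of y_i and sigma = xor of sigma_i over the challenged set,
    plus the spot-checked pair (y_c, sigma_c). Only XORs, no field arithmetic."""
    idx, c = Q
    r = s = 0
    for i in idx:
        r ^= y[i]
        s ^= sigma[i]
    return r, s, y[c], sigma[c]


def verify(k_prf, A, Q, resp):
    """V.Ver: sigma == rA xor XOR_i PRF(i), and sigma_c == PRF(c) xor y_c A."""
    idx, c = Q
    r, s, y_c, s_c = resp
    expect = vec_mat(r, A)
    for i in idx:
        expect ^= prf(k_prf, i)
    return s == expect and s_c == (prf(k_prf, c) ^ vec_mat(y_c, A))


def demo(seed=0):
    rng = random.Random(seed)
    k_prf = b"constructed-raptor-por-prf-key"
    A = random_matrix(rng)
    y = [rng.getrandbits(L) for _ in range(32)]  # constructed precoded symbols y_1..y_n
    sigma = prepare(y, k_prf, A)
    Q = challenge(len(y), 4, rng)
    honest = verify(k_prf, A, Q, respond(y, sigma, Q))
    # The cloud silently corrupted symbol 5 but still holds the old sigma_5.
    damaged = list(y)
    damaged[5] ^= 1
    q_hit = ([5, 9, 13], 9)  # a challenge that touches the damaged symbol
    return honest, verify(k_prf, A, q_hit, respond(damaged, sigma, q_hit))


if __name__ == "__main__":
    print(demo())  # expected (True, False)
```

The aggregate check works because $\bigoplus \sigma_i = \bigoplus \mathrm{PRF}_{k_{prf}}(i) \oplus (\bigoplus y_i)A$ by linearity of $y \mapsto yA$; the corrupted response changes $r$ by the one-bit difference, so the verifier's $rA$ differs from the stored $\sigma$ by the row $A_1$, which is non-zero except with probability $2^{-l}$.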
33 Parameters for RAPTOR-PoR
Refer to the Raptor code parameters: we take $\alpha = 1/l$, where $l$ is the security parameter.
- The rate of the precode $C_n$ is $R = \frac{2l+1}{2l+2}$. Then $n = \mathrm{poly}(l)$ if $k = \mathrm{poly}(l)$.
- The erasure probability that $C_n$ can handle is $1 - \rho = \frac{1}{4(l+1)}$.
- $D = 4(l+1)$, $\mu = \frac{1}{2l} + \frac{1}{4l^2}$, and the degree distribution is
$$w_D(x) = \frac{2l+1}{4l^2+2l+1}\, x + \frac{4l^2}{4l^2+2l+1}\left(\sum_{i=2}^{4(l+1)} \frac{x^i}{(i-1)\,i} + \frac{x^{4l+5}}{4l+4}\right).$$
- The mean of this distribution is $\ln(l) + \beta + O(1/l) = O(\log l)$, where $1 < \beta < 1 + \gamma + \ln(9)$ and the constant $\gamma$ is Euler's constant.
34 RAPTOR-PoR: Result on Extractor
Theorem. If the prover is $\epsilon$-admissible, then after running the Audit protocol for $\frac{(1+1/l)k}{\epsilon}$ iterations the extractor will be able to retrieve the file with error probability $e^{-\mathrm{poly}(l)}$.
35 RAPTOR-PoR: Comparison with other PoR schemes
- All previous schemes challenge a fixed number of blocks, of order $O(l)$.
- In our scheme, the size of the challenge set is chosen from the interval $[1, 4l+5]$ according to the probability distribution $w_D(x)$. So in the worst case it is $O(l)$. However, in the average case it is $\ln(l) + \beta + O(1/l)$, where $1 < \beta < 1 + \gamma + \ln(9)$, i.e., $O(\log l)$.
- This also means that the cloud has to consider $O(\log l)$ blocks while computing a response in the average case.
- In RAPTOR-PoR, the response is formed just by XORing $w$ $l$-bit elements, whereas to form a response for a challenge on $w$ elements in the SW 2008 scheme one has to compute $w$ multiplications and $(w-1)$ additions over $\mathbb{Z}_p$.
36 Conclusion
- We have proposed a PoR construction based on the SW 2008 PoR and improved the response computation. Notably, we use challenges of variable length which are chosen probabilistically.
- The next task is an efficient implementation of our scheme, which requires additional measures. For instance, applying erasure encoding on a big file is not practical, so the file should be divided into stripes and erasure encoding applied on each stripe. This requires a completely new analysis of the scheme.
37 THANK YOU
CSA E0 312: Secure Computation September 09, 2015 Instructor: Arpita Patra [Lecture 9-10] Submitted by: Pratik Sarkar 1 Summary In this lecture we will introduce the concept of Public Key Samplability
More informationLecture 30: Hybrid Encryption and Prime Number Generation. Hybrid Encryption & Primes
Lecture 30: Hybrid Encryption and Prime Number Generation Recall: ElGamal Encryption I We begin by recalling the ElGamal Public-key Encryption Recall that to describe a private-key encryption scheme we
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationVerifying Computations in the Cloud (and Elsewhere) Michael Mitzenmacher, Harvard University Work offloaded to Justin Thaler, Harvard University
Verifying Computations in the Cloud (and Elsewhere) Michael Mitzenmacher, Harvard University Work offloaded to Justin Thaler, Harvard University Goals of Verifiable Computation Provide user with correctness
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationk-nearest Neighbor Classification over Semantically Secure Encry
k-nearest Neighbor Classification over Semantically Secure Encrypted Relational Data Reporter:Ximeng Liu Supervisor: Rongxing Lu School of EEE, NTU May 9, 2014 1 2 3 4 5 Outline 1. Samanthula B K, Elmehdwi
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationDetection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors
Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors February 1, 2008 Ronald Cramer 1,2, Yevgeniy Dodis 3, Serge Fehr 2, Carles Padró 4, and Daniel Wichs
More informationLecture 3,4: Multiparty Computation
CS 276 Cryptography January 26/28, 2016 Lecture 3,4: Multiparty Computation Instructor: Sanjam Garg Scribe: Joseph Hui 1 Constant-Round Multiparty Computation Last time we considered the GMW protocol,
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationA Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes
A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes Stefan Dziembowski Department of Computer Science University of Rome, La Sapienza Abstract. Forward-Secure Storage
More informationMultiparty Computation
Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:
More informationLattice Cryptography
CSE 06A: Lattice Algorithms and Applications Winter 01 Instructor: Daniele Micciancio Lattice Cryptography UCSD CSE Many problems on point lattices are computationally hard. One of the most important hard
More informationEE376A - Information Theory Midterm, Tuesday February 10th. Please start answering each question on a new page of the answer booklet.
EE376A - Information Theory Midterm, Tuesday February 10th Instructions: You have two hours, 7PM - 9PM The exam has 3 questions, totaling 100 points. Please start answering each question on a new page
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationSecure Computation of Hidden Markov Models and Secure Floating-Point Arithmetic in the Malicious Model
Noname manuscript No. (will be inserted by the editor) Secure Computation of Hidden Markov Models and Secure Floating-Point Arithmetic in the Malicious Model Mehrdad Aliasgari Marina Blanton Fattaneh Bayatbabolghani
More informationLecture 22: RSA Encryption. RSA Encryption
Lecture 22: Recall: RSA Assumption We pick two primes uniformly and independently at random p, q $ P n We define N = p q We shall work over the group (Z N, ), where Z N is the set of all natural numbers
More informationCS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn
CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, 2014 Instructor: Rachel Lin 1 Recap Lecture 5: RSA OWFs Scribe: Tiawna Cayton Last class we discussed a collection of one-way functions (OWFs),
More informationOn Expected Constant-Round Protocols for Byzantine Agreement
On Expected Constant-Round Protocols for Byzantine Agreement Jonathan Katz Chiu-Yuen Koo Abstract In a seminal paper, Feldman and Micali show an n-party Byzantine agreement protocol in the plain model
More informationFour-state Non-malleable Codes with Explicit Constant Rate
Four-state Non-malleable Codes with Explicit Constant Rate Bhavana Kanukurthi Sai Lakshmi Bhavana Obbattu Sruthi Sekar Indian Institute Of Science, Bangalore Abstract. Non-malleable codes (NMCs), introduced
More informationIII. Authentication - identification protocols
III. Authentication - identification protocols Definition 3.1 A cryptographic protocol is a distributed algorithm describing precisely the interaction between two or more parties, achieving certain security
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More information6.080 / Great Ideas in Theoretical Computer Science Spring 2008
MIT OpenCourseWare http://ocw.mit.edu 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research Computing on Encrypted Data
More informationNon-Conversation-Based Zero Knowledge
Non-Conversation-Based Zero Knowledge JOËL ALWEN Università di Salerno 84084 Fisciano (SA) ITALY jfa237@nyu.edu GIUSEPPE PERSIANO Università di Salerno 84084 Fisciano (SA) ITALY giuper@dia.unisa.it Submission
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationSecret Sharing CPT, Version 3
Secret Sharing CPT, 2006 Version 3 1 Introduction In all secure systems that use cryptography in practice, keys have to be protected by encryption under other keys when they are stored in a physically
More information