Adaptive partitioning. Dennis Hofheinz (KIT, Karlsruhe)
Public-Key Encryption

Accepted security notion: chosen-ciphertext security (IND-CCA)
[Figure: IND-CCA game. The Challenger sends pk to Adversary A; A may query Dec(sk, ·); A sends m0, m1 and receives Enc(pk, mb); A outputs a guess b'.]
Adv(A) = Pr[b = b'] − 1/2, should be negligible
Observation: covers only the 1-user, 1-ciphertext scenario
Hybrid argument ⇒ multi-user, multi-ciphertext security
But: security guarantees may degrade in scenario size
So: scenario size may influence keylength recommendations
This talk

Tightly secure PKE: multi-challenge IND-CCA
[Figure: the same game as before, but the (m0, m1) → Enc(pk, mb) exchange is repeated many times with the same bit b, while A keeps access to Dec(sk, ·).]
Adv(A) = Pr[b = b'] − 1/2, should be negligible
Goal: tight reduction to a standard assumption (e.g., DDH)
Tight: reduction loss independent of the number of ciphertexts/queries
Enables security guarantees for arbitrary/unknown scenarios
Difficulty: standard techniques yield non-tight reductions
Tight CCA security

Tightly secure PKE: multi-challenge IND-CCA
[Figure: A sends (m0(1), m1(1)) and receives C(1) = Enc(pk, mb(1)), ..., sends (m0(Q), m1(Q)) and receives C(Q) = Enc(pk, mb(Q)).]
Standard techniques yield non-tight reductions, examples:
  IBE: reduction knows a "punctured" sk, randomize one C(i)
  HPS: reduction knows the full sk, entropy in sk randomizes one C(i)
  NY (double encryption with consistency proof): make one C(i) "special" (with simulated proof), requires simulation-soundness
Difficulty: simulation-soundness in the face of many simulated proofs
Previous work / contribution

  Scheme     pk     C (KEM)  Loss   Assumption
  CS98/BBM                    O(Q)   DDH
  KD04/BBM                    O(Q)   DDH
  CS                          O(Q)   DCR
  HJ12       O(1)   O(λ)     O(1)   DLIN (PFG)
  LPJY15     O(λ)   47       O(λ)   DLIN (PFG)
  H                           O(λ)   DLIN (PFG)
  GHKW16     2λ     3        O(λ)   DDH
  This work  24     6        O(λ)   DLIN (PFG)
  This work                   O(λ)   DCR

This work: not yet practical, but conceptual progress
Generic new techniques to randomize challenge ciphertexts
Yields the first DCR-based tightly secure PKE scheme
Remaining talk: overview of the new techniques
Basic strategy

Starting point: Naor-Yung double encryption: C = ( C0 = Enc(pk0, M0), C1 = Enc(pk1, M1), π )
Consistency proof π: proves that M0 = M1
Naor-Yung encryption

C = ( C0 = Enc(pk0, M0), C1 = Enc(pk1, M1), π )
One (known) way to prove Naor-Yung secure (the property justifying each game hop is given in brackets):
  0) IND-CCA experiment (many challenges), use sk0 to decrypt
  1) simulate all proofs π (using the NIZK simulator) in challenges [NIZK indistinguishability]
  2) randomize all M1 in challenges [CPA security]
  3) use sk1 (not sk0) to decrypt (in decryption queries) [simulation-soundness]
  4) randomize all M0 in challenges [CPA security]
Difficulty outsourced into simulation-sound NIZK proofs π (many-challenge setting, with tight security reduction)
This work: new randomization strategy, new way to prove NY in the multi-challenge setting
Recap: hash proof systems

Ingredient: hash proof systems (designated-verifier NIZKs)
[Figure: the Prover (knows hpk) sends (x, π) to the Verifier (knows hsk).]
Unique proofs for x ∈ L, which can be computed in two ways: π = hpk(x, w) = hsk(x)
NIZK simulator uses the secret key hsk to compute π
Statistical soundness: if only proofs for true statements x are known, then any proof π for a false x is information-theoretically hidden
Efficient HPSs for linear [CS02] and OR-languages [ABP15] are known
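To make the two-way computation and the smoothness property concrete, here is an added Python example (not from the talk) of the DDH-based hash proof system of [CS02] for the linear language L = {(g1^r, g2^r)} in a toy prime-order group; it also illustrates why, in the proof system sketched below, a simulator holding hsk can produce proofs for false statements. The group parameters (p = 1019, q = 509, g1 = 4, g2 = g1^123) are constructed for the demonstration and far too small for real use; they only keep the key enumeration in `proof_value_distribution` cheap.

```python
import secrets

# Constructed toy group: p = 2q + 1 is a safe prime, so the quadratic residues
# mod p form a subgroup of prime order q. Far too small for real use.
P = 1019
Q = 509
G1 = 4                       # 2^2 mod p, a quadratic residue, hence of order q
ALPHA = 123                  # constructed; g2 = g1^alpha keeps g2 in the subgroup
G2 = pow(G1, ALPHA, P)


def keygen():
    """hsk = (k1, k2) in Z_q^2; hpk = g1^k1 * g2^k2 is its public projection."""
    k1, k2 = secrets.randbelow(Q), secrets.randbelow(Q)
    hpk = (pow(G1, k1, P) * pow(G2, k2, P)) % P
    return (k1, k2), hpk


def sample_in_L():
    """x = (g1^r, g2^r) is in L; the witness is w = r."""
    r = secrets.randbelow(Q)
    return (pow(G1, r, P), pow(G2, r, P)), r


def sample_not_in_L():
    """x = (g1^r, g2^r') with r != r' mod q, so x lies outside L."""
    r = secrets.randbelow(Q)
    r2 = (r + 1 + secrets.randbelow(Q - 1)) % Q   # any value except r
    return (pow(G1, r, P), pow(G2, r2, P))


def prove_with_hpk(hpk, x, w):
    """Prover's route: pi = hpk(x, w) = hpk^w. Needs the witness w = r."""
    return pow(hpk, w, P)


def prove_with_hsk(hsk, x):
    """Verifier's (and NIZK simulator's) route: pi = hsk(x) = x1^k1 * x2^k2.

    Needs no witness, so the holder of hsk can also 'prove' x outside L."""
    k1, k2 = hsk
    return (pow(x[0], k1, P) * pow(x[1], k2, P)) % P


def verify(hsk, x, pi):
    """Designated-verifier check: recompute hsk(x) and compare."""
    return prove_with_hsk(hsk, x) == pi


def keys_consistent_with(hpk):
    """All hsk that project to hpk.

    hpk = g1^(k1 + alpha*k2), so every k2 in Z_q pairs with exactly one k1.
    The discrete log c of hpk is found by brute force (toy group only)."""
    c = next(e for e in range(Q) if pow(G1, e, P) == hpk)
    return [((c - ALPHA * k2) % Q, k2) for k2 in range(Q)]


def proof_value_distribution(hpk, x):
    """Set of hsk(x) over all hsk consistent with hpk.

    For x in L this is a single value (the proof is unique and public);
    for x outside L it is all q group elements (smoothness), so seeing hpk
    and proofs for true statements reveals nothing about hsk(x)."""
    return {prove_with_hsk(hsk, x) for hsk in keys_consistent_with(hpk)}


if __name__ == "__main__":
    hsk, hpk = keygen()
    x, w = sample_in_L()
    print("prover proof == verifier proof for x in L:",
          prove_with_hpk(hpk, x, w) == prove_with_hsk(hsk, x))
    print("possible proof values, x in L:", len(proof_value_distribution(hpk, x)))
    y = sample_not_in_L()
    print("possible proof values, x not in L:", len(proof_value_distribution(hpk, y)))
```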
Idea for our proof system (uses HPSs)

C = ( C0 = Enc(pk0, M0), C1 = Enc(pk1, M1), π )
Structure of π: π = (π0, π1, Com(τ)), where
  τ is a random bit (similar to the Katz-Wang signature scheme)
  π0 is an HPS proof (under hsk0) for (M0 = M1 ∨ τ = 0)
  π1 is an HPS proof (under hsk1) for (M0 = M1 ∨ τ = 1)
A simulated π for a bad C breaks only hsk_{1−τ} (but not hsk_τ)
Adaptive partitioning

C = ( C0 = Enc(pk0, M0), C1 = Enc(pk1, M1), π ), π = (π0, π1, Com(τ))
π0 proves (M0 = M1 ∨ τ = 0) under hsk0; π1 proves (M0 = M1 ∨ τ = 1) under hsk1
Randomization strategy:
[Figure, built up over several slides: the challenge ciphertexts C(1), C(2), C(5), C(10), ..., C(Q) are partitioned by their bit τ (τ = 0 / τ = 1); one half of the partition is randomized, the partition is refreshed, and the process repeats.]
Requires O(λ) steps
Adaptive partitioning

Step 1: guess τ* (the τ of the first Dec-query with valid π and M0 ≠ M1)
  (This means the adversary breaks soundness of hsk_{1−τ*})
Step 2: randomize all challenge ciphertexts with τ = 1 − τ*
  (This allows to randomize half of all challenge ciphertexts)
Step 3: re-randomize the partitioning bit τ in challenges, then goto 1
  (Prepare to randomize one half of another random partition of challenges)
Difference to [KW03]: KW keep τ public (but simulation capabilities hidden)
Adaptive partitioning

Illustration:
[Figure, built up over several slides: the challenge ciphertexts C(1), C(2), C(5), C(10), ..., C(Q) together with a decryption query C*, partitioned by τ (τ = 0 / τ = 1); the half whose bit is opposite to τ* is randomized.]
Adaptive partitioning

Omitted difficulty: how does this re-partitioning work?
Step 3: re-randomize the partitioning bit τ in challenges, then goto 1 (prepare to randomize one half of another random partition of challenges)
Problem: how to manage/recall what is randomized
Solution idea: in the i-th randomization cycle, use the i-th bit of H(C0, C1)
Remaining problem: efficient HPSs for OR-proofs
  In pairing-friendly groups: [ABP15]
  In the DCR setting: new proof system (uses that we can compute dlogs in DCR)
Summary

New strategy to obtain tightly IND-CCA secure PKE schemes
Core difference to previous approaches: decide adaptively which ciphertexts are to be randomized in each randomization cycle
Main benefit: DCR-based solution (using new OR-proofs)
Follow-up work shows the potential of the ideas:
  Compact tightly secure PKE from DDH
  Compact tightly secure structure-preserving signatures
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationSecure Certificateless Public Key Encryption without Redundancy
Secure Certificateless Public Key Encryption without Redundancy Yinxia Sun and Futai Zhang School of Mathematics and Computer Science Nanjing Normal University, Nanjing 210097, P.R.China Abstract. Certificateless
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More informationA Twist on the Naor-Yung Paradigm and Its Application to Ecient CCA-Secure Encryption from Hard Search Problems
A Twist on the Naor-Yung Paradigm and Its Application to Ecient CCA-Secure Encryption from Hard Search Problems Ronald Cramer, Dennis Hofheinz, and Eike Kiltz Abstract. The Naor-Yung (NY) paradigm shows
More informationChosen-Ciphertext Security from Subset Sum
Chosen-Ciphertext Security from Subset Sum Sebastian Faust 1, Daniel Masny 1, and Daniele Venturi 2 1 Horst-Görtz Institute for IT Security and Faculty of Mathematics, Ruhr-Universität Bochum, Bochum,
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationOn the Selective-Opening Security of DHIES
On the Selective-Opening Security of DHIES and other practical encryption schemes UbiCrypt Research Retreat, Schloss Raesfeld: 29.& 30. Sep. 2014 Felix Heuer, Tibor Jager, Eike Kiltz, Sven Schäge Horst
More informationSearchable encryption & Anonymous encryption
Searchable encryption & Anonymous encryption Michel Abdalla ENS & CNS February 17, 2014 MPI - Course 2-12-1 Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, 2014 1 /
More informationEfficient Fully-Leakage Resilient One-More Signature Schemes
Efficient Fully-Leakage Resilient One-More Signature Schemes Antonio Faonio IMDEA Software Institute, Madrid, Spain In a recent paper Faonio, Nielsen and Venturi (ICALP 2015) gave new constructions of
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationOn the CCA1-Security of Elgamal and Damgård s Elgamal
On the CCA1-Security of Elgamal and Damgård s Elgamal Cybernetica AS, Estonia Tallinn University, Estonia October 21, 2010 Outline I Motivation 1 Motivation 2 3 Motivation Three well-known security requirements
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationStandard versus Selective Opening Security: Separation and Equivalence Results
Standard versus Selective Opening Security: Separation and Equivalence Results Dennis Hofheinz and Andy Rupp Karlsruhe Institute of Technology, Germany {dennis.hofheinz,andy.rupp}@kit.edu Supported by
More informationEnhanced Chosen-Ciphertext Security and Applications
Enhanced Chosen-Ciphertext Security and Applications Dana Dachman-Soled 1 Georg Fuchsbauer 2 Payman Mohassel 3 Adam O Neill 4 Abstract We introduce and study a new notion of enhanced chosen-ciphertext
More informationSimulation-based Selective Opening CCA Security for PKE from Key Encapsulation Mechanisms
Simulation-based Selective Opening CCA Security for PKE from Key Encapsulation Mechanisms Shengli Liu 1 and Kenneth G. Paterson 2 1 Department of Computer Science and Engineering, Shanghai Jiao Tong University,
More informationRandom Oracles in a Quantum World
Dan Boneh 1 Özgür Dagdelen 2 Marc Fischlin 2 Anja Lehmann 3 Christian Schaffner 4 Mark Zhandry 1 1 Stanford University, USA 2 CASED & Darmstadt University of Technology, Germany 3 IBM Research Zurich,
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationOn The Security of The ElGamal Encryption Scheme and Damgård s Variant
On The Security of The ElGamal Encryption Scheme and Damgård s Variant J. Wu and D.R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada {j32wu,dstinson}@uwaterloo.ca
More informationStrong Security Models for Public-Key Encryption Schemes
Strong Security Models for Public-Key Encryption Schemes Pooya Farshim (Joint Work with Manuel Barbosa) Information Security Group, Royal Holloway, University of London, Egham TW20 0EX, United Kingdom.
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationEfficient Constructions of Deterministic Encryption from Hybrid Encryption and Code-Based PKE
Efficient Constructions of Deterministic Encryption from Hybrid Encryption and Code-Based PKE Yang Cui 1,2, Kirill Morozov 1, Kazukuni Kobara 1,2, and Hideki Imai 1,2 1 Research Center for Information
More informationLossy Trapdoor Functions and Their Applications
Lossy Trapdoor Functions and Their Applications Chris Peikert SRI International Brent Waters SRI International August 29, 2008 Abstract We propose a general cryptographic primitive called lossy trapdoor
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More informationStronger Public Key Encryption Schemes
Stronger Public Key Encryption Schemes Withstanding RAM Scraper Like Attacks Prof. C.Pandu Rangan Professor, Indian Institute of Technology - Madras, Chennai, India-600036. C.Pandu Rangan (IIT Madras)
More informationOn Notions of Security for Deterministic Encryption, and Efficient Constructions without Random Oracles
A preliminary version of this paper appears in Advances in Cryptology - CRYPTO 2008, 28th Annual International Cryptology Conference, D. Wagner ed., LNCS, Springer, 2008. This is the full version. On Notions
More informationDisjunctions for Hash Proof Systems: New Constructions and Applications
Disjunctions for Hash Proof Systems: New Constructions and Applications Michel Abdalla, Fabrice Benhamouda, and David Pointcheval ENS, Paris, France Abstract. Hash Proof Systems were first introduced by
More informationIdentity-based encryption
Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages
More informationHierarchical identity-based encryption
Hierarchical identity-based encryption Michel Abdalla ENS & CNS September 26, 2011 MPI - Course 2-12-1 Lecture 3 - Part 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26,
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationPairing-Based Cryptography An Introduction
ECRYPT Summer School Samos 1 Pairing-Based Cryptography An Introduction Kenny Paterson kenny.paterson@rhul.ac.uk May 4th 2007 ECRYPT Summer School Samos 2 The Pairings Explosion Pairings originally used
More informationNon-Malleable Codes from Average-Case Hardness: AC 0, Decision Trees, and Streaming Space-Bounded Tampering
Non-Malleable Codes from Average-Case Hardness: AC 0, Decision Trees, and Streaming Space-Bounded Tampering Marshall Ball 1, Dana Dachman-Soled 2, Mukul Kulkarni 2, and Tal Malkin 1 1 Columbia University
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationPublic-Key Encryption
Public-Key Encryption 601.642/442: Modern Cryptography Fall 2017 601.642/442: Modern Cryptography Public-Key Encryption Fall 2017 1 / 14 The Setting Alice and Bob don t share any secret Alice wants to
More informationTightly Secure Signatures and Public-Key Encryption
Tightly Secure Signatures and Public-Key Encryption Dennis Hofheinz and Tibor Jager Karlsruhe Institute of Technology, Germany {dennis.hofheinz,tibor.jager}@kit.edu Abstract We construct the first public-key
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationThe Kernel Matrix Diffie-Hellman Assumption
The Kernel Matrix Diffie-Hellman Assumption Carla Ràfols 1, Paz Morillo 2 and Jorge L. Villar 2 1 Universitat Pompeu Fabra (UPF) Spain 2 Universitat Politècnica de Catalunya (UPC) Spain Matemática Aplicada
More information8 Security against Chosen Plaintext
8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationRound-Optimal Password-Based Authenticated Key Exchange
Round-Optimal Password-Based Authenticated Key Exchange Jonathan Katz Vinod Vaikuntanathan Abstract We show a general framework for constructing password-based authenticated key-exchange protocols with
More informationTamper and Leakage Resilience in the Split-State Model
Tamper and Leakage Resilience in the Split-State Model Feng-Hao Liu and Anna Lysyanskaya May 4, 2012 Abstract It is notoriously difficult to create hardware that is immune from side channel and tampering
More informationOn Post-Quantum Cryptography
On Post-Quantum Cryptography Ehsan Ebrahimi Quantum Cryptography Group University of Tartu, Estonia 15 March 2018 Information Security and Cryptography Group Seminar Post-Quantum Cryptography Users intend
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationNon-Interactive Zero-Knowledge Proofs of Non-Membership
Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building
More informationREMARKS ON IBE SCHEME OF WANG AND CAO
REMARKS ON IBE SCEME OF WANG AND CAO Sunder Lal and Priyam Sharma Derpartment of Mathematics, Dr. B.R.A.(Agra), University, Agra-800(UP), India. E-mail- sunder_lal@rediffmail.com, priyam_sharma.ibs@rediffmail.com
More informationThe Cramer-Shoup Cryptosystem
The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationTightly SIM-SO-CCA Secure Public Key Encryption from Standard Assumptions
Tightly SIM-SO-CCA Secure Public Key Encryption from Standard Assumptions Lin Lyu 1,2, Shengli Liu 1,2,3( ), Shuai Han 1,2,4, and Dawu Gu 5,1 1 Dept. of Computer Science and Engineering, Shanghai Jiao
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationA Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
More informationEfficient Chosen-Ciphertext Security via Extractable Hash Proofs
Efficient Chosen-Ciphertext Security via Extractable Hash Proofs Hoeteck Wee Queens College, CUNY hoeteck@cs.qc.cuny.edu Abstract. We introduce the notion of an extractable hash proof system. Essentially,
More information