Efficient Public-Key Distance Bounding
|
|
- Egbert White
- 5 years ago
- Views:
Transcription
1 Efficient Public-Key Distance Bounding HNDN KILINÇ ND SERGE VUDENY 1
2 1. Introduction of Distance Bounding 2. Formal Definitions for Security and Privacy 3. Weak uthenticated Key greement 4. Our Protocols: Eff-pkDB and Eff-pkDB private 5. Conclusion 2
3 Introduction 3
4 Relay ttack 4
5 Distance Bounding Introduced by Brands and Chaum Verifier Prover The prover authenticates and proves its proximity to the verifier. 5
6 Distance Bounding Symmetric Distance Bounding: The prover and verifier share a secret Public-key Distance Bounding: The prover has the public-key of the verifier The verifier has the public-key of the prover 6
7 Problems in Public-key DB Slower than symmetric key operations Limited computational resources on the devices Construct an efficient and secure public-key distance bounding 7
8 1. Introduction of Distance Bounding 2. Formal Definitions for Security and Privacy 3. Weak uthenticated Key greement 4. Our Protocols: Eff-pkDB and Eff-pkDB private 5. Conclusion 8
9 Public-key Distance Bounding (public key) distance bounding protocol is a two party probabilistic polynomial time (PPT) protocol and consists of a tuple (K P, K V, P, V, B). K P (sk P, pk P ), K V (sk V, pk V ) P(sk P, pk P, pk V ) is proving algorithm, V(sk V, pk V ) is verifying algorithm, B is distance bound t the end of the protocol, the verifier V(sk V, pk V ) sends a final message Out V. If Out V = 1, then the verifier accepts. If Out V = 0, then the verifier rejects. 9
10 Man-in-the-middle (MiM) Security Honest and far-away prover and adversary K P (sk P, pk P ), K V (sk V, pk V ) pk P, pk V If Out V = 1 and pk P wins negligible P n P n P 1 B V P V 1 P 2 P 1 V 2 V i V n = B P 2 V ni 2 V 1 P 10
11 Distance Fraud (DF) Security Malicious and far-away prover pk K V (sk V, pk V ) V = P genkeys(pk V ) (sk P, pk P ) If Out V = 1 and pk P P wins negligible P n P n P 1 B P P 1 B P V V 1 V 2 V i V n = V V 1i 2 P i P 2 P 2 11
12 Distance Hijacking (DH) Security Malicious and far-away prover and hones and close prover K V sk V, pk V K P (sk P, pk P ), pk V, pk P = P genkeys(pk V, pk P ) (sk P, pk P ) If Out V = 1 and pk P P wins negligible B P P 1 P 1 P n P n B P 1 P P 1 P V P V 1 P 2 V 2 P i V i V n P n = P i P 2 V n1 i2 P n P 2 P 2 12
13 Strong Privacy (HPVP Model) P 1, P 2,, P n and can corrupt the provers: learns the secret keys of the provers. s a challenge, picks to provers P i, P j Challenger picks one of them as a virtual tag and gives the virtual prover to. can send messages to the virtual tag. can send messages to the verifier. If can recognizes the virtual tag, then he wins the game. DB protocol is strong private, if wins the above game with the probability at most negligible 13
14 n Overview of Our Protocol Verifier sk V, pk V gree on a key s with using Key greement (K) Protocol Prover sk P, pk P, pk V K Efficiency Security MQV 2.5 No proof HMQV 2.5 CK KE+ 3 CK NXOS 4 eck Run a symmetric-key DB with s CMQV 3 eck What kind of security properties do we need for the key agreement protocol to have MiM, DF and DH secure and strong private DB protocol? 14
15 1. Introduction of Distance Bounding 2. Formal Definitions for Security and Privacy 3. Weak uthenticated Key greement 4. Our Protocols: Eff-pkDB and Eff-pkDB private 5. Conclusion 15
16 uthenticated Key greement (one pass) sk, pk, pk B sk B, pk B, pk N (sk, pk, pk B, N) N D(1 n ) B(sk B, pk B, pk, N) S S 16
17 Decitional-uthenticated Key greement (D-K) Challenger dversary Generate sk, pk, sk B, pk B Pick s 1 Pick b {0,1} s b,n, pk B, pk pk N, s 0 Oracle B (.) N D(1 n ) run B(sk B, pk B,., N) Oracle (.,.) (sk, pk,.,. ) It can access the oracles except (pk B, N) b If b = b It wins 17
18 D-K Privacy Game Challenger dversary Generate sk, pk, sk B1, pk B1 pk, sk B 1, pk B1 Pick b {0,1} N D(1 n ), s = B(sk B b, pk Bb, pk, N) sk B 0, pk B0 s Pick sk B 0, pk B0 Oracle (.,.) (sk, pk,.,. ) b If b = b It wins 18
19 Nonce-DH D-K secure and private key agreement protocol sk Z q pk = g sk sk, pk, pk B Public parameter G order of q and g G sk B, pk B, pk sk B Z q pk B = g sk B N K Effici ency Security MQV 2.5 No proof HMQV 2.5 CK KE+ 3 CK NXOS 4 eck s = H(g, pk B, pk, pk B sk, N) Pick N 0,1 l s = H(g, pk B, pk, pk sk B, N) CMQV 3 eck Nonce-DH 1 D-K Nonce-DH is D-K secure and private in the random oracle model assuming that Gap Diffie-Hellman problem is hard. 19
20 1. Introduction of Distance Bounding 2. Formal Definitions for Security and Privacy 3. Weak uthenticated Key greement 4. Our Protocols: Eff-pkDB and Eff-pkDB private 5. Conclusion 20
21 Eff-pkDB Verifier sk V, pk V Prover sk P, pk P, pk V N, pk P s = (sk, pk, pk B, N) symdb(s) N D(1 n ) s = B(sk P, pk P, pk V, N) Out 21
22 MiM-security of Eff-pkDB If symdb is multi-verifier OT-MiM secure and the key agreement protocol is D-K secure, the Eff-pkDB is MiM-secure. 22
23 MiM-security of Eff-pkDB Game 0: V 1 P 1 N 1 D(1 n ) s = B(sk P, pk P, pk V, N 1 ) V 2 P 2 N 2 D(1 n ) s = B(sk P, pk P, pk V, N 2 ) V 3 P 3 N 1 D(1 n ) s = B(sk P, pk P, pk V, N 1 )... P i V i N D(1 n ) s = B(sk P, pk P, pk V, N i )... P j V j N D(1n) s = B(sk P, pk P, pk V, N i )... V n P n N n D(1 n ) s = B(sk P, pk P, pk V, N n ) V i received N and pk P The prover who generates N is the matching prover Out Vi Pr[Out Vi = 1] = p 0 23
24 MiM-security of Eff-pkDB Game 1: No Nonce is duplicate V 1 V 2 V 3 P 3... P i V i... P j V j... V n P 1 pick N 1 s = B(sk P, pk P, pk V, N 1 ) P 2 pick N 2 s = B(sk P, pk P, pk V, N 2 ) pick N 1 s = B(sk P, pk P, pk V, N 1 ) pick N i s = B(sk P, pk P, pk V, N i ) pick N i s = B(sk P, pk P, pk V, N i ) P n pick N n s = B(sk P, pk P, pk V, N n ) Out Vi We have at most one prover generating N p 1 p 0 is negligible. Game 0 -> Game 1 Pr[Out Vi = 1] = p 1 24
25 MiM-security of Eff-pkDB Game 2: Provers picks secret s randomly V 1 P 1 V 2 P 2... P i... Out Vi V V n i pick s 1 pick s 2 pick s i pick s n P n Pr[Out Vi = 1] = p 2 Simulation of Prover receive s 0, N from Oracle B send pk P, N pick s 1 store N, s 1, pk P to T run symdb(s 1 ) Simulation of Verifier receive N, pk P if N,., pk P in T retrieve s from N, s, pk P else receive s from Oracle (pk P, N ) run symdb(s 1 ) Because of D-K security p 2 p 1 is negligible. Game 0 -> Game 1 -> Game 2 25
26 MiM-security of Eff-pkDB Game 3: Provers picks the nonce without the oracle V 1 P 1 V 2 P 2... P i... Out Vi V V n i pick s 1 pick s 2 pick s i pick s n P n Pr[Out Vi = 1] = p 3 Simulation of Prover N D(1 n ) send pk P, N pick s 1 store N, s 1, pk P to T run symdb(s 1 ) Simulation of Verifier receive N, pk P if N,., pk P in T retrieve s from N, s, pk P else receive s from Oracle (pk P, N ) run symdb(s 1 ) p 3 = p 2. Game 0 -> Game 1 -> Game 2-> Game 3 26
27 MiM-security of Eff-pkDB Game 4: Multi-verifier OT-MiM game The verifier instances V 1 V i V n The prover instance generating N P j The other prover instances are simulated P 1, P 2,, P j 1, P j+1,, P n Out Vi Pr[Out Vi = 1] = p 4 p 4 is negligible because of symdb. Game 0 -> Game 1 -> Game 2-> Game 3->Game 4 p 0 is negligible 27
28 Strong-Private variant of Eff-pkDB Verifier sk V, pk V Prover sk P, pk P, pk V = (pk V1, pk V2 ) e N, pk P = Dec skv 1 (e) s = sk, pk, pk B, N symdb(s) N D(1 n ) e = Enc N, pk pkv 1 P s = B(sk P, pk P, pk V, N) pk P is private output Out 28
29 Strong-privacy of the variant of Eff-pkDB ssuming the key agreement protocol is D-K-private and the cryptosystem is IND-CC secure, then the variant of Eff-pkDB is strong private in HPVP model. 29
30 n instance of Eff-pkDB Nonce-DH+OTDB sk V Z q pk V = g sk V sk V, pk V, pk P Public parameter G order of q and g G sk P, pk P, pk V sk P Z q pk P = g sk P N, pk P s = H g, pk P, pk V, pk P sk V, N pick N V 0,1 2n a = N V s start timer end timer check if i rtt i < 2B and r i is correct N V for i = 0 to n c i r i Out Pick N 0,1 l sk s = H g, pk P, pk V, pk P V, N a = N V s r i = a 2i+ci 30
31 1. Introduction of Distance Bounding 2. Formal Definitions for Security and Privacy 3. Weak uthenticated Key greement 4. Our Protocols: Eff-pkDB and Eff-pkDB private 5. Conclusion 31
32 Conclusion Protocol Security Privacy PK Operation Number of Computations Brands-Chaum MiM, DF No privacy 1 commitment, 1 signature 1 EC multiplication, 2 hashing, 1 modular inversion, 1 random string selection HPO (Hermans et al.) MiM, DF Weak 4 EC multiplication, 2 random string selections, 2 mappings PrivDB (Vaudenay) MiM, DF, DH Strong 1 signature, 1 IND-CC encryption 3 EC multiplication, 2 hashing, 2 random string selections, 1 symmetric key encryption, 1 modular inversion, 1mapping, 1 MC ProProx (Vaudenay) MiM, DF, DH, TF No Privacy n+1 commitment, n ZK proofs eproprox (Vaudenay) MiM, DF, DH, TF Strong 1 encryption, s hashing, n+1 commitments, n ZK proofs Eff-pkDB MiM, DF, DH No Privacy 1 D-K secure K protocol 1 EC multiplication, 2 hashing, 1 random string selection, Private Variant of Eff-pkDB MiM, DF, DH Strong 1 IND-CC encryption, 1 D-K secure K protocol 3 EC multiplication, 2 hashing, 2 random string selections, 1 symmetric key encryption, 1 MC * ECDS for the signature scheme and ECIES for the IND-CC secure encryption scheme 32
A Prover-Anonymous and Terrorist-Fraud Resistant Distance-Bounding Protocol
A Prover-Anonymous and Terrorist-Fraud Resistant Distance-Bounding Protocol Xavier Bultel 1 Sébastien Gambs 2 David Gerault 1 Pascal Lafourcade 1 Cristina Onete 3 Jean-Marc Robert 4 1 University Clermont
More informationNo#ons of Privacy: ID- Hiding, Untrace- ability, Anonymity & Deniability
No#ons of Privacy: ID- Hiding, Untrace- ability, Anonymity & Deniability Paris, 19/03/2014 CIDRE Cristina Onete Meet the girl Need authentication Marie-Claire Cris%na Onete 19/03/2014 2 Secure Authentication
More informationOn the Need for Provably Secure Distance Bounding
On the Need for Provably Secure Distance Bounding Serge Vaudenay ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2012 distance bounding CIoT 2012 1 / 39 1 Introduction to Distance-Bounding
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationCryptography and Security Midterm Exam
Cryptography and Security Midterm Exam Serge Vaudenay 23.11.2017 duration: 1h45 no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationOutline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More informationMarch 19: Zero-Knowledge (cont.) and Signatures
March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationA Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationLecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More informationAdditive Conditional Disclosure of Secrets
Additive Conditional Disclosure of Secrets Sven Laur swen@math.ut.ee Helsinki University of Technology Motivation Consider standard two-party computation protocol. x f 1 (x, y) m 1 m2 m r 1 mr f 2 (x,
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationTowards Secure Distance Bounding
Towards Secure Distance Bounding Ioana Boureanu, Katerina Mitrokotsa, Serge Vaudenay ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2013 distance bounding FSE 2013 1 / 48 1 Why Distance-Bounding?
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationSimple SK-ID-KEM 1. 1 Introduction
1 Simple SK-ID-KEM 1 Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, NW4 4BT, United Kingdom. m.z.cheng@mdx.ac.uk Abstract. In 2001, Boneh and Franklin presented
More informationAnonymous Credentials Light
Anonymous Credentials Light Foteini Baldimtsi, Anna Lysyanskaya foteini,anna@cs.brown.edu Computer Science Department, Brown University Abstract. We define and propose an efficient and provably secure
More informationA Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM
A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM Paulo S. L. M. Barreto Bernardo David Rafael Dowsley Kirill Morozov Anderson C. A. Nascimento Abstract Oblivious Transfer
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More informationEntity Authentication
Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More information1 Basic Number Theory
ECS 228 (Franklin), Winter 2013, Crypto Review 1 Basic Number Theory This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationA New Framework for RFID Privacy
New Framework for RFID Privacy No uthor Given No Institute Given bstract. Formal RFID security and privacy frameworks are fundamental to the design and analysis of robust RFID systems. In this paper, we
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationLecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko
CMSC 858K Advanced Topics in Cryptography February 26, 2004 Lecturer: Jonathan Katz Lecture 10 Scribe(s): Jeffrey Blank Chiu Yuen Koo Nikolai Yakovenko 1 Summary We had previously begun to analyze the
More informationOblivious Transfer and Secure Multi-Party Computation With Malicious Parties
CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More informationRing Group Signatures
Ring Group Signatures Liqun Chen Hewlett-Packard Laboratories, Long Down Avenue, Stoke Gifford, Bristol, BS34 8QZ, United Kingdom. liqun.chen@hp.com Abstract. In many applications of group signatures,
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationA Secure and Efficient Authenticated Diffie Hellman Protocol
A Secure and Efficient Authenticated Diffie Hellman Protocol Augustin P. Sarr 1, Philippe Elbaz Vincent 2, and Jean Claude Bajard 3 1 Netheos R&D 1,2 Institut Fourier CNRS, Université Grenoble 1 3 LIP6
More informationOn The (In)security Of Fischlin s Paradigm
On The (In)security Of Fischlin s Paradigm Prabhanjan Ananth 1, Raghav Bhaskar 1, Vipul Goyal 1, and Vanishree Rao 2 1 Microsoft Research India prabhanjan.va@gmail.com,{rbhaskar,vipul}@microsoft.com 2
More informationEfficient RSA Key Generation and Threshold Paillier in the Two-Party Setting
An extended abstract of this paper was published in the proceedings of CT-RSA 2012. Efficient RSA Key Generation and Threshold Paillier in the Two-Party Setting Carmit Hazay Gert Læssøe Mikkelsen Tal Rabin
More informationOn the Need for Provably Secure Distance Bounding
On the Need for Provably Secure Distance Bounding Ioane Boureanu Ecole Polytechnique Fédérale de Lausanne (EPFL) ESC2013 Outline 1 Topic and Aim 2 Intro to Distance-Bounding Distance-Bounding 3 DB Security
More informationA Novel Strong Designated Verifier Signature Scheme without Random Oracles
1 A Novel Strong Designated Verifier Signature Scheme without Random Oracles Maryam Rajabzadeh Asaar 1, Mahmoud Salmasizadeh 2 1 Department of Electrical Engineering, 2 Electronics Research Institute (Center),
More informationCSA E0 312: Secure Computation September 09, [Lecture 9-10]
CSA E0 312: Secure Computation September 09, 2015 Instructor: Arpita Patra [Lecture 9-10] Submitted by: Pratik Sarkar 1 Summary In this lecture we will introduce the concept of Public Key Samplability
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationOn Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)
On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan) Secure Multiparty Computation (MPC) Ideal World/ Functionality
More informationGentry IBE Paper Reading
Gentry IBE Paper Reading Y. Jiang 1 1 University of Wollongong September 5, 2014 Literature Craig Gentry. Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology - EUROCRYPT
More informationType-based Proxy Re-encryption and its Construction
Type-based Proxy Re-encryption and its Construction Qiang Tang Faculty of EWI, University of Twente, the Netherlands q.tang@utwente.nl Abstract. Recently, the concept of proxy re-encryption has been shown
More informationAnonymous Proxy Signature with Restricted Traceability
Anonymous Proxy Signature with Restricted Traceability Jiannan Wei Joined work with Guomin Yang and Yi Mu University of Wollongong Outline Introduction Motivation and Potential Solutions Anonymous Proxy
More informationA Posteriori Openable Public Key Encryption *
A Posteriori Openable Public Key Encryption * Xavier Bultel 1, Pascal Lafourcade 1, CNRS, UMR 6158, LIMOS, F-63173 Aubière, France Université Clermont Auvergne, LIMOS, BP 10448, 63000 Clermont-Ferrand,
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationNon-interactive Designated Verifier Proofs and Undeniable Signatures
Non-interactive Designated Verifier Proofs and Undeniable Signatures Caroline Kudla and Kenneth G. Paterson Information Security Group Royal Holloway, University of London, UK {c.j.kudla,kenny.paterson}@rhul.ac.uk
More informationOn Two Round Rerunnable MPC Protocols
On Two Round Rerunnable MPC Protocols Paul Laird Dublin Institute of Technology, Dublin, Ireland email: {paul.laird}@dit.ie Abstract. Two-rounds are minimal for all MPC protocols in the absence of a trusted
More informationFrom Secure MPC to Efficient Zero-Knowledge
From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time
More informationProvable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More informationEfficient RSA Key Generation and Threshold Paillier in the Two-Party Setting
Efficient RSA Key Generation and Threshold Paillier in the Two-Party Setting Carmit Hazay Gert Læssøe Mikkelsen Tal Rabin Tomas Toft Abstract The problem of generating an RSA composite in a distributed
More informationID-based tripartite key agreement with signatures
-based tripartite key agreement with signatures 1 Divya Nalla ILab, Dept of omputer/info Sciences, University of Hyderabad, Gachibowli, Hyderabad, 500046, India divyanalla@yahoocom bstract : This paper
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationFast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries
Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel lindell@biu.ac.il February 8, 2015 Abstract In the setting
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationAnonymous Credentials Light
Anonymous Credentials Light Foteini Baldimtsi Brown University foteini@cs.brown.edu Anna Lysyanskaya Brown University anna@cs.brown.edu ABSTRACT We define and propose an efficient and provably secure construction
More informationThe odd couple: MQV and HMQV
The odd couple: MQV and HMQV Jean-Philippe Aumasson 1 / 49 Summary MQV = EC-DH-based key agreement protocol, proposed by Menezes, Qu and Vanstone (1995), improved with Law and Solinas (1998), widely standardized
More informationA Fair and Efficient Solution to the Socialist Millionaires Problem
In Discrete Applied Mathematics, 111 (2001) 23 36. (Special issue on coding and cryptology) A Fair and Efficient Solution to the Socialist Millionaires Problem Fabrice Boudot a Berry Schoenmakers b Jacques
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationMultiparty Computation
Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Solution Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationNon-Interactive ZK:The Feige-Lapidot-Shamir protocol
Non-Interactive ZK: The Feige-Lapidot-Shamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof
More informationDesignated Conrmer Signatures Revisited
Designated Conrmer Signatures Revisited Douglas Wikström ETH Zürich, Department of Computer Science douglas@inf.ethz.ch 26th February 2007 Abstract Previous denitions of designated conrmer signatures in
More informationNew Notions of Security: Universal Composability without Trusted Setup
New Notions of Security: Universal Composability without Trusted Setup Manoj Prabhakaran & Amit Sahai Princeton University To appear in STOC 04 Defining Security Central Problem in Cryptography Understanding
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationLecture 10: Zero-Knowledge Proofs
Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationPicnic Post-Quantum Signatures from Zero Knowledge Proofs
Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM DAVID DERLER STEVEN GOLDFEDER JONATHAN KATZ VLAD KOLESNIKOV CLAUDIO ORLANDI SEBASTIAN RAMACHER CHRISTIAN RECHBERGER
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationKeyword Search and Oblivious Pseudo-Random Functions
Keyword Search and Oblivious Pseudo-Random Functions Mike Freedman NYU Yuval Ishai, Benny Pinkas, Omer Reingold 1 Background: Oblivious Transfer Oblivious Transfer (OT) [R], 1-out-of-N [EGL]: Input: Server:
More informationEfficient RSA Key Generation and Threshold Paillier in the Two-Party Setting
An extended abstract of this paper was published in the proceedings of CT-RSA 2012. Efficient RSA Key Generation and Threshold Paillier in the Two-Party Setting Carmit Hazay Gert Læssøe Mikkelsen Tal Rabin
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationBoneh-Franklin Identity Based Encryption Revisited
Boneh-Franklin Identity Based Encryption Revisited David Galindo Institute for Computing and Information Sciences Radboud University Nijmegen P.O.Box 9010 6500 GL, Nijmegen, The Netherlands. d.galindo@cs.ru.nl
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationIdentification Schemes of Proofs of Ability Secure against Concurrent Man-in-the-Middle Attacks
Identification Schemes of Proofs of Ability Secure against Concurrent Man-in-the-Middle Attacks Hiroaki Anada and Seiko Arita Institute of Information Security, Yokohama, Japan hiroaki.anada@gmail.com,
More informationSecurity Protocols and Application Final Exam
Security Protocols and Application Final Exam Solution Philippe Oechslin and Serge Vaudenay 25.6.2014 duration: 3h00 no document allowed a pocket calculator is allowed communication devices are not allowed
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationAre you the one to share? Secret Transfer with Access Structure
Are you the one to share? Secret Transfer with Access Structure Yongjun Zhao, Sherman S.M. Chow Department of Information Engineering The Chinese University of Hong Kong, Hong Kong Private Set Intersection
More informationOn The (In)security Of Fischlin s Paradigm
On The (In)security Of Fischlin s Paradigm PRABHANJAN ANANTH Microsoft Research India prabhanjan.va@gmail.com RAGHAV BHASKAR Microsoft Research India rbhaskar@microsoft.com VIPUL GOYAL Microsoft Research
More informationSecure Signatures and Chosen Ciphertext Security in a Post-Quantum World
Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World Dan Boneh Mark Zhandry Stanford University {dabo,zhandry}@cs.stanford.edu Abstract We initiate the study of quantum-secure digital
More informationMulti-Input Functional Encryption
Multi-Input Functional Encryption S. Dov Gordon Jonathan Katz Feng-Hao Liu Elaine Shi Hong-Sheng Zhou Abstract Functional encryption (FE) is a powerful primitive enabling fine-grained access to encrypted
More informationProofs of Retrievability via Fountain Code
Proofs of Retrievability via Fountain Code Sumanta Sarkar and Reihaneh Safavi-Naini Department of Computer Science, University of Calgary, Canada Foundations and Practice of Security October 25, 2012 Outsourcing
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationDigital Signatures from Challenge-Divided Σ-Protocols
Digital Signatures from Challenge-Divided Σ-Protocols Andrew C. Yao Yunlei Zhao Abstract Digital signature is one of the basic primitives in cryptography. A common paradigm of obtaining signatures, known
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationA DAA Scheme Requiring Less TPM Resources
A DAA Scheme Requiring Less TPM Resources Liqun Chen Hewlett-Packard Laboratories liqun.chen@hp.com Abstract. Direct anonymous attestation (DAA) is a special digital signature primitive, which provides
More informationNon-Interactive Zero-Knowledge Proofs of Non-Membership
Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building
More information