Lattice-based DAPS and Generalizations
|
|
- Oliver Anderson
- 5 years ago
- Views:
Transcription
1 Lattice-based DAPS and Generalizations Dan Boneh, Sam Kim, Valeria Nikolaenko Stanford University July 11, 2017
2 Certificate Authorities
3 Certificate Authorities
4 Certificate Authorities
5 Certificate Authorities
6 Signatures For many scenarios, signers are trusted to make unique bindings Certificate Authorities Time Stamping Authorities
7 Signatures For many scenarios, signers are trusted to make unique bindings Certificate Authorities Time Stamping Authorities But traditional digital signatures impose no uniqueness condition
8 Signatures For many scenarios, signers are trusted to make unique bindings Certificate Authorities Time Stamping Authorities But traditional digital signatures impose no uniqueness condition Often times, signers are coerced into making fake certificates (double-signing)
9 Signatures For many scenarios, signers are trusted to make unique bindings Certificate Authorities Time Stamping Authorities But traditional digital signatures impose no uniqueness condition Often times, signers are coerced into making fake certificates (double-signing) What can we do in these type of situations?
10 Signatures For many scenarios, signers are trusted to make unique bindings Certificate Authorities Time Stamping Authorities But traditional digital signatures impose no uniqueness condition Often times, signers are coerced into making fake certificates (double-signing) What can we do in these type of situations? Are there mechanisms to really force the CA to act honestly even in the face of coercion?
11 Double Signing There are mechanisms to detect when a CA issues a fake certificate Certificate Transparency (CT) [LLK15] CONIKS [MBB+15]
12 Double Signing There are mechanisms to detect when a CA issues a fake certificate Certificate Transparency (CT) [LLK15] CONIKS [MBB+15] However, often times punishment not so severe A period of bad publicity
13 Double Signing There are mechanisms to detect when a CA issues a fake certificate Certificate Transparency (CT) [LLK15] CONIKS [MBB+15] However, often times punishment not so severe A period of bad publicity Consequences not severe enough to prevent legal coercion
14 Double Signing There are mechanisms to detect when a CA issues a fake certificate Certificate Transparency (CT) [LLK15] CONIKS [MBB+15] However, often times punishment not so severe A period of bad publicity Consequences not severe enough to prevent legal coercion Can we make the consequences more severe such that the CA can use it as an argument against coercion?
15 DAPS Double Authentication Preventing Signatures (DAPS) [PS14]
16 DAPS Double Authentication Preventing Signatures (DAPS) [PS14] Message of them form (subj, payload)
17 DAPS Double Authentication Preventing Signatures (DAPS) [PS14] Message of them form (subj, payload) Signatures of (subj, payload 1 ), (subj, payload 2 ) leaks signing key
18 DAPS Double Authentication Preventing Signatures (DAPS) [PS14] Message of them form (subj, payload) Signatures of (subj, payload 1 ), (subj, payload 2 ) leaks signing key CA uses as self-enforcement
19 DAPS Double Authentication Preventing Signatures (DAPS) [PS14] Message of them form (subj, payload) Signatures of (subj, payload 1 ), (subj, payload 2 ) leaks signing key CA uses as self-enforcement CA will use DAPS as a justification to resist coercion
20 Legal Coercion
21 Legal Coercion
22 Legal Coercion
23 Right Notion? Q : What if Facebook happens to accidentally lose its certificate?
24 Right Notion? Q : What if Facebook happens to accidentally lose its certificate? A : Use short-lived certificates
25 Right Notion? Q : What if Facebook happens to accidentally lose its certificate? A : Use short-lived certificates Q : What if agency simply coerces another CA to issue a certificate for facebook.com?
26 Right Notion? Q : What if Facebook happens to accidentally lose its certificate? A : Use short-lived certificates Q : What if agency simply coerces another CA to issue a certificate for facebook.com? A : Use certificate pinning
27 Right Notion? Q : What if Facebook happens to accidentally lose its certificate? A : Use short-lived certificates Q : What if agency simply coerces another CA to issue a certificate for facebook.com? A : Use certificate pinning Q : What if Facebook wishes to use a different certificate for each server?
28 Right Notion? Q : What if Facebook happens to accidentally lose its certificate? A : Use short-lived certificates Q : What if agency simply coerces another CA to issue a certificate for facebook.com? A : Use certificate pinning Q : What if Facebook wishes to use a different certificate for each server? A : Use intermediate CA s
29 Right Notion? Q : What if Facebook happens to accidentally lose its certificate? A : Use short-lived certificates Q : What if agency simply coerces another CA to issue a certificate for facebook.com? A : Use certificate pinning Q : What if Facebook wishes to use a different certificate for each server? A : Use intermediate CA s There are other holes in the argument (but that is not the point!)
30 DAPS Formulation Setup (sk, vk) Sign(sk, msg) σ Verify(vk, msg, σ) 0/1
31 DAPS Formulation Setup (sk, vk) Sign(sk, (subj, payload)) σ Verify(vk, msg, σ) 0/1 Extract((subj, payload 1 ), σ 1, (subj, payload 2 ), σ 2 ) sk
32 Results Previously, [PS14] construct DAPS from the hardness of factoring
33 Results Previously, [PS14] construct DAPS from the hardness of factoring This Work: Construct DAPS from lattices (SIS) Provide generalization of DAPS Extend to multi-authority setting
34 SIS Let n, m, q, β be appropriately chosen positive integers. Short Integer Solutions (SIS) Problem Given a uniformly random matrix A Z n m q, find short a nonzero u Z m such that A u = 0.
35 SIS Let n, m, q, β be appropriately chosen positive integers. Inhomogeneous SIS Problem Given a uniformly random matrix A Zq n m, and a vector v Z n q, find a short nonzero u Z m such that A u = v.
36 SIS Let n, m, q, β be appropriately chosen positive integers. Inhomogeneous SIS Problem Given a uniformly random matrix A Zq n m, and a vector v Z n q, find a short nonzero u Z m such that A u = v. Nice properties: Solving SIS results in solving worst-case lattice problems! Possible to generate A with a trapdoor td such that SIS easy to solve
37 GPV Signatures Signature scheme using hash-and-sign [GPV08] vk = A sk = td Sign(sk, msg): Hash v = H(msg) Z n q and compute σ = u such that A u = v Verify(vk, msg, σ): Verify that A u = v and u short.
38 Gadget trapdoors Let G be a special gadget matrix where SIS easy ( Find short u such that G u = v )
39 Gadget trapdoors Let G be a special gadget matrix where SIS easy ( Find short u such that G u = v ) Trapdoor td for A defined as a short, full-rank matrix R such that A R = H G for any invertible matrix H Z n n q.
40 Gadget trapdoors Let G be a special gadget matrix where SIS easy ( Find short u such that G u = v ) Trapdoor td for A defined as a short, full-rank matrix R such that A R = H G for any invertible matrix H Z n n q. To sample pre-image u: 1. Sample short ũ such that G ũ = v 2. Let u = R ũ. Then Au = A R ũ = v In the real scheme, must take care of distributional issues
41 FRD Encodings Full-Rank Difference (FRD) encoding: Encoding function H FRD : Z n q GL(Z n n q ) For any two distinct vectors u, v, the matrix H FRD (u) H FRD (v) is full rank
42 DAPS Construction Fix a hash function H and FRD encoding H FRD. vk = A, sk = td Sign(sk, (subj, payload)): 1. V = H(subj) Z n m q 2. H = H FRD (payload) Zq n n 3. Let σ = U be a short matrix U such that A U + H G = V Verify(vk, (subj, payload), σ): Verify the relation A U + H G = V and check U short
43 DAPS Construction Extract((subj, payload 1 ), σ 1, (subj, payload 2 ), σ 2 ): We have two signatures σ 1 = U 1, σ 2 = U 2 such that A U 1 + H FRD (payload 1 ) G = H(subj) A U 2 + H FRD (payload 2 ) G = H(subj)
44 DAPS Construction Extract((subj, payload 1 ), σ 1, (subj, payload 2 ), σ 2 ): We have two signatures σ 1 = U 1, σ 2 = U 2 such that A U 1 + H 1 G = V A U 2 + H 2 G = V
45 DAPS Construction Extract((subj, payload 1 ), σ 1, (subj, payload 2 ), σ 2 ): We have two signatures σ 1 = U 1, σ 2 = U 2 such that A (U 1 U 2 ) = (H 2 H 1 )G
46 DAPS Construction Extract((subj, payload 1 ), σ 1, (subj, payload 2 ), σ 2 ): We have two signatures σ 1 = U 1, σ 2 = U 2 such that A (U 1 U }{{} 2 ) = (H 2 H 1 )G short
47 DAPS Construction Extract((subj, payload 1 ), σ 1, (subj, payload 2 ), σ 2 ): We have two signatures σ 1 = U 1, σ 2 = U 2 such that A (U 1 U 2 ) = (H 2 H }{{} 1 )G full-rank
48 DAPS Construction Extract((subj, payload 1 ), σ 1, (subj, payload 2 ), σ 2 ): We have two signatures σ 1 = U 1, σ 2 = U 2 such that A (U 1 U 2 ) = (H 2 H }{{} 1 )G full-rank The matrix (U 1 U 2 ) trapdoor for A
49 Predicate Authentication Preventing Signatures Setup (sk, vk) Sign(sk, msg) σ Verify(vk, msg, σ) 0/1 Extract((msg 1, σ 1 ),..., (msg t, σ t )) sk Extraction succeeds if φ(msg 1,..., msg t ) = 1
50 Predicate Authentication Preventing Signatures Setup (sk, vk) Sign(sk, msg) σ Verify(vk, msg, σ) 0/1 Extract((msg 1, σ 1 ),..., (msg t, σ t )) sk Extraction succeeds if φ(msg 1,..., msg t ) = 1 DAPS is a special case for predicate φ((subj 1,payload 1 ), (subj 2, payload 2 )) = { 1 subj1 = subj 2 payload 1 payload 2 0 Otherwise
51 Open Problems Theoretical: Can we construct PAPS for more general circuit classes? Practical: What are some practical holes for implementing DAPS in the real world?
52 Open Problems Theoretical: Can we construct PAPS for more general circuit classes? Practical: What are some practical holes for implementing DAPS in the real world? Thanks!
Enforcing honesty of certification authorities: Tagged one-time signature schemes
Enforcing honesty of certification authorities: Tagged one-time signature schemes Information Security Group Royal Holloway, University of London bertram.poettering@rhul.ac.uk Stanford, January 11, 2013
More informationSampling Lattice Trapdoors
Sampling Lattice Trapdoors November 10, 2015 Today: 2 notions of lattice trapdoors Efficient sampling of trapdoors Application to digital signatures Last class we saw one type of lattice trapdoor for a
More informationFUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS. Elette Boyle Shafi Goldwasser Ioana Ivan
FUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS Elette Boyle Shafi Goldwasser Ioana Ivan Traditional Paradigm: All or Nothing Encryption [DH76] Given SK, can decrypt. Otherwise, can t distinguish encryptions
More informationTowards Tightly Secure Lattice Short Signature and Id-Based Encryption
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt 16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o
More informationHow to Use Linear Homomorphic Signature in Network Coding
How to Use Linear Homomorphic Signature in Network Coding Li Chen lichen.xd at gmail.com Xidian University September 28, 2013 How to Use Linear Homomorphic Signature in Network Coding Outline 1 Linear
More informationProtean Signature Schemes
Protean Signature Schemes Stephan Krenn, Henrich C. Pöhls, Kai Samelin, Daniel Slamanig October 2, 2018 Cryptology And Network Security (CANS 2018), Naples, Italy 1 Digital Signatures 2 Digital Signatures
More informationLattice-based Multi-signature with Linear Homomorphism
Copyright c 2016 The Institute of Electronics, Information and Communication Engineers SCIS 2016 2016 Symposium on Cryptography and Information Security Kumamoto, Japan, Jan. 19-22, 2016 The Institute
More informationLinearly Homomorphic Signatures over Binary Fields and New Tools for Lattice-Based Signatures
An extended abstract of this work appears in Public Key Cryptography PKC 2011, ed. R. Gennaro, Springer LNCS 6571 (2011), 1 16. This is the full version. Linearly Homomorphic Signatures over Binary Fields
More informationRandom Oracles in a Quantum World
Dan Boneh 1 Özgür Dagdelen 2 Marc Fischlin 2 Anja Lehmann 3 Christian Schaffner 4 Mark Zhandry 1 1 Stanford University, USA 2 CASED & Darmstadt University of Technology, Germany 3 IBM Research Zurich,
More informationMulti-Key Homomorphic Authenticators
Multi-Key Homomorphic Authenticators Dario Fiore 1, Aikaterini Mitrokotsa 2, Luca Nizzardo 1, and Elena Pagnin 2 1 IMDEA Software Institute, Madrid, Spain {dario.fiore, luca.nizzardo}@imdea.org 2 Chalmers
More informationHomomorphic Signatures for Polynomial Functions
An extended abstract of this work appears in Advances in Cryptology EUROCRYPT 2011, ed. K. Paterson, Springer LNCS 6632 (2011), 149 168. This is the full version. Homomorphic Signatures for Polynomial
More informationPrivate Puncturable PRFs from Standard Lattice Assumptions
Private Puncturable PRFs from Standard Lattice Assumptions Sam Kim Stanford University Joint work with Dan Boneh and Hart Montgomery Pseudorandom Functions (PRFs) [GGM84] Constrained PRFs [BW13, BGI13,
More informationDigital signature schemes
Digital signature schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction digital signature scheme security of digital
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationAn Equivalence Between Attribute-Based Signatures and Homomorphic Signatures, and New Constructions for Both
An Equivalence Between Attribute-Based Signatures and Homomorphic Signatures, and New Constructions for Both Rotem Tsabary January 24, 2018 Abstract In Attribute-Based Signatures (ABS; first defined by
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationProofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures
Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures G. Fuchsbauer D. Pointcheval École normale supérieure Pairing'09, 13.08.2009 Fuchsbauer, Pointcheval (ENS) Proofs
More informationAn update on Hash-based Signatures. Andreas Hülsing
An update on Hash-based Signatures Andreas Hülsing Trapdoor- / Identification Scheme-based (PQ-)Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters 9-9-2015 PAGE 2... 1
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationAdaptively Secure Fully Homomorphic Signatures Based on Lattices
Adaptively Secure Fully Homomorphic Signatures Based on Lattices Xavier Boyen Xiong Fan Elaine Shi Queensland University of Technology University of Maryland Abstract In a homomorphic signature scheme,
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationABSTRACT AND PROGRAM OBFUSCATION. Department of Computer Science
ABSTRACT Title of Dissertation: FRONTIERS IN LATTICE CRYPTOGRAPHY AND PROGRAM OBFUSCATION Daniel Apon, Doctor of Philosophy, 2017 Dissertation directed by: Professor Jonathan Katz Department of Computer
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationTrapdoors for Lattices: Simpler, Tighter, Faster, Smaller
Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech April 2012 1 / 16 Lattice-Based Cryptography y = g x mod p m e mod N e(g a,
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationThe Double-Hash Transform: From Identification to (Double-Authentication-Preventing) Signatures, Tightly
The Double-Hash Transform: From Identification to (Double-Authentication-Preventing) Signatures, Tightly Mihir Bellare 1 Douglas Stebila 2 December 2015 Abstract We give a new method to turn identification
More informationTransitive Signatures Based on Non-adaptive Standard Signatures
Transitive Signatures Based on Non-adaptive Standard Signatures Zhou Sujing Nanyang Technological University, Singapore, zhousujing@pmail.ntu.edu.sg Abstract. Transitive signature, motivated by signing
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University
More informationFully anonymous attribute tokens from lattices
Fully anonymous attribute tokens from lattices Jan Camenisch (IBM Research Zurich) Gregory Neven (IBM Research Zurich) Markus Rückert Elevator pitch Goal: Anonymous credentials from lattices Starting point:
More informationMitigating Multi-Target-Attacks in Hash-based Signatures. Andreas Hülsing joint work with Joost Rijneveld, Fang Song
Mitigating Multi-Target-Attacks in Hash-based Signatures Andreas Hülsing joint work with Joost Rijneveld, Fang Song A brief motivation Trapdoor- / Identification Scheme-based (PQ-)Signatures Lattice, MQ,
More informationLattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationAttribute-based Encryption & Delegation of Computation
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin Attribute-based Encryption & Delegation of Computation April 9, 2013 Scribe: Steven Goldfeder We will cover the ABE
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among
More informationA Lattice-Based Universal Thresholdizer for Cryptographic Systems
A Lattice-Based Universal Thresholdizer for Cryptographic Systems Dan Boneh Rosario Gennaro Steven Goldfeder Sam Kim Abstract We develop a general approach to thresholdizing a large class of (non-threshold)
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationFunctional Encryption for Inner Product Predicates from Learning with Errors
Functional Encryption for Inner Product Predicates from Learning with Errors Shweta Agrawal University of California, Los Angeles shweta@cs.ucla.edu Vinod Vaikuntanathan University of Toronto vinodv@cs.toronto.edu
More informationSPHINCS: practical stateless hash-based signatures
SPHINCS: practical stateless hash-based signatures D. J. Bernstein, D. Hopwood, A. Hülsing, T. Lange, R. Niederhagen, L. Papachristodoulou, P. Schwabe, and Z. Wilcox O'Hearn Digital Signatures are Important!
More informationAttribute-Based Signatures for Unbounded Languages from Standard Assumptions
Attribute-Based Signatures for Unbounded Languages from Standard Assumptions Yusuke Sakai (AIST, Japan) Shuichi Katsumata (AIST, Japan / U. Tokyo, Japan) Nuttapong Attrapadung (AIST, Japan) GoichiroHanaoka
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More informationNotes for Lecture 15
COS 533: Advanced Cryptography Lecture 15 (November 8, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Kevin Liu Notes for Lecture 15 1 Lattices A lattice looks something like the following.
More informationImpossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs
Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs Dafna Kidron Yehuda Lindell June 6, 2010 Abstract Universal composability and concurrent general composition
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationOn the (In)security of the Fiat-Shamir Paradigm
On the (In)security of the Fiat-Shamir Paradigm Shafi Goldwasser Yael Tauman February 2, 2004 Abstract In 1986, Fiat and Shamir proposed a general method for transforming secure 3-round public-coin identification
More information10 Concrete candidates for public key crypto
10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see
More informationHardness and advantages of Module-SIS and Module-LWE
Hardness and advantages of Module-SIS and Module-LWE Adeline Roux-Langlois EMSEC: Univ Rennes, CNRS, IRISA April 24, 2018 Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018
More informationUniversal Samplers with Fast Verification
Universal Samplers with Fast Verification Venkata Koppula University of Texas at Austin kvenkata@csutexasedu Brent Waters University of Texas at Austin bwaters@csutexasedu January 9, 2017 Andrew Poelstra
More informationRelaxed Lattice-Based Signatures with Short Zero-Knowledge Proofs
Relaxed Lattice-Based Signatures with Short Zero-Knowledge Proofs Cecilia Boschini, Jan Camenisch, and Gregory Neven IBM Research Zurich {bos, jca, nev}@zurich.ibm.com Abstract. Higher-level cryptographic
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationHomomorphic Signatures with Efficient Verification for Polynomial Functions
Homomorphic Signatures with Efficient Verification for Polynomial Functions Dario Catalano 1, Dario Fiore 2, and Bogdan Warinschi 3 1 Università di Catania, Italy. catalano@dmi.unict.it 2 IMDEA Software
More informationSECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL. Mark Zhandry Stanford University
SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL Mark Zhandry Stanford University Random Oracle Model (ROM) Sometimes, we can t prove a scheme secure in the standard model. Instead,
More informationAttribute-Based Signatures
Attribute-Based Signatures Hemanta K. Maji Manoj Prabhakaran Mike Rosulek Abstract We introduce Attribute-Based Signatures (ABS), a versatile primitive that allows a party to sign a message with fine-grained
More informationSIS-based Signatures
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin February 26, 2013 Basics We will use the following parameters: n, the security parameter. =poly(n). m 2n log s 2 n
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationDeterring Certificate Subversion: Efficient Double-Authentication-Preventing Signatures
Deterring Certificate Subversion: Efficient Double-Authentication-Preventing Signatures Mihir Bellare 1 Bertram Poettering 2 Douglas Stebila 3 October 2016 Abstract This paper presents highly efficient
More informationBackground: Lattices and the Learning-with-Errors problem
Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b
More informationTighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationSIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography
SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 8 of Trappe and Washington DIGITAL SIGNATURES message sig 1. How do we bind
More informationBonsai Trees (or, Arboriculture in Lattice-Based Cryptography)
Bonsai Trees (or, Arboriculture in Lattice-Based Cryptography) Chris Peikert Georgia Institute of Technology July 20, 2009 Abstract We introduce bonsai trees, a lattice-based cryptographic primitive that
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationAvailable online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:
Available online at http://scik.org J. Math. Comput. Sci. 6 (2016), No. 3, 281-289 ISSN: 1927-5307 AN ID-BASED KEY-EXPOSURE FREE CHAMELEON HASHING UNDER SCHNORR SIGNATURE TEJESHWARI THAKUR, BIRENDRA KUMAR
More informationA Small Subgroup Attack on Arazi s Key Agreement Protocol
Small Subgroup ttack on razi s Key greement Protocol Dan Brown Certicom Research, Canada dbrown@certicom.com lfred Menezes Dept. of C&O, University of Waterloo, Canada ajmeneze@uwaterloo.ca bstract In
More informationHigher Order Universal One-Way Hash Functions from the Subset Sum Assumption
Higher Order Universal One-Way Hash Functions from the Subset Sum Assumption Ron Steinfeld, Josef Pieprzyk, Huaxiong Wang Dept. of Computing, Macquarie University, Australia {rons, josef, hwang}@ics.mq.edu.au
More informationSome Security Comparisons of GOST R and ECDSA Signature Schemes
Some Security Comparisons of GOST R 34.10-2012 and ECDSA Signature Schemes Trieu Quang Phong Nguyen Quoc Toan Institute of Cryptography Science and Technology Gover. Info. Security Committee, Viet Nam
More informationEfficient Lattice (H)IBE in the Standard Model
Efficient Lattice (H)IBE in the Standard Model Shweta Agrawal University of Texas, Austin Dan Boneh Stanford University Xavier Boyen PARC Abstract We construct an efficient identity based encryption system
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Asymmetric Crypto ECC RSA DSA Symmetric Crypto AES SHA2 SHA1... Combination of both
More informationSuccinct Adaptive Garbled RAM
Succinct Adaptive Garbled RAM Ran Canetti Yilei Chen Justin Holmgren Mariana Raykova November 4, 2015 Abstract We show how to garble a large persistent database and then garble, one by one, a sequence
More informationFinding Collisions in Interactive Protocols Tight Lower Bounds on the Round and Communication Complexities of Statistically Hiding Commitments
Finding Collisions in Interactive Protocols Tight Lower Bounds on the Round and Communication Complexities of Statistically Hiding Commitments Iftach Haitner Jonathan J. Hoch Omer Reingold Gil Segev December
More informationLattice Cryptography
CSE 06A: Lattice Algorithms and Applications Winter 01 Instructor: Daniele Micciancio Lattice Cryptography UCSD CSE Many problems on point lattices are computationally hard. One of the most important hard
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationIntroduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes
Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 03 13 More
More informationII. Digital signatures
II. Digital signatures Alice m Bob Eve 1. Did Bob send message m, or was it Eve? 2. Did Eve modify the message m, that was sent by Bob? 1 Digital signatures Digital signature - are equivalent of handwritten
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationA brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago
A brief survey of post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption
More informationPrivacy Preserving Verifiable Key Directories
Privacy Preserving Verifiable Key Directories Melissa Chase Microsoft Research melissac@microsoft.com Apoorvaa Deshpande Brown University acdeshpa@cs.brown.edu Esha Ghosh Microsoft Research esha.ghosh@microsoft.com
More informationCS 355: TOPICS IN CRYPTOGRAPHY
CS 355: TOPICS IN CRYPTOGRAPHY DAVID WU Abstract. Preliminary notes based on course material from Professor Boneh s Topics in Cryptography course (CS 355) in Spring, 2014. There are probably typos. Last
More informationLattice Cryptography
CSE 206A: Lattice Algorithms and Applications Winter 2016 Lattice Cryptography Instructor: Daniele Micciancio UCSD CSE Lattice cryptography studies the construction of cryptographic functions whose security
More informationBonsai Trees, or How to Delegate a Lattice Basis
Bonsai Trees, or How to Delegate a Lattice Basis David Cash, Dennis Hofheinz, Eike Kiltz, and Chris Peikert Abstract. We introduce a new lattice-based cryptographic structure called a bonsai tree, and
More informationInaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions
Columbia University - Crypto Reading Group Apr 27, 2011 Inaccessible Entropy and its Applications Igor Carboni Oliveira We summarize the constructions of PRGs from OWFs discussed so far and introduce the
More informationCRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018
CRYSTALS Kyber and Dilithium Peter Schwabe peter@cryptojedi.org https://cryptojedi.org February 7, 2018 Crypto today 5 building blocks for a secure channel Symmetric crypto Block or stream cipher (e.g.,
More informationPractical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
More informationFamily Feud Review. Linear Algebra. October 22, 2013
Review Linear Algebra October 22, 2013 Question 1 Let A and B be matrices. If AB is a 4 7 matrix, then determine the dimensions of A and B if A has 19 columns. Answer 1 Answer A is a 4 19 matrix, while
More informationMulti-Key Homomorphic Signatures Unforgeable under Insider Corruption
Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption Russell W. F. Lai 1,2, Raymond K. H. Tai 1, Harry W. H. Wong 1, and Sherman S. M. Chow 1 1 Chinese University of Hong Kong, Hong Kong
More informationPrimary-Secondary-Resolver Membership Proof Systems
Primary-Secondary-Resolver Membership Proof Systems Moni Naor and Asaf Ziv Weizmann Institute of Science, Department of Computer Science and Applied Mathematics. {moni.naor,asaf.ziv}@weizmann.ac.il. Abstract.
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 19 November 8, 2017 CPSC 467, Lecture 19 1/37 Zero Knowledge Interactive Proofs (ZKIP) ZKIP for graph isomorphism Feige-Fiat-Shamir
More informationPrivate Puncturable PRFs From Standard Lattice Assumptions
Private Puncturable PRFs From Standard Lattice Assumptions Dan Boneh Stanford University dabo@cs.stanford.edu Sam Kim Stanford University skim13@cs.stanford.edu Hart Montgomery Fujitsu Laboratories of
More informationCryptography in the Multi-string Model
Cryptography in the Multi-string Model Jens Groth 1 and Rafail Ostrovsky 1 University of California, Los Angeles, CA 90095 {jg,rafail}@cs.ucla.edu Abstract. The common random string model introduced by
More informationDATA PRIVACY AND SECURITY
DATA PRIVACY AND SECURITY Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2018-2019 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum
More informationWeek 12: Hash Functions and MAC
Week 12: Hash Functions and MAC 1. Introduction Hash Functions vs. MAC 2 Hash Functions Any Message M Hash Function Generate a fixed length Fingerprint for an arbitrary length message. No Key involved.
More informationMalleable Signatures: Complex Unary Transformations and Delegatable Anonymous Credentials
Malleable Signatures: Complex Unary Transformations and Delegatable Anonymous Credentials Melissa Chase Microsoft Research Redmond melissac@microsoft.com Markulf Kohlweiss Microsoft Research Cambridge
More information