Deriving GDOI. Dusko Pavlovic and Cathy Meadows
|
|
- Ferdinand Bates
- 5 years ago
- Views:
Transcription
1 Deriving GDOI Dusko Pavlovic and Cathy Meadows September
2 Outline 1. Trace logic 2. Axioms and rules 3. Deriving core GDOI 4. Global encryption and hashing transformations 5. Adding PFS and POP options 2
3 1. Trace logic 1.1. Actions send: t A, B C, receive: (x Y, Z) C, new: (νx) C match: (p(t)/p(x)) C 3
4 1.2. Statements Atomic predicates: a a < b a = b 4
5 Meaning t A < (x) Y some send t by A precedes some receive x by Y a = t A t A the action a is in the form U(t) X = V (t) Y X = Y U(t) = V (t) and 5
6 Composite predicates: Y. (m) Y n B, A Y < (n, Hm B, A) A (νx) A < x A < (k, H(x, k)) A X. v X< log v (νy) B < g y B < ((g y )) X < v y X< 6
7 Abbreviations: (t) (x)(x/t) t U(t/x), transparent for all ((t)) abbreviates (U(t/x)), transparent for receiver t A< a = t A b = t B. b a t A< a = t A b = t B. b a 7
8 Summary: protocol runs are partial orders of actions predicates are sets of protocol runs statements are A : Φ A knows that the current run satisfies Φ A : (νx)φ A knows that Φ holds after she has generated x 8
9 2. Axioms and rules 2.1. General axioms (t) = a. a = t a < (t) (rcv) (νm) M = a A. ( m F V (a) a > (νm) ) A M (νm) M < m M < ((m)) A a A (new) 9
10 2.2. Ping authentication by challenge-response A : (νm) A ( c AB m A < ((r AB m)) A = c AB m A < ((c AB m)) B < r AB m B< < ((r AB m)) A ) (cr) 10
11 2.3. Challenge-response by hashing Use shared secret σ AB keyed hash H AB x = h(σ AB, x) to implement c AB (x) = x r AB (x) = H AB (x) 11
12 Axioms of keyed hash H AB t X< = X = A X = B (hash1) Hs = Ht = s = t (hash2) 12
13 Proposition. Keyed hash implements a challengeresponse protocol: A : (νm) A ( m A < ((H AB u m )) A = m A < ((m)) B < H AB u m B< < ((H AB u m )) A ) (crh) where u m is a term containing m. 13
14 3. Deriving core GDOI 2.1. One-way ping authentication A B νm m Hm 14
15 Agents views A sees : (νm) A < m A < (Hm) A knows (crh) : (νm) A ( m A < ((Hm)) A = m A < ((m)) B < Hm B< < ((Hm)) A ) concludes : (νm) A < m A < ((m)) B < Hm B< < (Hm) A 15
16 B sees : (m A, B) B < Hm B knows (rcv) : (t) = a. a = t a < (t) concludes : X. m A, B X < (m A, B) B < Hm B 16
17 2.2. Two one-way ping authentications A B νm m n,hm Hn νn 17
18 Agents views A sees : (νm) A < m A < (n, Hm) A < Hn A knows (crh) : knows (rcv) (νm) A ( m A < ((Hm)) A = m A < ((m)) B < Hm B< < ((Hm)) A ) (t) = a. a = t a < (t) concludes : (νm) A < m A < ((m)) B < Hm B< < (n, Hm) A < Hn A Y. n B, A Y < (n, Hm B, A) A 18
19 B sees : (m A, B) B < (νn) B < n, Hm B < (Hn) B knows (crh) : knows (rcv) : (νn) B ( n B < ((Hn)) B = n B < ((n)) A < Hn A< < ((Hn)) B ) (t) = a. a = t a < (t) concludes : X. m A, B X < (m A, B) B < (νn) B < n, Hm B < ((n)) A < Hn A< < (Hn) B 19
20 2.3. Two-way challenge-response A B νm m n,h(m,n) Hn νn 20
21 Agents views A sees : (νm) A < m A < (n, H(m, n)) A < Hn A knows (crh) : knows (rcv) : (νm) A ( m A < ((Hu m )) A = m A < ((m)) B < Hu m B< < ((Hu m )) A ) (t) = a. a = t a < (t) knows : B honest (m) B < (νy) B < y, H(m, y) B < (Hy) B 21
22 Like in the one-way authentication, A concludes (i) : (νm) A < m A < ((m)) B < H(m, n) B< < (n, H(m, n)) A 22
23 The honesty assumption implies A concludes (ii) : B honest H(x, n) B = (νy) B < y, H(x, y) B< y = n 23
24 (i) (ii) (hash) = H(m, n) B = n, H(m, n) B hence A concludes : B honest = (νm) A < m A < < (m) B < (νn) B < n, H(m, n) B < < (n, H(m, n)) A < Hn A 24
25 B sees : (m A, B) B < (νn) B < n, H(m, n) B < (Hn) B knows (crh) : knows (rcv) : (νn) B ( n B < ((Hn)) B = n B < ((n)) A < Hn A< < ((Hn)) B ) (t) = a. a = t a < (t) knows : A honest (νx) A < x A < (n, H(x, n)) A < Hn A 25
26 Like in the one-way authentication B concludes (i) : (m) B < (νn) B < n, H(m, n) B < ((n)) A < Hn A< < (Hn) B 26
27 The honesty implies B concludes (ii) : A honest Hy A = (νx) A < x A < (y, H(x, y)) A 27
28 To connect (i) and (ii), note that The premis Hy A of (ii) follows from (i) if we instantiate y = n. The origination implies that the action Hn A< in (i) is the same as Hy A< in (ii). Because (rcv) n, H(x, n) Y < < (n, H(x, n)) A in (ii), the agent B can conclude that n, H(x, n) Y = n, H(m, n) B and thus Y = B, provided that A is honest. This is a consequence of the (hash1)-axiom, which implies that the hashes must originate from A or B. Axiom (hash2) then tells that x = m. 28
29 Hence B concludes : A honest = (νm) A < m A < < (m) B < (νn) B < n, H(m, n) B < < (n, H(m, n)) A < Hn A < (Hn) B 29
30 Summary A and B can prove exactly what the run looks like except that A cannot know whether her last message was received. Starting from ping, in two refinement steps, the agents achieve matching histories, completely determined run, all security properties are testable. 30
31 The achieved security properties are freshness: each agent knows that the other agent, if she is honest, has freshly generated the challenge; entity authentication: each of the agents knows that the other has intentionally responded to her own challenge, and intentionally issued a challenge; and each agent furthermore knows that the other agent possesses a symmetric knowledge, and so on, so that authenticity of the session becomes their common knowledge ASSUMING security of hash expressed by (hash1) and (hash2) honesty of the participants 31
32 2.4. Hash-based authenticated key distribution IF YOU GET HERE, YOU MUST BE ASLEEP. 32
A compositional logic for proving security properties of protocols
Journal of Computer Security 11 (2003) 677 721 677 IOS Press A compositional logic for proving security properties of protocols Nancy Durgin a, John Mitchell b and Dusko Pavlovic c a Sandia National Labs,
More informationA derivation system and compositional logic for security protocols
Journal of Computer Security 13 2005) 423 482 423 IOS Press A derivation system and compositional logic for security protocols Anupam Datta a,, Ante Derek a, John C. Mitchell a and Dusko Pavlovic b a Computer
More informationVerification of Security Protocols in presence of Equational Theories with Homomorphism
Verification of Security Protocols in presence of Equational Theories with Homomorphism Stéphanie Delaune France Télécom, division R&D, LSV CNRS & ENS Cachan February, 13, 2006 Stéphanie Delaune (FT R&D,
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationNSL Verification and Attacks Agents Playing Both Roles
NSL Verification and Attacks Agents Playing Both Roles Pedro Adão Gergei Bana Abstract Background: [2] and eprint version: [1] 1 The Axioms Equality is a Congruence. The first axiom says that the equality
More informationDeriving Key Distribution Protocols and their Security Properties
Deriving Key Distribution Protocols and their Security Properties Iliano Cervesato 1 Catherine Meadows 2 Dusko Pavlovic 3 December 4, 2006 CMU-CS-06-172 School of Computer Science Carnegie Mellon University
More informationBAN Logic A Logic of Authentication
BAN Logic A Logic of Authentication Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 BAN Logic The BAN logic was named after its inventors, Mike Burrows, Martín Abadí,
More informationVerification of the TLS Handshake protocol
Verification of the TLS Handshake protocol Carst Tankink (0569954), Pim Vullers (0575766) 20th May 2008 1 Introduction In this text, we will analyse the Transport Layer Security (TLS) handshake protocol.
More informationCryptographic Protocols Notes 2
ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationSIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography
SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 8 of Trappe and Washington DIGITAL SIGNATURES message sig 1. How do we bind
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationNetwork Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30
Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) LIU Zhen Due Date: March 30 Questions: 1. RSA (20 Points) Assume that we use RSA with the prime numbers p = 17 and q = 23. (a) Calculate
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationAutomatic Verification of Complex Security Protocols With an Unbounded Number of Sessions
Automatic Verification of Complex Security Protocols With an Unbounded Number of Sessions Kaile Su, Weiya Yue and Qingliang Chen Department of Computer Science, Sun Yat-sen University Guangzhou, P.R. China
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Solution Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationTerm Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool
Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool Santiago Escobar Departamento de Sistemas Informáticos y Computación Universitat Politècnica de València sescobar@dsic.upv.es
More informationSPCS Cryptography Homework 13
1 1.1 PRP For this homework, use the ollowing PRP: E(k, m) : {0, 1} 3 {0, 1} 3 {0, 1} 3 000 001 010 011 100 101 110 111 m 000 011 001 111 010 000 101 110 100 001 101 110 010 000 111 100 001 011 010 001
More informationTime-Bounding Needham-Schroeder Public Key Exchange Protocol
Time-Bounding Needham-Schroeder Public Key Exchange Protocol Max Kanovich, Queen Mary, University of London, UK University College London, UCL-CS, UK Tajana Ban Kirigin, University of Rijeka, HR Vivek
More informationLecture 38: Secure Multi-party Computation MPC
Lecture 38: Secure Multi-party Computation Problem Statement I Suppose Alice has private input x, and Bob has private input y Alice and Bob are interested in computing z = f (x, y) such that each party
More informationPing Pong Protocol & Auto-compensation
Ping Pong Protocol & Auto-compensation Adam de la Zerda For QIP seminar Spring 2004 02.06.04 Outline Introduction to QKD protocols + motivation Ping-Pong protocol Security Analysis for Ping-Pong Protocol
More informationExtending Dolev-Yao with Assertions
Extending Dolev-Yao with Assertions Vaishnavi Sundararajan Chennai Mathematical Institute FOSAD 2015 August 31, 2015 (Joint work with R Ramanujam and S P Suresh) Vaishnavi S Extending Dolev-Yao with Assertions
More informationStrand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001
Strand Spaces Proving Protocols Corr Jonathan Herzog 6 April 2001 Introduction 3Second part of talk given early last month Introduced class of cryptographic protocols Modeled at high level of abstraction
More informationThe odd couple: MQV and HMQV
The odd couple: MQV and HMQV Jean-Philippe Aumasson 1 / 49 Summary MQV = EC-DH-based key agreement protocol, proposed by Menezes, Qu and Vanstone (1995), improved with Law and Solinas (1998), widely standardized
More informationPractice Assignment 2 Discussion 24/02/ /02/2018
German University in Cairo Faculty of MET (CSEN 1001 Computer and Network Security Course) Dr. Amr El Mougy 1 RSA 1.1 RSA Encryption Practice Assignment 2 Discussion 24/02/2018-29/02/2018 Perform encryption
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationProving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory
Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a Model Be? too detailed too simple concrete abstract not usable not credible ``proves'' everything ``attacks''
More informationarxiv:quant-ph/ v1 6 Dec 2005
Quantum Direct Communication with Authentication Hwayean Lee 1,,4, Jongin Lim 1,, HyungJin Yang,3 arxiv:quant-ph/051051v1 6 Dec 005 Center for Information Security TechnologiesCIST) 1, Graduate School
More informationProving Properties of Security Protocols by Induction
Proving Security Protocols 1 L. C. Paulson Proving Properties of Security Protocols by Induction Lawrence C. Paulson Computer Laboratory University of Cambridge Proving Security Protocols 2 L. C. Paulson
More informationNotes on BAN Logic CSG 399. March 7, 2006
Notes on BAN Logic CSG 399 March 7, 2006 The wide-mouthed frog protocol, in a slightly different form, with only the first two messages, and time stamps: A S : A, {T a, B, K ab } Kas S B : {T s, A, K ab
More informationMATH UN Midterm 2 November 10, 2016 (75 minutes)
Name: UNI: Instructor: Shrenik Shah MATH UN3025 - Midterm 2 November 10, 2016 (75 minutes) This examination booklet contains 6 problems. There are 10 sheets of paper including the front cover. This is
More informationA decidable subclass of unbounded security protocols
A decidable subclass of unbounded security protocols R. Ramanujam and S. P. Suresh The Institute of Mathematical Sciences C.I.T. Campus, Chennai 600 113, India. E-mail: {jam,spsuresh}@imsc.res.in 1 Summary
More informationAPPLICATIONS OF BAN-LOGIC JAN WESSELS CMG FINANCE B.V.
APPLITIONS OF AN-LOGIC JAN WESSELS CMG FINANCE.V. APRIL 19, 2001 Chapter 1 Introduction This document is meant to give an overview of the AN-logic. The AN-logic is one of the methods for the analysis of
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationA Secure and Efficient Authenticated Diffie Hellman Protocol
A Secure and Efficient Authenticated Diffie Hellman Protocol Augustin P. Sarr 1, Philippe Elbaz Vincent 2, and Jean Claude Bajard 3 1 Netheos R&D 1,2 Institut Fourier CNRS, Université Grenoble 1 3 LIP6
More informationA Logic of Authentication. Borrows, Abadi and Needham TOCS 1990, DEC-SRC 1989
A Logic of Authentication Borrows, Abadi and Needham TOCS 1990, DEC-SRC 1989 Logic Constructs P believes X : P may act as though X is true. P sees X : a message containing X was sent to P; P can read and
More informationLecture 2: Quantum bit commitment and authentication
QIC 890/891 Selected advanced topics in quantum information Spring 2013 Topic: Topics in quantum cryptography Lecture 2: Quantum bit commitment and authentication Lecturer: Gus Gutoski This lecture is
More informationModels for an Adversary-Centric Protocol Logic
Workshop on Logical Aspects of Cryptographics 2001 Preliminary Version Models for an Adversary-Centric Protocol Logic Peter Selinger Department of Mathematics and Statistics University of Ottawa Ottawa,
More informationThe Needham-Schroeder-Lowe protocol
The Needham-Schroeder-Lowe protocol Unbounded sessions Principals run either initiator or responder role in each of their sessions We adopt the following conventions throughout this paper: honest principals
More informationAnalysis of authentication protocols Intership report
Analysis of authentication protocols Intership report Stéphane Glondu ENS de Cachan September 3, 2006 1 Introduction Many computers are interconnected through networks, the biggest of them being Internet.
More informationCPSA and Formal Security Goals
CPSA and Formal Security Goals John D. Ramsdell The MITRE Corporation CPSA Version 2.5.1 July 8, 2015 Contents 1 Introduction 3 2 Syntax 6 3 Semantics 8 4 Examples 10 4.1 Needham-Schroeder Responder.................
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More informationA Logic of Authentication
A Logic of Authentication by Burrows, Abadi, and Needham Presented by Adam Schuchart, Kathryn Watkins, Michael Brotzman, Steve Bono, and Sam Small Agenda The problem Some formalism The goals of authentication,
More informationIntroduction to Cryptography Lecture 4
Data Integrity, Message Authentication Introduction to Cryptography Lecture 4 Message authentication Hash functions Benny Pinas Ris: an active adversary might change messages exchanged between and M M
More informationLecture Notes, Week 10
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 10 (rev. 2) Professor M. J. Fischer March 29 & 31, 2005 Lecture Notes, Week 10 1 Zero Knowledge Interactive
More informationA Small Subgroup Attack on Arazi s Key Agreement Protocol
Small Subgroup ttack on razi s Key greement Protocol Dan Brown Certicom Research, Canada dbrown@certicom.com lfred Menezes Dept. of C&O, University of Waterloo, Canada ajmeneze@uwaterloo.ca bstract In
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationNon-Interactive Zero-Knowledge Proofs of Non-Membership
Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationWilliam Stallings Copyright 2010
A PPENDIX F M EASURES OF S ECRECY AND S ECURITY William Stallings Copyright 2010 F.1 PERFECT SECRECY...2! F.2 INFORMATION AND ENTROPY...8! Information...8! Entropy...10! Properties of the Entropy Function...12!
More informationPublic Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.
Public Key Cryptography All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other. The thing that is common among all of them is that each
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationCryptology. Vilius Stakėnas autumn
Cryptology Vilius Stakėnas 2010 autumn 2.22 Cryptographic protocols 2 Key distribution............................................ 3 Zero-knowledge proofs...................................... 4 ZKP concept.............................................
More informationCS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing
Lecture 11: Key Management, Secret Sharing Céline Blondeau Email: celine.blondeau@aalto.fi Department of Computer Science Aalto University, School of Science Key Management Secret Sharing Shamir s Threshold
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationThe Faithfulness of Abstract Protocol Analysis: Message Authentication
The Faithfulness of Abstract Protocol Analysis: Message Authentication Joshua D. Guttman F. Javier Thayer Lenore D. Zuck December 18, 2002 Abstract Dolev and Yao initiated an approach to studying cryptographic
More informationEntity Authentication
Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationQuestion 1. The Chinese University of Hong Kong, Spring 2018
CSCI 5440: Cryptography The Chinese University of Hong Kong, Spring 2018 Homework 2 Solutions Question 1 Consider the following encryption algorithm based on the shortlwe assumption. The secret key is
More informationProblem Set 4 Solutions
Introduction to Algorithms October 8, 2001 Massachusetts Institute of Technology 6.046J/18.410J Singapore-MIT Alliance SMA5503 Professors Erik Demaine, Lee Wee Sun, and Charles E. Leiserson Handout 18
More informationA Semantics for a Logic of Authentication. Cambridge, MA : A; B
A Semantics for a Logic of Authentication (Extended Abstract) Martn Abadi Digital Equipment Corporation Systems Research Center 130 Lytton Avenue Palo Alto, CA 94301 ma@src.dec.com Abstract: Burrows, Abadi,
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationElliptic Curves. Giulia Mauri. Politecnico di Milano website:
Elliptic Curves Giulia Mauri Politecnico di Milano email: giulia.mauri@polimi.it website: http://home.deib.polimi.it/gmauri May 13, 2015 Giulia Mauri (DEIB) Exercises May 13, 2015 1 / 34 Overview 1 Elliptic
More informationProtocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete
Protocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete Michaël Rusinowitch and Mathieu Turuani LORIA-INRIA- Université Henri Poincaré, 54506 Vandoeuvre-les-Nancy cedex, France
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 18 November 3, 2014 CPSC 467, Lecture 18 1/43 Zero Knowledge Interactive Proofs (ZKIP) Secret cave protocol ZKIP for graph isomorphism
More informationLecture 7: Boneh-Boyen Proof & Waters IBE System
CS395T Advanced Cryptography 2/0/2009 Lecture 7: Boneh-Boyen Proof & Waters IBE System Instructor: Brent Waters Scribe: Ioannis Rouselakis Review Last lecture we discussed about the Boneh-Boyen IBE system,
More informationCryptanalysis of a Group Key Transfer Protocol Based on Secret Sharing: Generalization and Countermeasures
Cryptanalysis of a Group Key Transfer Protocol Based on Secret Sharing: Generalization and Countermeasures Kallepu Raju, Appala Naidu Tentu, V. Ch. Venkaiah Abstract: Group key distribution protocol is
More informationAnalysing the Security of a Non-repudiation Communication Protocol with Mandatory Proof of Receipt
Analysing the Security of a Non-repudiation Communication Protocol with Mandatory Proof of Receipt TOM COFFEY, PUNEET SAIDHA, PETER URROWS Data Communication Security Laboratory University of Limerick
More informationPractice Exam Winter 2018, CS 485/585 Crypto March 14, 2018
Practice Exam Name: Winter 2018, CS 485/585 Crypto March 14, 2018 Portland State University Prof. Fang Song Instructions This exam contains 8 pages (including this cover page) and 5 questions. Total of
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 18 November 6, 2017 CPSC 467, Lecture 18 1/52 Authentication While Preventing Impersonation Challenge-response authentication protocols
More informationarxiv: v1 [cs.cr] 27 May 2016
Towards the Automated Verification of Cyber-Physical Security Protocols: Bounding the Number of Timed Intruders Vivek Nigam 1, Carolyn Talcott 2 and Abraão Aires Urquiza 1 arxiv:1605.08563v1 [cs.cr] 27
More informationENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions
ENEE 457: Computer Systems Security 09/19/16 Lecture 6 Message Authentication Codes and Hash Functions Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationb = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.
INTRODUCTION TO CRYPTOGRAPHY 5. Discrete Logarithms Recall the classical logarithm for real numbers: If we write b = 10 a, then a = log 10 b is the logarithm of b to the base 10. Changing the base to e
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 16 March 19, 2012 CPSC 467b, Lecture 16 1/58 Authentication While Preventing Impersonation Challenge-response authentication protocols
More information1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2
Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number
More informationGroup Undeniable Signatures
Group Undeniable Signatures YUH-DAUH LYUU Dept. of Computer Science & Information Engineering and Dept. of Finance National Taiwan University No 1, Sec 4, Roosevelt Rd, Taipei, Taiwan lyuu@csie.ntu.edu.tw
More informationAnalysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh
Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh Bruno Produit Institute of Computer Science University of Tartu produit@ut.ee December 19, 2017 Abstract This document is an analysis
More informationQuantum threat...and quantum solutions
Quantum threat...and quantum solutions How can quantum key distribution be integrated into a quantum-safe security infrastructure Bruno Huttner ID Quantique ICMC 2017 Outline Presentation of ID Quantique
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationAnalyzing the IETF ACE-OAuth Protocol
Analyzing the IETF ACE-OAuth Protocol Hannes Tschofenig Arm Limited, Email: hannes.tschofenig@arm.com I. ABSTRACT The OAuth Security Workshop series was started after a group of researchers from Trier/Germany
More informationGrover s algorithm based multi-qubit secret sharing scheme
Grover s algorithm based multi-qubit secret sharing scheme Arti Chamoli and C. M. Bhandari Indian Institute of Information Technology, Allahabad, Deoghat, Jhalwa, Allahabad-20, India. Email: achamoli@iiita.ac.in,
More informationGroup Diffie Hellman Protocols and ProVerif
Group Diffie Hellman Protocols and ProVerif CS 395T - Design and Analysis of Security Protocols Ankur Gupta Secure Multicast Communication Examples: Live broadcast of a match, stock quotes, video conferencing.
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationRound-Optimal Password-Based Authenticated Key Exchange
Round-Optimal Password-Based Authenticated Key Exchange Jonathan Katz Vinod Vaikuntanathan Abstract We show a general framework for constructing password-based authenticated key-exchange protocols with
More informationA Piggybank Protocol for Quantum Cryptography
Piggybank Protocol for Quantum Cryptography Navya Chodisetti bstract This paper presents a quantum mechanical version of the piggy-bank cryptography protocol. The basic piggybank cryptography idea is to
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 17.1.2017 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationIdentity-Based Online/Offline Encryption
Fuchun Guo 2 Yi Mu 1 Zhide Chen 2 1 University of Wollongong, Australia ymu@uow.edu.au 2 Fujian Normal University, Fuzhou, China fuchunguo1982@gmail.com Outline 1 2 3 4 Identity-based Encryption Review
More informationAsynchronous Communication 2
Asynchronous Communication 2 INF4140 22.11.12 Lecture 11 INF4140 (22.11.12) Asynchronous Communication 2 Lecture 11 1 / 37 Overview: Last time semantics: histories and trace sets specification: invariants
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 19 November 8, 2017 CPSC 467, Lecture 19 1/37 Zero Knowledge Interactive Proofs (ZKIP) ZKIP for graph isomorphism Feige-Fiat-Shamir
More information