The Kernel Matrix Diffie-Hellman Assumption
|
|
- Randolph Morris
- 5 years ago
- Views:
Transcription
1 The Kernel Matrix Diffie-Hellman Assumption Carla Ràfols 1, Paz Morillo 2 and Jorge L. Villar 2 1 Universitat Pompeu Fabra (UPF) Spain 2 Universitat Politècnica de Catalunya (UPC) Spain Matemática Aplicada a la Criptografía Asiacrypt 2016, Hanoi, 8 Dec 2016
2 Outline 1 Introduction 2 The Kernel Matrix Diffie-Hellman Assumption 3 Hardness of the KerDH Assumption 4 The Case l > k + 1
3 Additive (Implicit) Notation Given a group G of prime order q and a generator g G: g x [x] g [1] 1 [0] g x g y [x][y] = [x + y] (g x ) y [x] y = [xy] (g x 1,..., g xn ) [x 1,..., x n ] g x 11 g x 1m x 11 x 1m.... g x n1 g xnm x n1 x nm Given a (symmetric) bilinear map e : G G G T : e(g x, g y ) = g xy T e([x], [y]) = [xy] T
4 Subspace Membership Problems For a (k, l)-collection of vector subspaces of dimension k, S = {S i } i I, of the vector space Z l q, where 0 < k < l Definition (Subspace Membership Problem) Given G and g, tell apart D real = ([S], [z]) for random S S and z S D random = ([S], [z]) for random S S and z Z l q
5 Subspace Membership Problems For a (k, l)-collection of vector subspaces of dimension k, S = {S i } i I, of the vector space Z l q, where 0 < k < l Definition (Subspace Membership Problem) Given G and g, tell apart D real = ([S], [z]) for random S S and z S D random = ([S], [z]) for random S S and z Z l q Typically, S = Span A, where A Z l k q and rank A = k.
6 Subspace Membership Problems DDH: A(a) = z = ( ) 1 (w) = a ( ) 1 a ( w aw ) a Z q vs. z = ( z1 z 2 ) a Lin: A(a 1, a 2 ) = 0 a 2 a 1, a 2 Z q 1 1 a 1 0 ( ) a 1 w 1 z = 0 a 2 w1 = a w 2 w 2 vs. z = w 1 + w 2 z 1 z 2 z 3
7 Subspace Membership Problems DDH: A(a) = z = ( ) 1 (w) = a ( ) 1 a ( w aw ) a Z q vs. z = ( z1 z 2 ) a Lin: A(a 1, a 2 ) = 0 a 2 a 1, a 2 Z q 1 1 a 1 0 ( ) a 1 w 1 z = 0 a 2 w1 = a w 2 w 2 vs. z = w 1 + w 2 Matrix distributions z 1 z 2 z 3
8 Matrix Distributions Given 1 k < l, Definition (Polynomial Matrix Distribution) A Dl,k f, where A Zl k q, rank A = k and A is sampled according to A = f (a 1,..., a d ), where a 1,..., a d Z q and f is a polynomial map of constant degree.
9 Matrix Distributions Given 1 k < l, Definition (Polynomial Matrix Distribution) A Dl,k f, where A Zl k q, rank A = k and A is sampled according to A = f (a 1,..., a d ), where a 1,..., a d Z q and f is a polynomial map of constant degree. We also tolerate Pr(rank A < k) negl. We focus on the case l = k + 1, and deg f = 1
10 Matrix Distributions Given 1 k < l, Definition (Polynomial Matrix Distribution) A Dl,k f, where A Zl k q, rank A = k and A is sampled according to A = f (a 1,..., a d ), where a 1,..., a d Z q and f is a polynomial map of constant degree. We also tolerate Pr(rank A < k) negl. We focus on the case l = k + 1, and deg f = 1 E.g. A(a) = ( ) 1 a a 1 0 A(a 1, a 2 ) = 0 a 2 1 1
11 Matrix Decision Diffie-Hellman (MDDH) Problems Definition (Dl,k A -MDDH Problem [EHKRV13]) Tell apart the two probability distributions D real = (G, q, g, [A(t)], [A(t)w]), t Z d q, w Z k q D random = (G, q, g, [A(t)], [z]), t Z d q, z Z l q The Dl,k A -MDDH Assumption states that the above problem is hard, w.r.t. and instance generator (q, G, g) I
12 Matrix Decision Diffie-Hellman (MDDH) Problems Definition (Dl,k A -MDDH Problem [EHKRV13]) Tell apart the two probability distributions D real = (G, q, g, [A(t)], [A(t)w]), t Z d q, w Z k q D random = (G, q, g, [A(t)], [z]), t Z d q, z Z l q The Dl,k A -MDDH Assumption states that the above problem is hard, w.r.t. and instance generator (q, G, g) I Generic hardness depends on the degree and irreducibility of the determinant polynomial d(t, z) = det(a(t) z)
13 Known Instances t t 1,1 t 1,k. A k-unif = t A k-lin = t k+1,1 t k+1,k 0 0 t k t t.. 2. A k-casc = tk t t... A k-scasc = t 0 0 1
14 Applications Some known applications: Public key encryption Hash Proof systems Pseudorandom functions Non-interactive Zero-Knowledge proofs (Groth-Sahai) Efficient Proofs for CRS-Dependent Languages Key idea: Most constructions based on DDH or 2-Lin are actually valid for any MDDH problem We can obtain more compact instances more secure instances (secure even when an efficient multilinear map is available)
15 Outline 1 Introduction 2 The Kernel Matrix Diffie-Hellman Assumption 3 Hardness of the KerDH Assumption 4 The Case l > k + 1
16 Flexible Computational Matrix Problems Decision problems: natural model for indistinguishability adversarial capabilities (IND-CPA, pseudorandomness,... ).
17 Flexible Computational Matrix Problems Decision problems: natural model for indistinguishability adversarial capabilities (IND-CPA, pseudorandomness,... ). (Flexible) computational problems: Capture forgery adversarial capabilities. E.g. breaking unforgeability of a digital signature soundness of a ZK argument binding property of a commitment...
18 Flexible Computational Matrix Problems Decision problems: natural model for indistinguishability adversarial capabilities (IND-CPA, pseudorandomness,... ). (Flexible) computational problems: Capture forgery adversarial capabilities. E.g. breaking unforgeability of a digital signature soundness of a ZK argument binding property of a commitment... We unify some existing flexible computational problems in the literature in a single framework.
19 The Kernel Matrix Diffie-Hellman Assumption For a (r, l)-collection of vector subspaces of dimension r, S = {S i } i I, of the vector space Z l q, where 0 < r < l Definition (Subspace Sampling Problem) Given G, g and [S], find [x] where x is a nonzero vector in S Typically S = ker A, where A Z l k q, rank A = k and r = l k.
20 The Kernel Matrix Diffie-Hellman Assumption For a (r, l)-collection of vector subspaces of dimension r, S = {S i } i I, of the vector space Z l q, where 0 < r < l Definition (Subspace Sampling Problem) Given G, g and [S], find [x] where x is a nonzero vector in S Typically S = ker A, where A Z l k q, rank A = k and r = l k. Definition (Dl,k A -KerMDH Problem) Given [A], where A D l,k find a nonzero vector [x] such that x A = 0. The Dl,k A -KerDH Assumption states that the above problem is hard, w.r.t. and instance generator (q, G, g) I
21 KerMDH Examples DDH Kernel: A(a) = ( ) 1 a a Z q Given [A], find [x 1, x 2 ] [0] such that ( ) ( ) 1 x1 x 2 = x a 1 + ax 2 = 0 a Lin Kernel: A(a 1, a 2 ) = 0 a a 1, a 2 Z q Given [A], find [x 1, x 2, x 3 ] [0] such that ( ) a 1 0 x1 x 2 x 3 0 a 2 = ( ) a 1 x 1 + x 3 a 2 x 2 + x 3 = 0 1 1
22 KerMDH Examples DDH Kernel: A(a) = ( ) 1 a a Z q Given [A], find [x 1, x 2 ] [0] such that ( ) ( ) 1 x1 x 2 = x a 1 + ax 2 = 0 a Lin Kernel: A(a 1, a 2 ) = 0 a Just Take [x 1, x 2 ] = [ a, 1]! a 1, a 2 Z q Given [A], find [x 1, x 2, x 3 ] [0] such that ( ) a 1 0 x1 x 2 x 3 0 a 2 = ( ) a 1 x 1 + x 3 a 2 x 2 + x 3 = 0 1 1
23 KerMDH Examples DDH Kernel: A(a) = ( ) 1 a a Z q Given [A], find [x 1, x 2 ] [0] such that ( ) ( ) 1 x1 x 2 = x a 1 + ax 2 = 0 a Lin Kernel: A(a 1, a 2 ) = 0 a Just Take [x 1, x 2 ] = [ a, 1]! a 1, a 2 Z q Given [A], find [x 1, x 2, x 3 ] [0] such that ( ) a 1 0 x1 x 2 x 3 0 a 2 = ( ) a 1 x 1 + x 3 a 2 x 2 + x 3 = [x 1, x 2, x 3 ] = [ a 2 λ, a 1 λ, a 1 a 2 λ] for some λ. Hard to compute from [a 1 ], [a 2 ]!
24 More Examples Lemma (KerMDH vs. MDDH) In pairing groups, D A l,k -MDDH DA l,k -KerDH D real : x Aw = 0 x (Aw) = 0 e([x ], [Aw]) = [0] T D random : z Z l q x z 0 e([x ], [Aw]) [0] T w.o.p.
25 More Examples Lemma (KerMDH vs. MDDH) In pairing groups, D A l,k -MDDH DA l,k -KerDH D real : x Aw = 0 x (Aw) = 0 e([x ], [Aw]) = [0] T D random : z Z l q x z 0 e([x ], [Aw]) [0] T w.o.p. All hard MDDH instances define hard KerMDH instances: k-unif, k-lin, k-casc, k-scasc,...
26 The KerMDH Family KerMDH integrates some previously known assumptions: Find-Rep [Brands93] Simultaneous Double Pairing [AFGHO10] Triple Pairing [Groth10] Simultaneous Pairing [GL07] 1-Flexible Diffie-Hellman [LV08] 1-Flexible Square Diffie-Hellman [LPV05]
27 The KerMDH Family KerMDH integrates some previously known assumptions: Find-Rep [Brands93] Simultaneous Double Pairing [AFGHO10] Triple Pairing [Groth10] Simultaneous Pairing [GL07] 1-Flexible Diffie-Hellman [LV08] 1-Flexible Square Diffie-Hellman [LPV05] Applications: Homomorphic Signatures [LPJY13] Quasi-Adaptive NIZK [KW15] Trapdoor Commitments to Group Elements Structure Preserving Signatures [KPW15],...
28 The power of KerMDH Designated-verifier proof of membership: Given [x] and [M], prove that x = Mw for some w. Designated verifier keys: Secret K, public [M K ]. Proof: [π] such that π = x K. ([π ] = [w M K ] fulfils the equation)
29 The power of KerMDH Designated-verifier proof of membership: Given [x] and [M], prove that x = Mw for some w. Designated verifier keys: Secret K, public [M K ]. Proof: [π] such that π = x K. ([π ] = [w M K ] fulfils the equation) Using D l,k -KerDH, Publicly verifiable proof: Public parameters: [M], [M K ], [A], [KA], A D l,k. Proof: [π] such that e([π ], [A]) = e([x ], [KA]). π A = x KA (π x K )A = 0 π = x K or D l,k -KerDH is easy.
30 Outline 1 Introduction 2 The Kernel Matrix Diffie-Hellman Assumption 3 Hardness of the KerDH Assumption 4 The Case l > k + 1
31 Hardness of KerDH Hard instances: D l,k hard for k > 1, implies that D l,k -KerDH is hard in the generic k-linear group model
32 Hardness of KerDH Hard instances: D l,k hard for k > 1, implies that D l,k -KerDH is hard in the generic k-linear group model Algebraic Reductions: If B = LAR then D B l,k -KerDH DA l,k -KerDH
33 Hardness of KerDH Hard instances: D l,k hard for k > 1, implies that D l,k -KerDH is hard in the generic k-linear group model Algebraic Reductions: If B = LAR then D B l,k -KerDH DA l,k -KerDH Increasing Hardness: For the typical families of hard D l,k of increasing size D A k+1 -KerDH DA k -KerDH D A k+1 -KerDH DA k -KerDH
34 Hardness of KerDH Hard instances: D l,k hard for k > 1, implies that D l,k -KerDH is hard in the generic k-linear group model Algebraic Reductions: If B = LAR then D B l,k -KerDH DA l,k -KerDH Increasing Hardness: For the typical families of hard D l,k of increasing size D A k+1 -KerDH DA k -KerDH D A k+1 -KerDH DA k -KerDH Explicit Reductions
35 Hardness of KerDH Hard instances: D l,k hard for k > 1, implies that D l,k -KerDH is hard in the generic k-linear group model Algebraic Reductions: If B = LAR then D B l,k -KerDH DA l,k -KerDH Increasing Hardness: For the typical families of hard D l,k of increasing size D A k+1 -KerDH DA k -KerDH D A k+1 -KerDH DA k -KerDH Black-Box Separation Explicit Reductions
36 Families with Increasing Hardness [EHKRV13] D 1 -MDDH D 2 -MDDH D 3 -MDDH D 4 -MDDH / / / / D 2 -KerDH D 3 -KerDH D 4 -KerDH / / / [This work] Valid for all families: k-unif, k-lin, k-casc, k-scasc.
37 Black-Box Separations BB P 1 P 2 means that a reduction R solves P 1 using any possible oracle solving P 2.
38 Black-Box Separations BB P 1 P 2 means that a reduction R solves P 1 using any possible oracle solving P 2. Black-box reductions between flexible problems are hard to find (or they are very natural) (R must work for all possible solutions of P 2.)
39 Black-Box Separations BB P 1 P 2 means that a reduction R solves P 1 using any possible oracle solving P 2. Black-box reductions between flexible problems are hard to find (or they are very natural) (R must work for all possible solutions of P 2.) Black-box separation means that every BB reduction fails for some oracle for P 2.
40 Black-Box Separations BB P 1 P 2 means that a reduction R solves P 1 using any possible oracle solving P 2. Black-box reductions between flexible problems are hard to find (or they are very natural) (R must work for all possible solutions of P 2.) Black-box separation means that every BB reduction fails for some oracle for P 2. We impose some extra requirements to R: It is generic (it works on the generic k-linear group model), It makes a constant number of calls Q to the P 2 oracle.
41 BB Separation: Reduction Splitting D l,k -KerDH R D l, k-kerdh for k > k $ [A] R 0 s R 1 [v] = [u + η(w)] O Q 1 queries [w] [ker à ] [Ã] O last query
42 BB Separation: Reduction Splitting D l,k -KerDH R D l, k-kerdh for k > k $ [A] R 0 s R 1 [v] = [u + η(w)] O Q 1 queries [w] [ker à ] [Ã] O last query Generic model: η is linear and it only depends on $. dim Im(η) < k
43 BB Separation: Query Supression Definition (k-elusiveness) A (r, l)-collection of vector subspaces S is k-elusive if given any k-vector subspace F, Pr[S F {0} : S S] negl
44 BB Separation: Query Supression Definition (k-elusiveness) A (r, l)-collection of vector subspaces S is k-elusive if given any k-vector subspace F, Pr[S F {0} : S S] negl Lemma For any hard matrix distribution D l,k, the collection of subspaces {ker A } A Dl,k is k-elusive.
45 BB Separation: Query Supression Definition (k-elusiveness) A (r, l)-collection of vector subspaces S is k-elusive if given any k-vector subspace F, Pr[S F {0} : S S] negl Lemma For any hard matrix distribution D l,k, the collection of subspaces {ker A } A Dl,k is k-elusive. We prove the last oracle call does not help the reduction. By induction, if R exists then D l,k -KerDH can be solved directly (e.g. Q = 0). Larger Kernel Problems are strictly harder!
46 Outline 1 Introduction 2 The Kernel Matrix Diffie-Hellman Assumption 3 Hardness of the KerDH Assumption 4 The Case l > k + 1
47 A New Matrix Distribution With l > k + 1 (k, d)-circ: A compact hard matrix distribution with l > k + 1 t 1 0. t 1. t d... A (k, d)-circ = 1 t d t td 0 1
48 A New Matrix Distribution With l > k + 1 (k, d)-circ: A compact hard matrix distribution with l > k + 1 t 1 0. t 1. t d... A (k, d)-circ = 1 t d t td 0 1 Optimal representation size for hard (k + d) k polynomial matrix distributions of degree 1 Application: Compact public key structure preserving commitments to vectors (see paper)
49 Generic Hardness of (k, d)-circ A(t) has a constant nonzero k-minor (The easy case of the Determinant Criterion for l > k + 1 in [Herold2014])
50 Generic Hardness of (k, d)-circ A(t) has a constant nonzero k-minor (The easy case of the Determinant Criterion for l > k + 1 in [Herold2014]) The principal ideal (d) used in the case l = k + 1 is replaced by the ideal I generated by all the (k + 1)-minors of (A(t) z).
51 Generic Hardness of (k, d)-circ A(t) has a constant nonzero k-minor (The easy case of the Determinant Criterion for l > k + 1 in [Herold2014]) The principal ideal (d) used in the case l = k + 1 is replaced by the ideal I generated by all the (k + 1)-minors of (A(t) z). Only polynomials p in I can be used successfully by a solver of (k, d)-circ-mddh.
52 Generic Hardness of (k, d)-circ A(t) has a constant nonzero k-minor (The easy case of the Determinant Criterion for l > k + 1 in [Herold2014]) The principal ideal (d) used in the case l = k + 1 is replaced by the ideal I generated by all the (k + 1)-minors of (A(t) z). Only polynomials p in I can be used successfully by a solver of (k, d)-circ-mddh. We prove that the set of (k + 1)-minors of (A(t) z) for (k, d)-circ is a Gröbner basis of I, and all minors have total degree k + 1. Then, no nonzero polynomial of degree k exist in I.
53 Optimal Compactness of (k, d)-circ Theorem Any hard polynomial matrix distribution Dl,k A least l k parameters. of degree 1, has at
54 Optimal Compactness of (k, d)-circ Theorem Any hard polynomial matrix distribution Dl,k A least l k parameters. of degree 1, has at If d < l k: apply gaussian row elimination with scalar coefficients to the matrix A(t) Dl,k f to put at least l (d + 1) k zeros in the first column. There exists an invertible matrix L GL l (Z q ) such that LA(t) has an identically zero k-minor. LA(t) defines an easy MDDH problem. Therefore, D l,k -MDDH is also easy.
55 The Kernel Matrix Diffie-Hellman Assumption Carla Ràfols 1, Paz Morillo 2 and Jorge L. Villar 2 1 Universitat Pompeu Fabra (UPF) Spain 2 Universitat Politècnica de Catalunya (UPC) Spain Matemática Aplicada a la Criptografía Asiacrypt 2016, Hanoi, 8 Dec 2016 The End!
Disjunctions for Hash Proof Systems: New Constructions and Applications
Disjunctions for Hash Proof Systems: New Constructions and Applications Michel Abdalla, Fabrice Benhamouda, and David Pointcheval ENS, Paris, France Abstract. Hash Proof Systems were first introduced by
More informationAn Algebraic Framework for Diffie-Hellman Assumptions
An Algebraic Framework for Diffie-Hellman Assumptions Alex Escala 1, Gottfried Herold 2, Eike Kiltz 2, Carla Ràfols 2, and Jorge Villar 3 1 Universitat Autònoma de Barcelona, Spain 2 Horst-Görtz Institute
More informationImproved Structure Preserving Signatures under Standard Bilinear Assumptions
Improved Structure Preserving Signatures under Standard Bilinear Assumptions Charanjit S. Jutla 1 and Arnab Roy 2 1 IBM T. J. Watson Research Center, Yorktown Heights, NY, USA csjutla@us.ibm.com 2 Fujitsu
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationEssam Ghadafi CT-RSA 2016
SHORT STRUCTURE-PRESERVING SIGNATURES Essam Ghadafi e.ghadafi@ucl.ac.uk Department of Computer Science, University College London CT-RSA 2016 SHORT STRUCTURE-PRESERVING SIGNATURES OUTLINE 1 BACKGROUND
More informationShorter Quasi-Adaptive NIZK Proofs for Linear Subspaces
Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces Charanjit S. Jutla 1 and Arnab Roy 2 1 IBM T. J. Watson Research Center Yorktown Heights, NY 10598, USA csjutla@us.ibm.com 2 Fujitsu Laboratories
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationTrapdoor functions from the Computational Diffie-Hellman Assumption
Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad Hajiabadi 1,2 1 University of California, Berkeley 2 University of Virginia August 22, 2018 1 / 18 Classical Public-Key
More informationOn the CCA1-Security of Elgamal and Damgård s Elgamal
On the CCA1-Security of Elgamal and Damgård s Elgamal Cybernetica AS, Estonia Tallinn University, Estonia October 21, 2010 Outline I Motivation 1 Motivation 2 3 Motivation Three well-known security requirements
More informationOutline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationAdaptive partitioning. Dennis Hofheinz (KIT, Karlsruhe)
Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Public-Key Encryption Accepted security
More informationGraded Encoding Schemes from Obfuscation
Graded Encoding Schemes from Obfuscation Pooya Farshim 1&2, Julia Hesse 1&2&5, Dennis Hofheinz 3, and Enrique Larraia 4 1 Département d informatique de l ENS, École normale supérieure, CNRS, PSL Research
More informationGraded Encoding Schemes from Obfuscation
Graded Encoding Schemes from Obfuscation Pooya Farshim,1,2, Julia Hesse 1,2,3, Dennis Hofheinz,3, and Enrique Larraia 1 DIENS, École normale supérieure, CNRS, PSL Research University, Paris, France 2 INRIA
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationTightly Secure CCA-Secure Encryption without Pairings
Tightly Secure CCA-Secure Encryption without Pairings Romain Gay 1,, Dennis Hofheinz 2,, Eike Kiltz 3,, and Hoeteck Wee 1, 1 ENS, Paris, France rgay,wee@di.ens.fr 2 Ruhr-Universität Bochum, Bochum, Germany
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationShort Signatures Without Random Oracles
Short Signatures Without Random Oracles Dan Boneh and Xavier Boyen (presented by Aleksandr Yampolskiy) Outline Motivation Preliminaries Secure short signature Extensions Conclusion Why signatures without
More informationLecture 2: Program Obfuscation - II April 1, 2009
Advanced Topics in Cryptography Lecture 2: Program Obfuscation - II April 1, 2009 Lecturer: S. Goldwasser, M. Naor Scribe by: R. Marianer, R. Rothblum Updated: May 3, 2009 1 Introduction Barak et-al[1]
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More information14 Diffie-Hellman Key Agreement
14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n
More informationStructure-Preserving Signatures from Standard Assumptions, Revisited
Structure-Preserving Signatures from Standard Assumptions, Revisited Eike Kiltz, Jiaxin Pan, and Hoeteck Wee 1 Ruhr-Universität Bochum 2 Ruhr-Universität Bochum 3 ENS, Paris {eike.kiltz,jiaxin.pan}@rub.de,
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationQuasi-Adaptive NIZK for Linear Subspaces Revisited
Quasi-Adaptive NIZK for Linear Subspaces Revisited Eike Kiltz and Hoeteck Wee 1 Ruhr-Universität Bochum 2 ENS, Paris Abstract. Non-interactive zero-knowledge (NIZK) proofs for algebraic relations in a
More informationDual-System Simulation-Soundness with Applications to UC-PAKE and More
Dual-System Simulation-Soundness with Applications to UC-PAKE and More Charanjit S. Jutla IBM T. J. Watson Research Center Yorktown Heights, NY 10598, USA csjutla@us.ibm.com Arnab Roy Fujitsu Laboratories
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationParallel Decryption Queries in Bounded Chosen Ciphertext Attacks
Parallel Decryption Queries in Bounded Chosen Ciphertext Attacks Takahiro Matsuda and Kanta Matsuura The University of Tokyo, Japan {tmatsuda,kanta}@iis.u-tokyo.ac.jp Abstract. Whether it is possible to
More informationProofs of Ignorance and Applications to 2-Message Witness Hiding
Proofs of Ignorance and Applications to 2-Message Witness Hiding Apoorvaa Deshpande Yael Kalai September 25, 208 Abstract We consider the following paradoxical question: Can one prove lack of knowledge?
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationPublic-Key Encryption with Simulation-Based Selective-Opening Security and Compact Ciphertexts
Public-Key Encryption with Simulation-Based Selective-Opening Security and Compact Ciphertexts Dennis Hofheinz 1, Tibor Jager 2, and Andy Rupp 1 1 Karlsruhe Institute of Technology, Germany {dennis.hofheinz,andy.rupp}@kit.edu
More informationPractical Round-Optimal Blind Signatures in the Standard Model
W I S S E N T E C H N I K L E I D E N S C H A F T IAIK Practical Round-Optimal Blind Signatures in the Standard Model Georg Fuchsbauer, Christian Hanser and Daniel Slamanig, Institute of Science and Technology
More informationIdentity-based encryption
Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationLecture 11 The Radical and Semisimple Lie Algebras
18.745 Introduction to Lie Algebras October 14, 2010 Lecture 11 The Radical and Semisimple Lie Algebras Prof. Victor Kac Scribe: Scott Kovach and Qinxuan Pan Exercise 11.1. Let g be a Lie algebra. Then
More informationRandom Oracles in a Quantum World
Dan Boneh 1 Özgür Dagdelen 2 Marc Fischlin 2 Anja Lehmann 3 Christian Schaffner 4 Mark Zhandry 1 1 Stanford University, USA 2 CASED & Darmstadt University of Technology, Germany 3 IBM Research Zurich,
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationOn the (Im)possibility of Projecting Property in Prime-Order Setting
On the (Im)possibility of Projecting Property in Prime-Order Setting Jae Hong Seo Department of Mathematics, Myongji University, Yongin, Republic of Korea jaehongseo@mju.ac.r Abstract. Projecting bilinear
More informationSIS-based Signatures
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin February 26, 2013 Basics We will use the following parameters: n, the security parameter. =poly(n). m 2n log s 2 n
More informationEfficient Smooth Projective Hash Functions and Applications
Efficient Smooth Projective Hash Functions and Applications David Pointcheval Joint work with Olivier Blazy, Céline Chevalier and Damien Vergnaud Ecole Normale Supérieure Isaac Newton Institute for Mathematical
More informationNotes for Lecture Decision Diffie Hellman and Quadratic Residues
U.C. Berkeley CS276: Cryptography Handout N19 Luca Trevisan March 31, 2009 Notes for Lecture 19 Scribed by Cynthia Sturton, posted May 1, 2009 Summary Today we continue to discuss number-theoretic constructions
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationEx1 Ex2 Ex3 Ex4 Ex5 Ex6
Technische Universität München (I7) Winter 2012/13 Dr. M. Luttenberger / M. Schlund Cryptography Endterm Last name: First name: Student ID no.: Signature: If you feel ill, let us know immediately. Please,
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationIdentity-based Encryption Tightly Secure under Chosen-ciphertext Attacks
Identity-based Encryption Tightly Secure under Chosen-ciphertext Attacks Dennis Hofheinz 1, Dingding Jia 2,3,4, and Jiaxin Pan 1 1 Karlsruhe Institute of Technology, Karlsruhe, Germany {Dennis.Hofheinz,
More informationEfficient Fully-Leakage Resilient One-More Signature Schemes
Efficient Fully-Leakage Resilient One-More Signature Schemes Antonio Faonio IMDEA Software Institute, Madrid, Spain In a recent paper Faonio, Nielsen and Venturi (ICALP 2015) gave new constructions of
More informationA New Constant-size Accountable Ring Signature Scheme Without Random Oracles
New Constant-size ccountable Ring Signature Scheme Without Random Oracles Sudhakar Kumawat 1 and Souradyuti Paul 2 1 Indian Institute of Technology Gandhinagar 2 Indian Institute of Technology Bhilai {sudhakar.bm07,souradyuti.paul}@gmail.com
More informationIDEAL CLASSES AND RELATIVE INTEGERS
IDEAL CLASSES AND RELATIVE INTEGERS KEITH CONRAD The ring of integers of a number field is free as a Z-module. It is a module not just over Z, but also over any intermediate ring of integers. That is,
More informationLinear Algebra. Min Yan
Linear Algebra Min Yan January 2, 2018 2 Contents 1 Vector Space 7 1.1 Definition................................. 7 1.1.1 Axioms of Vector Space..................... 7 1.1.2 Consequence of Axiom......................
More informationMultilinear Maps from Obfuscation
Multilinear Maps from Obfuscation Martin R. Albrecht (RHUL) Pooya Farshim (QUB) Shuai Han (SJTU) Dennis Hofheinz (KIT) Enrique Larraia (RHUL) Kenneth G. Paterson (RHUL) December 18, 2017 Abstract We provide
More informationPolynomial Spaces: ANewFrameworkforComposite-to-Prime-OrderTransformations
Polynomial Spaces: ANewFrameworkforComposite-to-Prime-OrderTransformations Gottfried Herold 1, Julia Hesse 2, Dennis Hofheinz 2,CarlaRàfols 1, and Andy Rupp 2 1 Ruhr-University Bochum, Germany {gottfried.herold,carla.rafols}@rub.de
More informationHunting and Gathering Verifiable Random Functions from Standard Assumptions with Short Proofs
Hunting and Gathering Verifiable Random Functions from Standard Assumptions with Short Proofs Lisa Kohl Karlsruhe Institute of Technology, Karlsruhe, Germany Lisa.Kohl@kit.edu Abstract. A verifiable random
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationA SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL
A SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL Prastudy Fauzi, Helger Lipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016 OUR RESULTS A new efficient CRS-based NIZK shuffle argument OUR RESULTS
More informationOn the Impossibility of Structure-Preserving Deterministic Primitives
On the Impossibility of Structure-Preserving Deterministic Primitives Masayuki Abe 1, Jan Camenisch 2, Rafael Dowsley 3, and Maria Dubovitskaya 2,4 1 NTT Corporation, Japan, abe.masayuki@lab.ntt.co.jp
More informationPrastudy Fauzi, HelgerLipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016
Prastudy Fauzi, HelgerLipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016 A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification
More informationGGHLite: More Efficient Multilinear Maps from Ideal Lattices
GGHLite: More Efficient Multilinear Maps from Ideal Lattices Adeline Langlois, Damien Stehlé and Ron Steinfeld Aric Team, LIP, ENS de Lyon May, 4 Adeline Langlois GGHLite May, 4 / 9 Our main result Decrease
More informationNon-interactive Zaps and New Techniques for NIZK
Non-interactive Zaps and New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai July 10, 2006 Abstract In 2000, Dwork and Naor proved a very surprising result: that there exist Zaps, tworound witness-indistinguishable
More informationTest 3, Linear Algebra
Test 3, Linear Algebra Dr. Adam Graham-Squire, Fall 2017 Name: I pledge that I have neither given nor received any unauthorized assistance on this exam. (signature) DIRECTIONS 1. Don t panic. 2. Show all
More informationTHE MINIMAL POLYNOMIAL AND SOME APPLICATIONS
THE MINIMAL POLYNOMIAL AND SOME APPLICATIONS KEITH CONRAD. Introduction The easiest matrices to compute with are the diagonal ones. The sum and product of diagonal matrices can be computed componentwise
More informationSimulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures
Simulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth UCLA, Computer Science Department 3531A Boelter Hall Los Angeles, CA 90095, USA jg@cs.ucla.edu December
More informationLinear Multi-Prover Interactive Proofs
Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Interactive Arguments for NP L C = x C x, w = 1 for some w P(x, w) V(x) accept / reject
More informationPolicy-based Signature
Reporter:Ximeng Liu Supervisor: Rongxing Lu School of EEE, NTU November 2, 2013 1 2 3 1. Bellare M, Fuchsbauer G. s[r]. Cryptology eprint Archive, Report 2013/413, 2013. 2. [GS08] Jens Groth, Amit Sahai.
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationA More Efficient Computationally Sound Non-Interactive Zero-Knowledge Shuffle Argument
A More Efficient Computationally Sound Non-Interactive Zero-Knowledge Shuffle Argument Helger Lipmaa 1 and Bingsheng Zhang 2 1 University of Tartu, Estonia 2 State University of New York at Buffalo, USA
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More informationAssignment 1 Math 5341 Linear Algebra Review. Give complete answers to each of the following questions. Show all of your work.
Assignment 1 Math 5341 Linear Algebra Review Give complete answers to each of the following questions Show all of your work Note: You might struggle with some of these questions, either because it has
More informationA Novel Strong Designated Verifier Signature Scheme without Random Oracles
1 A Novel Strong Designated Verifier Signature Scheme without Random Oracles Maryam Rajabzadeh Asaar 1, Mahmoud Salmasizadeh 2 1 Department of Electrical Engineering, 2 Electronics Research Institute (Center),
More informationALGEBRA QUALIFYING EXAM PROBLEMS LINEAR ALGEBRA
ALGEBRA QUALIFYING EXAM PROBLEMS LINEAR ALGEBRA Kent State University Department of Mathematical Sciences Compiled and Maintained by Donald L. White Version: August 29, 2017 CONTENTS LINEAR ALGEBRA AND
More informationLimitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures
Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures Sarah Meiklejohn (UC San Diego) Hovav Shacham (UC San Diego) David Mandell Freeman
More informationEfficient Identity-based Encryption Without Random Oracles
Efficient Identity-based Encryption Without Random Oracles Brent Waters Weiwei Liu School of Computer Science and Software Engineering 1/32 Weiwei Liu Efficient Identity-based Encryption Without Random
More informationEUF-CMA-Secure Structure-Preserving Signatures on Equivalence Classes
EUF-CMA-Secure Structure-Preserving Signatures on Equivalence Classes Georg Fuchsbauer Christian Hanser 2 Daniel Slamanig 2 IST Austria georg.fuchsbauer@ist.ac.at 2 Institute for Applied Information Processing
More informationA Profitable Sub-Prime Loan: Obtaining the Advantages of Composite Order in Prime-Order Bilinear Groups
Full version of an extended abstract published in Proceedings of PKC 2015, Springer-Verlag, 2015. Available from the IACR Cryptology eprint Archive as Report 2013/300. A Profitable Sub-Prime Loan: Obtaining
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationA REDUCTION OF SEMIGROUP DLP TO CLASSIC DLP
A REDUCTION OF SEMIGROUP DLP TO CLASSIC DLP MATAN BANIN AND BOAZ TSABAN Abstract. We present a polynomial-time reduction of the discrete logarithm problem in any periodic (or torsion) semigroup (Semigroup
More informationCompactly Hiding Linear Spans
Published in T. Iwata and J. H. Cheon, Eds., Advances in Cryptology ASIACYPT 2015, Part I, vol. 9452 of Lecture Notes in Computer Science, pp. 681-707, Springer, 2015. Compactly Hiding Linear Spans Tightly
More informationIntroduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016
Introduction to Modern Cryptography Recitation 3 Orit Moskovich Tel Aviv University November 16, 2016 The group: Z N Let N 2 be an integer The set Z N = a 1,, N 1 gcd a, N = 1 with respect to multiplication
More informationEfficient Public-Key Cryptography in the Presence of Key Leakage
Efficient Public-Key Cryptography in the Presence of Key Leakage Yevgeniy Dodis Kristiyan Haralambiev Adriana López-Alt Daniel Wichs August 17, 2010 Abstract We study the design of cryptographic primitives
More informationCryptographic Solutions for Data Integrity in the Cloud
Cryptographic Solutions for Stanford University, USA Stanford Computer Forum 2 April 2012 Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. Homomorphic
More information50 Algebraic Extensions
50 Algebraic Extensions Let E/K be a field extension and let a E be algebraic over K. Then there is a nonzero polynomial f in K[x] such that f(a) = 0. Hence the subset A = {f K[x]: f(a) = 0} of K[x] does
More informationStructure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials
Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials Christian Hanser and Daniel Slamanig Institute for Applied Information Processing and Communications
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More informationHonors Algebra 4, MATH 371 Winter 2010 Assignment 4 Due Wednesday, February 17 at 08:35
Honors Algebra 4, MATH 371 Winter 2010 Assignment 4 Due Wednesday, February 17 at 08:35 1. Let R be a commutative ring with 1 0. (a) Prove that the nilradical of R is equal to the intersection of the prime
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationIdentity-based Encryption Tightly Secure under Chosen-ciphertext Attacks
Identity-based Encryption Tightly Secure under Chosen-ciphertext Attacks Dennis Hofheinz 1 Dingding Jia 2,3,4 Jiaxin Pan 1 1 Karlsruhe Institute of Technology, Karlsruhe, Germany {Dennis.Hofheinz, Jiaxin.Pan}@kit.edu
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationStrong Security Models for Public-Key Encryption Schemes
Strong Security Models for Public-Key Encryption Schemes Pooya Farshim (Joint Work with Manuel Barbosa) Information Security Group, Royal Holloway, University of London, Egham TW20 0EX, United Kingdom.
More information1 Public-key encryption
CSCI 5440: Cryptography Lecture 4 The Chinese University of Hong Kong, Spring 2018 29 and 30 January 2018 1 Public-key encryption Public-key encryption is a type of protocol by which Alice can send Bob
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More information