Trapdoor functions from the Computational Diffie-Hellman Assumption
|
|
- Helen Potter
- 5 years ago
- Views:
Transcription
1 Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad Hajiabadi 1,2 1 University of California, Berkeley 2 University of Virginia August 22, / 18
2 Classical Public-Key Crypto 2 / 18
3 Classical Public-Key Crypto 2 / 18
4 PKE and TDF PKE pk pk 1 k G m E c c D m sk r sk 3 / 18
5 PKE and TDF PKE pk pk 1 k G m E c c D m sk r sk Security: m 0, m 1 : (pk, E(pk, m 0 ; r 0 )) c (pk, E(pk, m 1 ; r 1 )) 3 / 18
6 PKE and TDF PKE pk pk 1 k G m E c c D m sk r sk Security: m 0, m 1 : (pk, E(pk, m 0 ; r 0 )) c (pk, E(pk, m 1 ; r 1 )) TDF ik ik 1 k G x F y y F 1 x tk tk 3 / 18
7 PKE and TDF PKE pk pk 1 k G m E c c D m sk r sk Security: m 0, m 1 : (pk, E(pk, m 0 ; r 0 )) c (pk, E(pk, m 1 ; r 1 )) TDF ik ik 1 k G x F y y F 1 x tk One-wayness Security: (ik, F(ik, x))? x is hard for random ik, x. tk 3 / 18
8 TDF vs PKE Main Difference No randomness used in the evaluation algorithm of TDF. 4 / 18
9 TDF vs PKE Main Difference No randomness used in the evaluation algorithm of TDF. Relations TDF implies the existence of PKE. [Yao 82, GM 82]. 4 / 18
10 TDF vs PKE Main Difference No randomness used in the evaluation algorithm of TDF. Relations TDF implies the existence of PKE. [Yao 82, GM 82]. TDF impossible from PKE w.r.t. black-box techniques [GMR 01]. 4 / 18
11 TDF Usefulness ik 1, ik 2 ik 1, ik 2 and tk 1 5 / 18
12 TDF Usefulness ik 1, ik 2 ik 1, ik 2 and tk 1 y 1 = F (ik 1, x 1 ), y 2 = F (ik 2, x 2 ) 5 / 18
13 TDF Usefulness ik 1, ik 2 ik 1, ik 2 and tk 1 y 1 = F (ik 1, x 1 ), y 2 = F (ik 2, x 2 ) Prove that x 1 = x 2 5 / 18
14 TDF Usefulness ik 1, ik 2 ik 1, ik 2 and tk 1 y 1 = F (ik 1, x 1 ), y 2 = F (ik 2, x 2 ) Prove that x 1 = x 2 Bob: Compute x 1 = F 1 (tk 1, y 1 ) and check if y 2 = F(ik 2, x 1 ). Application: black-box constructions of CCA-secure PKE ([PW 08,RS 09, etc]). 5 / 18
15 TDF Usefulness ik 1, ik 2 ik 1, ik 2 and tk 1 y 1 = F (ik 1, x 1 ), y 2 = F (ik 2, x 2 ) Prove that x 1 = x 2 Bob: Compute x 1 = F 1 (tk 1, y 1 ) and check if y 2 = F(ik 2, x 1 ). Application: black-box constructions of CCA-secure PKE ([PW 08,RS 09, etc]). PKE instead of TDF Consistency check: require some kind of proof (e.g., NIZK). [BFY90,NY90] 5 / 18
16 What assumptions are sufficient for TDFs? Factoring DDH and LWE [PW08] 6 / 18
17 What assumptions are sufficient for TDFs? Factoring DDH and LWE [PW08] Big gap from PKE! 6 / 18
18 What assumptions are sufficient for TDFs? Factoring DDH and LWE [PW08] Big gap from PKE! This talk: We can do it from CDH. 6 / 18
19 CDH and DDH G: group of order p and generator g. 7 / 18
20 CDH and DDH G: group of order p and generator g. Computational Diffie-Hellman (CDH) Hard to compute g xy from (g, g x, g y ), where x, y Z p. 7 / 18
21 CDH and DDH G: group of order p and generator g. Computational Diffie-Hellman (CDH) Hard to compute g xy from (g, g x, g y ), where x, y Z p. Decisional Diffie-Hellman (DDH) (g, g x, g y, g xy ) c (g, g x, g y, g z ), where x, y, z Z p 7 / 18
22 Why is CDH Preferable? 8 / 18
23 Why is CDH Preferable? CDH is a weaker assumption. There are groups in which CDH is conjectured to be hard but DDH is easy (e.g., Z p, groups with pairings). 8 / 18
24 Main Challenge in Building TDF from DH-Related Assumptions Why is constructing TDF from Diffie-Hellman assumptions difficult? 9 / 18
25 Main Challenge in Building TDF from DH-Related Assumptions Why is constructing TDF from Diffie-Hellman assumptions difficult? It doesn t naturally offer trapdoors! 9 / 18
26 TDF from DDH (Failed Idea Using ElGamal Encryption) 10 / 18
27 TDF from DDH (Failed Idea Using ElGamal Encryption) (G, g), G = p. pk = g α pk c = (g r, pk r m) r? 1 k G m E c D sk = α r sk = α m 10 / 18
28 TDF from DDH (Failed Idea Using ElGamal Encryption) (G, g), G = p. pk = g α pk c = (g r, pk r m) r? 1 k G m E c D sk = α r sk = α m Main bottleneck in designing TDFs Recovering r: solving the Discrete Log! 10 / 18
29 DDH-Based TDF [Peikert-Waters 08] (G, g), G = p. 11 / 18
30 DDH-Based TDF [Peikert-Waters 08] (G, g), G = p. ik = g M where M Z n n p (and invertible) and tk = M 1 11 / 18
31 DDH-Based TDF [Peikert-Waters 08] (G, g), G = p. ik = g M where M Z n n p (and invertible) and tk = M 1 g M x {0, 1} n F y = g MxT y F 1 tk = M 1 (g x 1,..., g xn) 11 / 18
32 DDH-Based TDF [Peikert-Waters 08] (G, g), G = p. ik = g M where M Z n n p (and invertible) and tk = M 1 g M x {0, 1} n F y = g MxT y F 1 tk = M 1 (g x 1,..., g xn) Can solve discrete-log as x 1... x n {0, 1}! 11 / 18
33 DDH-Based TDF [Peikert-Waters 08] (G, g), G = p. ik = g M where M Z n n p (and invertible) and tk = M 1 g M x {0, 1} n F y = g MxT y F 1 tk = M 1 (g x 1,..., g xn) Can solve discrete-log as x 1... x n {0, 1}! One-wayness Matrix pseudorandomness [NR97]: DDH implies g M c g M, where M is a random invertible matrix and M is a random rank-one matrix. 11 / 18
34 DDH-Based TDF [Peikert-Waters 08] (G, g), G = p. ik = g M where M Z n n p (and invertible) and tk = M 1 g M x {0, 1} n F y = g MxT y F 1 tk = M 1 (g x 1,..., g xn) Can solve discrete-log as x 1... x n {0, 1}! One-wayness Matrix pseudorandomness [NR97]: DDH implies g M c g M, where M is a random invertible matrix and M is a random rank-one matrix. CDH is not known to imply rank indistinguishability. 11 / 18
35 1 Background Introduction Main Challenges 2 Our TDF Construction Our Methodology Base Primitive: Recyclable Targeting KEM TDF from Recyclable Targeting KEM 3 Summary and Future Work 12 / 18
36 Our Methodology for building TDF from CDH Derandomizing a class of PKE 13 / 18
37 Our Methodology for building TDF from CDH Derandomizing a class of PKE TDFs from recyclable targeted key-encapsulation schemes (Recyclable Targeted KEMs) [DG 17, BBS 03] 13 / 18
38 Our Methodology for building TDF from CDH Derandomizing a class of PKE TDFs from recyclable targeted key-encapsulation schemes (Recyclable Targeted KEMs) [DG 17, BBS 03] Plan for the Rest of the talk Define Recyclable Targeted KEM CDH Recyclable Targeted KEM (Not discussed. See [DG 17].) Recyclable Targeted KEM TDF 13 / 18
39 Key-Encapsulation Mechanism pk pk e e 1 k G m E c c D m sk e is always a single bit. r sk 14 / 18
40 Recyclable Targetted KEM 15 / 18
41 Recyclable Targetted KEM Targeting Property [DG 17] E(pk, (i, b); r) = (ct, e) D(sk, ct) = e if (pk, sk) K(1 λ ) and sk i = b. 15 / 18
42 Recyclable Targetted KEM Targeting Property [DG 17] E(pk, (i, b); r) = (ct, e) D(sk, ct) = e if (pk, sk) K(1 λ ) and sk i = b. Security: (pk, sk, ct, e) c (pk, sk, ct, e ), where (ct, e) $ E(pk, (i, 1 sk i ); r) and e $ {0, 1}. 15 / 18
43 Recyclable Targetted KEM Targeting Property [DG 17] E(pk, (i, b); r) = (ct, e) D(sk, ct) = e if (pk, sk) K(1 λ ) and sk i = b. Security: (pk, sk, ct, e) c (pk, sk, ct, e ), where (ct, e) $ E(pk, (i, 1 sk i ); r) and e $ {0, 1}. Recyclability ct does not depend on pk. So E(pk, (i, b); r) = (E 1 ((i, b); r), E 2 (pk, (i, b); r)) = (ct, e) 15 / 18
44 (i [n], b {0, 1}) sk D r E 1 ct pk E 2 r e ct e if pk = G(sk) and sk i = b 16 / 18
45 (i [n], b {0, 1}) sk D r E 1 ct pk E 2 r e ct e if pk = G(sk) and sk i = b Simple construction ( for recovering the first bit of the input. r1 ) ( ) ( ) ct1 E1 ((i=1,b=0);r tk = r 1 and ik = = 1 ) E 1 ((i=1,b=1);r 1 ) ct 1 16 / 18
46 (i [n], b {0, 1}) sk D r E 1 ct pk E 2 r e ct e if pk = G(sk) and sk i = b Simple construction ( for recovering the first bit of the input. r1 ) ( ) ( ) ct1 E1 ((i=1,b=0);r tk = r 1 and ik = ct = 1 ) 1 E 1 ((i=1,b=1);r 1 ) F(ik, sk): 16 / 18
47 (i [n], b {0, 1}) sk D r E 1 ct pk E 2 r e ct e if pk = G(sk) and sk i = b Simple construction ( for recovering the first bit of the input. r1 ) ( ) ( ) ct1 E1 ((i=1,b=0);r tk = r 1 and ik = ct = 1 ) 1 E 1 ((i=1,b=1);r 1 ) F(ik, sk): let pk = G(sk). 16 / 18
48 (i [n], b {0, 1}) sk D r E 1 ct pk E 2 r e ct e if pk = G(sk) and sk i = b Simple construction ( for recovering the first bit of the input. r1 ) ( ) ( ) ct1 E1 ((i=1,b=0);r tk = r 1 and ik = ct = 1 ) 1 E 1 ((i=1,b=1);r 1 ) F(ik, sk): let pk = G(sk). if sk1 = 0, then return (pk, D(sk, ct 1 )) 16 / 18
49 (i [n], b {0, 1}) sk D r E 1 ct pk E 2 r e ct e if pk = G(sk) and sk i = b Simple construction ( for recovering the first bit of the input. r1 ) ( ) ( ) ct1 E1 ((i=1,b=0);r tk = r 1 and ik = ct = 1 ) 1 E 1 ((i=1,b=1);r 1 ) F(ik, sk): let pk = G(sk). if sk1 = 0, then return (pk, D(sk, ct 1 )) = (pk, E 2 (pk; r 1 )). if sk1 = 1, then return (pk, D(sk, ct 1 )) = (pk, E 2(pk; r 1 )). 16 / 18
50 (i [n], b {0, 1}) sk D r E 1 ct pk E 2 r e ct e if pk = G(sk) and sk i = b Simple construction ( for recovering the first bit of the input. r1 ) ( ) ( ) ct1 E1 ((i=1,b=0);r tk = r 1 and ik = ct = 1 ) 1 E 1 ((i=1,b=1);r 1 ) F(ik, sk): let pk = G(sk). if sk1 = 0, then return (pk, D(sk, ct 1 )) = (pk, E 2 (pk; r 1 )). if sk1 = 1, then return (pk, D(sk, ct 1 )) = (pk, E 2(pk; r 1 )). F 1 : Check for a match: (E2 ) (pk; r 1 ) E 2 (pk; r 1 ) 16 / 18
51 (i [n], b {0, 1}) sk D r E 1 ct pk E 2 r e ct e if pk = G(sk) and sk i = b Simple construction ( for recovering the first bit of the input. r1 ) ( ) ( ) ct1 E1 ((i=1,b=0);r tk = r 1 and ik = ct = 1 ) 1 E 1 ((i=1,b=1);r 1 ) F(ik, sk): let pk = G(sk). if sk1 = 0, then return (pk, D(sk, ct 1 )) = (pk, E 2 (pk; r 1 )). if sk1 = 1, then return (pk, D(sk, ct 1 )) = (pk, E 2(pk; r 1 )). F 1 : Check for a match: (E2 ) (pk; r 1 ) E 2 (pk; r 1 ) Can recover sk 1 with probability 1/2. This can be boosted via repetition. 16 / 18
52 (i [n], b {0, 1}) sk D r E 1 ct pk E 2 r e ct e if pk = G(sk) and sk i = b Simple construction ( for recovering the first bit of the input. r1 ) ( ) ( ) ct1 E1 ((i=1,b=0);r tk = r 1 and ik = ct = 1 ) 1 E 1 ((i=1,b=1);r 1 ) F(ik, sk): let pk = G(sk). if sk1 = 0, then return (pk, D(sk, ct 1 )) = (pk, E 2 (pk; r 1 )). if sk1 = 1, then return (pk, D(sk, ct 1 )) = (pk, E 2(pk; r 1 )). F 1 : Check for a match: (E2 ) (pk; r 1 ) E 2 (pk; r 1 ) Can recover sk 1 with probability 1/2. This can be boosted via repetition. Not clear how to prove security! 16 / 18
53 (i [n], b {0, 1}) sk D r E 1 ct pk E 2 r e ct e if pk = G(sk) and sk i = b Simple construction ( for recovering the first bit of the input. r1 ) ( ) ( ) ct1 E1 ((i=1,b=0);r tk = r 1 and ik = ct = 1 ) 1 E 1 ((i=1,b=1);r 1 ) F(ik, sk): let pk = G(sk). if sk1 = 0, then return (pk, D(sk, ct 1 )) = (pk, E 2 (pk; r 1 )). if sk1 = 1, then return (pk, D(sk, ct 1 )) = (pk, E 2(pk; r 1 )). F 1 : Check for a match: (E2 ) (pk; r 1 ) E 2 (pk; r 1 ) Can recover sk 1 with probability 1/2. This can be boosted via repetition. Not clear how to prove security! Fix: Put a random bit in the place you cannot apply D. 16 / 18
54 Recovering the First Bit Gen(1 λ ): tk = ( r1 r 1 ) and ik = ( ct1 ct 1 ) = F(ik, sk b 1 ): let pk = G(sk). Then: ( ) D(sk, ct1 ) if sk1 = 0 then M 1 := b ( 1 ) b if sk1 = 1 then M 1 := 1 D(sk, ct 1 ) Return Y = (pk, M 1 ). F 1 (tk, Y): M 1 = ( ) E1 ((i=1,b=0);r 1 ) E 1 ((i=1,b=1);r 1 ) ( ) E2 (pk, (1, 0); r 1 ) E 2 (pk, (1, 1); r 1 ) 17 / 18
55 Summary and Future Work Summary A Construction of TDFs from CDH. Future Work Extended forms of TDFs from CDH (e.g., lossy trapdoor functions) Trapdoor Permutations from CDH/DDH? 18 / 18
Lossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationTrapdoor Functions from the Computational Diffie-Hellman Assumption
Trapdoor Functions from the Computational Diffie-Hellman Assumption Sanjam Garg Mohammad Hajiabadi June 29, 2018 Abstract Trapdoor functions TDFs are a fundamental primitive in cryptography. Yet, the current
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More information14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University
14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption Victor Shoup New York University A Historical Perspective The wild years (mid 70 s-mid 80 s): Diffie-Hellman, RSA, ElGamal The
More information5.4 ElGamal - definition
5.4 ElGamal - definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is
More informationNotes for Lecture Decision Diffie Hellman and Quadratic Residues
U.C. Berkeley CS276: Cryptography Handout N19 Luca Trevisan March 31, 2009 Notes for Lecture 19 Scribed by Cynthia Sturton, posted May 1, 2009 Summary Today we continue to discuss number-theoretic constructions
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More informationLecture Note 3 Date:
P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationPeculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology
1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 2 / 19 Talk Agenda Encryption schemes
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationNotes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.
COS 533: Advanced Cryptography Lecture 9 (October 11, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Udaya Ghai Notes for Lecture 9 1 Last Time Last time, we introduced zero knowledge proofs
More informationPublic-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP
Public-Key Cryptography Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP Diffie-Hellman Key-exchange Secure under DDH: (g x,g x,g xy ) (g x,g x,g r ) Random x {0,..,
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationLossy Trapdoor Functions and Their Applications
Lossy Trapdoor Functions and Their Applications Chris Peikert SRI International Brent Waters SRI International August 29, 2008 Abstract We propose a general cryptographic primitive called lossy trapdoor
More informationAll-But-Many Lossy Trapdoor Functions. Dennis Hofheinz (Karlsruhe Institute of Technology)
All-But-Many Lossy Trapdoor Functions Dennis Hofheinz (Karlsruhe Institute of Technology) Overview over this talk All-But-Many Lossy Trapdoor Functions (ABM-LTFs) A technical tool specifically designed
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationThe Cramer-Shoup Cryptosystem
The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationEfficient Chosen-Ciphertext Security via Extractable Hash Proofs
Efficient Chosen-Ciphertext Security via Extractable Hash Proofs Hoeteck Wee Queens College, CUNY hoeteck@cs.qc.cuny.edu Abstract. We introduce the notion of an extractable hash proof system. Essentially,
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationOn Notions of Security for Deterministic Encryption, and Efficient Constructions without Random Oracles
A preliminary version of this paper appears in Advances in Cryptology - CRYPTO 2008, 28th Annual International Cryptology Conference, D. Wagner ed., LNCS, Springer, 2008. This is the full version. On Notions
More informationBasics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018
Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval
More informationAdvanced Cryptography 03/06/2007. Lecture 8
Advanced Cryptography 03/06/007 Lecture 8 Lecturer: Victor Shoup Scribe: Prashant Puniya Overview In this lecture, we will introduce the notion of Public-Key Encryption. We will define the basic notion
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationLossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems
Lossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems Brett Hemenway UCLA bretth@mathuclaedu Rafail Ostrovsky UCLA rafail@csuclaedu January 9, 2010 Abstract In STOC 08, Peikert and Waters
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationCOS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7
COS 597C: Recent Developments in Program Obfuscation Lecture 7 10/06/16 Lecturer: Mark Zhandry Princeton University Scribe: Jordan Tran Notes for Lecture 7 1 Introduction In this lecture, we show how to
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationParallel Decryption Queries in Bounded Chosen Ciphertext Attacks
Parallel Decryption Queries in Bounded Chosen Ciphertext Attacks Takahiro Matsuda and Kanta Matsuura The University of Tokyo, Japan {tmatsuda,kanta}@iis.u-tokyo.ac.jp Abstract. Whether it is possible to
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 60 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationA Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM
A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM Paulo S. L. M. Barreto Bernardo David Rafael Dowsley Kirill Morozov Anderson C. A. Nascimento Abstract Oblivious Transfer
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationEfficient Chosen-Ciphertext Security via Extractable Hash Proofs
Efficient Chosen-Ciphertext Security via Extractable Hash Proofs Hoeteck Wee Queens College, CUNY hoeteck@cs.qc.cuny.edu Abstract. We introduce the notion of an extractable hash proof system. Essentially,
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationBuilding Lossy Trapdoor Functions from Lossy Encryption
Building Lossy Trapdoor Functions from Lossy Encryption Brett Hemenway Rafail Ostrovsky February 24, 2015 Abstract Injective one-way trapdoor functions are one of the most fundamental cryptographic primitives.
More informationLecture 16: Public Key Encryption:II
Lecture 16: Public Key Encryption:II Instructor: Omkant Pandey Spring 2017 (CSE 594) Instructor: Omkant Pandey Lecture 16: Public Key Encryption:II Spring 2017 (CSE 594) 1 / 17 Last time PKE from ANY trapdoor
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationLimits on the Power of Garbling Techniques for Public-Key Encryption
Limits on the Power of Garbling Techniques for Public-Key Encryption Sanjam Garg Mohammad Hajiabadi Mohammad Mahmoody Ameer Mohammed Abstract Understanding whether public-key encryption can be based on
More informationIntroduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016
Introduction to Modern Cryptography Recitation 3 Orit Moskovich Tel Aviv University November 16, 2016 The group: Z N Let N 2 be an integer The set Z N = a 1,, N 1 gcd a, N = 1 with respect to multiplication
More informationOn the CCA1-Security of Elgamal and Damgård s Elgamal
On the CCA1-Security of Elgamal and Damgård s Elgamal Cybernetica AS, Estonia Tallinn University, Estonia October 21, 2010 Outline I Motivation 1 Motivation 2 3 Motivation Three well-known security requirements
More informationThe Kernel Matrix Diffie-Hellman Assumption
The Kernel Matrix Diffie-Hellman Assumption Carla Ràfols 1, Paz Morillo 2 and Jorge L. Villar 2 1 Universitat Pompeu Fabra (UPF) Spain 2 Universitat Politècnica de Catalunya (UPC) Spain Matemática Aplicada
More informationIdentity Based Encryption
Bilinear Pairings in Cryptography: Identity Based Encryption Dan Boneh Stanford University Recall: Pub-Key Encryption (PKE) PKE Three algorithms : (G, E, D) G(λ) (pk,sk) outputs pub-key and secret-key
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationBuilding Injective Trapdoor Functions From Oblivious Transfer
Electronic Colloquium on Computational Complexity, Report No. 127 (2010) Building Injective Trapdoor Functions From Oblivious Transfer Brett Hemenway and Rafail Ostrovsky August 9, 2010 Abstract Injective
More information14 Diffie-Hellman Key Agreement
14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n
More informationPublic-Key Cryptosystems from the Worst-Case Shortest Vector Problem. Chris Peikert Georgia Tech
1 / 14 Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert Georgia Tech Computer Security & Cryptography Workshop 12 April 2010 2 / 14 Talk Outline 1 State of Lattice-Based
More informationEx1 Ex2 Ex3 Ex4 Ex5 Ex6
Technische Universität München (I7) Winter 2012/13 Dr. M. Luttenberger / M. Schlund Cryptography Endterm Last name: First name: Student ID no.: Signature: If you feel ill, let us know immediately. Please,
More informationKey Encapsulation Mechanisms from Extractable Hash Proof Systems, Revisited
Key Encapsulation Mechanisms from Extractable Hash Proof Systems, Revisited Takahiro Matsuda and Goichiro Hanaoka Research Institute for Secure Systems, National Institute of Advanced Industrial Science
More informationTighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationLecture 30: Hybrid Encryption and Prime Number Generation. Hybrid Encryption & Primes
Lecture 30: Hybrid Encryption and Prime Number Generation Recall: ElGamal Encryption I We begin by recalling the ElGamal Public-key Encryption Recall that to describe a private-key encryption scheme we
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationEl Gamal A DDH based encryption scheme. Table of contents
El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues The El Gamal encryption
More informationChosen Ciphertext Security via Point Obfuscation
Chosen Ciphertext Security via Point Obfuscation Takahiro Matsuda and Goichiro Hanaoka Research Institute for Secure Systems (RISEC), National Institute of Advanced Industrial Science and Technology (AIST),
More informationBounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts
Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts Stefano Tessaro (UC Santa Barbara) David A. Wilson (MIT) Bounded-Collusion IBE from Semantically-Secure
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationPseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions
Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions Crypto 2011 Daniele Micciancio Petros Mol August 17, 2011 1 Learning With Errors (LWE) secret public: integers n,
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More information1 Basic Number Theory
ECS 228 (Franklin), Winter 2013, Crypto Review 1 Basic Number Theory This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationKDM-CCA Security from RKA Secure Authenticated Encryption
KDM-CCA Security from RKA Secure Authenticated Encryption Xianhui Lu 1,2, Bao Li 1,2, Dingding Jia 1,2 1. Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing,
More informationOn Homomorphic Encryption and Chosen-Ciphertext Security
On Homomorphic Encryption and Chosen-Ciphertext Security Brett Hemenway 1 and Rafail Ostrovsky 2 1 University of Michigan 2 UCLA Abstract. Chosen-Ciphertext (IND-CCA) security is generally considered the
More informationOn the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups
On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups Goichiro Hanaoka, Takahiro Matsuda, Jacob C.N. Schuldt Research Institute for Secure Systems (RISEC)
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationCS 395T. Probabilistic Polynomial-Time Calculus
CS 395T Probabilistic Polynomial-Time Calculus Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationLeakage Resilient ElGamal Encryption
Asiacrypt 2010, December 9th, Singapore Outline 1 Hybrid Encryption, the KEM/DEM framework 2 ElGamal KEM 3 Leakage Resilient Crypto Why? How? Other models? 4 Leakage Resilient ElGamal CCA1 secure KEM (Key
More informationOn The Security of The ElGamal Encryption Scheme and Damgård s Variant
On The Security of The ElGamal Encryption Scheme and Damgård s Variant J. Wu and D.R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada {j32wu,dstinson}@uwaterloo.ca
More informationLecture 14: Hardness Assumptions
CSE 594 : Modern Cryptography 03/23/2017 Lecture 14: Hardness Assumptions Instructor: Omkant Pandey Scribe: Hyungjoon Koo, Parkavi Sundaresan 1 Modular Arithmetic Let N and R be set of natural and real
More informationCDH/DDH-Based Encryption. K&L Sections , 11.4.
CDH/DDH-Based Encrytion K&L Sections 8.3.1-8.3.3, 11.4. 1 Cyclic grous A finite grou G of order q is cyclic if it has an element g of q. { 0 1 2 q 1} In this case, G = g = g, g, g,, g ; G is said to be
More informationOverview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017
CSC 580 Cryptography and Computer Security Math for Public Key Crypto, RSA, and Diffie-Hellman (Sections 2.4-2.6, 2.8, 9.2, 10.1-10.2) March 21, 2017 Overview Today: Math needed for basic public-key crypto
More informationPublicly Evaluable Pseudorandom Functions and Their Applications
Publicly Evaluable Pseudorandom Functions and Their Applications Yu Chen yuchen.prc@gmail.com Zongyang Zhang zongyang.zhang@gmail.com Abstract We put forth the notion of publicly evaluable pseudorandom
More informationFast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems
Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton University, Georgia Tech, SRI international,
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationIntroduction to Cryptography. Susan Hohenberger
Introduction to Cryptography Susan Hohenberger 1 Cryptography -- from art to science -- more than just encryption -- essential today for non-military applications 2 Symmetric Crypto Shared secret K =>
More informationReport on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
More informationBuilding Lossy Trapdoor Functions from Lossy Encryption
Building Lossy Trapdoor Functions from Lossy Encryption Brett Hemenway 1 and Rafail Ostrovsky 2 1 University of Pennsylvania fbrett@cis.upenn.edu 2 UCLA rafail@cs.ucla.edu Abstract. Injective one-way trapdoor
More informationA New Variant of the Cramer-Shoup KEM Secure against Chosen Ciphertext Attack
A New Variant of the Cramer-Shoup KEM Secure against Chosen Ciphertext Attack Joonsang Baek 1 Willy Susilo 2 Joseph K. Liu 1 Jianying Zhou 1 1 Institute for Infocomm Research, Singapore 2 University of
More information1 Public-key encryption
CSCI 5440: Cryptography Lecture 4 The Chinese University of Hong Kong, Spring 2018 29 and 30 January 2018 1 Public-key encryption Public-key encryption is a type of protocol by which Alice can send Bob
More informationBootstrapping Obfuscators via Fast Pseudorandom Functions
Bootstrapping Obfuscators via Fast Pseudorandom Functions Benny Applebaum October 26, 2013 Abstract We show that it is possible to upgrade an obfuscator for a weak complexity class WEAK into an obfuscator
More informationAnalysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes
Analysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes Alexandra Boldyreva 1 and Marc Fischlin 2 1 College of Computing, Georgia Institute of Technology, 801 Atlantic Drive,
More information