Alain Passelègue Ecole Normale Supérieure Joint work with: Michel Abdalla (ENS), Fabrice Benhamouda (ENS), Kenneth G.
Slide 1: Alain Passelègue, École Normale Supérieure. Joint work with Michel Abdalla (ENS), Fabrice Benhamouda (ENS) and Kenneth G. Paterson (RHUL). 26 March 2014, Journées C2.
Slide 2: Single-Key Attack on a cryptosystem F. The adversary submits inputs x and receives F(k,x), always under the same key k.
Slide 3: Related-Key Attack (RKA) on a cryptosystem F. The adversary submits inputs x and receives F(k_1,x), ..., F(k_n,x), where the keys k_1, ..., k_n are derived from k in an adversary-specified way.
Slide 4: Practice. Fault injection attacks: an attacker A forces the cryptosystem to run on a different, related key k' instead of k, so that a query x is answered with F(k',x) rather than F(k,x).
Slide 5: Theory. [BK03] defines a class Φ of Related-Key Deriving (RKD) functions for F. The adversary submits pairs (φ_1,x_1), (φ_2,x_2), ..., (φ_n,x_n) and receives F(k_1,x_1), F(k_2,x_2), ..., F(k_n,x_n), where k_i = φ_i(k) and φ_i ∈ Φ.
Slides 6 and 7: Pseudorandom Functions (PRF). A family of functions F: K × D → R that is efficiently computable and hard to distinguish from a random function. PRF game: the oracle picks a key k and a bit b. On a query x ∈ D it answers F(k,x) if b = 1, and G(k,x) if b = 0, where G: K × D → R is a random function. The adversary A must guess b.
Slide 8: The Naor-Reingold PRF (NR). We use the Naor-Reingold PRF, denoted NR. Let G = ⟨g⟩ be a group of prime order p. $\mathrm{NR}\colon \mathbb{Z}_p^n \times (\{0,1\}^n \setminus \{0^n\}) \to G$, $\mathrm{NR}(k,x) = g^{\prod_{i=1}^{n} k[i]^{x[i]}}$.
Slide 9: Outline. Part 1: security model and state of the art [BK03, BC10]. Part 2: a first extension: affine PRF. Part 3: generalization: affine and polynomial PRFs.
Slide 10: Part 1: Security Model: Φ-RKA-PRF [BK03]. Let F: K × D → R be a PRF and Φ a class of RKD functions (a set of functions φ: K → K). Initialize: pick at random k ∈ K, b ∈ {0,1} and a random function G: K × D → R. Oracle: on a query (φ,x) ∈ Φ × D, answer F(φ(k),x) if b = 1 and G(φ(k),x) if b = 0, until the adversary A responds with a guess b'. F is a Φ-RKA-PRF if $2\Pr[b' = b] - 1$ is negligible for any adversary A.
Slide 11: Key-Malleability. M is Φ-Key-Malleable if there is a Key-Transformer that can compute M(φ(k),x) from values M(k,u), obtained by querying the PRF oracle on inputs u of its choice, for any φ ∈ Φ.
Slide 12: Bad Thing About Key-Malleability. M is Φ-Key-Malleable ⇒ M is not Φ-RKA-secure. The adversary A queries (id,u) to the RKA oracle and obtains M(k,u); with the key-transformer it computes M(φ(k),x) itself; then it queries (φ,x) to the oracle, receives M(φ(k),x), and checks whether the two values match.
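As an added illustration of slides 11 and 12 (example code written for this page, not the speakers' or the paper's code): a toy NR instance over a constructed, deliberately tiny group (Q = 2039 is a safe prime, so g = 4 has prime order P = 1019), the key-transformer for the multiplicative class φ_a(k) = (a_1 k_1, ..., a_n k_n), and the two-query adversary that checks the transformer's prediction against the RKA oracle. All function and parameter names are this example's own.

```python
# Added example (not code from the talk or paper): toy Naor-Reingold PRF,
# multiplicative key-transformer, and the "Bad Thing About Key-Malleability" adversary.
import secrets
from typing import Callable, Dict, List, Sequence, Tuple

# Constructed toy group: Q = 2039 is a safe prime, so g = 4 generates the
# subgroup of Z_Q^* of prime order P = 1019. Real instances use a ~256-bit p.
Q, P, G = 2039, 1019, 4
N = 4   # key length n (number of Z_P components); toy-sized

Vec = Sequence[int]

def nr(k: Vec, x: Vec) -> int:
    """Naor-Reingold PRF (slide 8): NR(k, x) = g^{prod_i k[i]^{x[i]}}, x != 0^n."""
    assert any(x), "x = 0^n is outside the NR domain"
    e = 1
    for ki, xi in zip(k, x):
        if xi:
            e = e * ki % P
    return pow(G, e, Q)

def key_transformer_mult(a: Vec, x: Vec, nr_k_x: int) -> int:
    """Key-transformer for the multiplicative class phi_a(k) = (a_1 k_1, ..., a_n k_n).
    Since NR(phi_a(k), x) = g^{prod_i (a_i k_i)^{x_i}} = NR(k, x)^{prod_i a_i^{x_i}},
    a single value M(k, u) with u = x suffices to compute M(phi_a(k), x) (slide 11)."""
    s = 1
    for ai, xi in zip(a, x):
        if xi:
            s = s * ai % P
    return pow(nr_k_x, s, Q)

def make_rka_oracle(b: int, k: List[int]) -> Callable[[Vec, Vec], int]:
    """RKA oracle of slide 10 restricted to the multiplicative class: a query (a, x)
    is answered with NR(a*k, x) when b = 1, and with G(a*k, x) for a lazily
    sampled random function G when b = 0."""
    table: Dict[Tuple[Tuple[int, ...], Tuple[int, ...]], int] = {}
    def oracle(a: Vec, x: Vec) -> int:
        derived = tuple(ai * ki % P for ai, ki in zip(a, k))   # phi_a(k)
        if b == 1:
            return nr(derived, x)
        cell = (derived, tuple(x))
        if cell not in table:
            table[cell] = pow(G, secrets.randbelow(P), Q)      # random element of <g>
        return table[cell]
    return oracle

def rka_adversary(oracle: Callable[[Vec, Vec], int]) -> int:
    """The adversary of slide 12: query (id, u), predict M(phi(k), u) with the
    key-transformer, query (phi, u), compare. Returns the guess b'
    (1 = "real NR", 0 = "random function"). It reuses the input u for both
    queries, which is exactly what a unique-input adversary may not do."""
    a = [secrets.randbelow(P - 1) + 1 for _ in range(N)]   # phi_a with all a_i != 0
    u = [1] * N
    identity = [1] * N
    z = oracle(identity, u)                     # M(k, u)
    predicted = key_transformer_mult(a, u, z)   # M(phi_a(k), u), computed locally
    actual = oracle(a, u)                       # RKA query (phi_a, u)
    return 1 if predicted == actual else 0

def estimate_advantage(k: List[int], trials: int = 200) -> float:
    """Pr[b' = 1 | b = 1] - Pr[b' = 1 | b = 0], estimated over fresh oracles."""
    real = sum(rka_adversary(make_rka_oracle(1, k)) for _ in range(trials))
    rand = sum(rka_adversary(make_rka_oracle(0, k)) for _ in range(trials))
    return (real - rand) / trials

if __name__ == "__main__":
    key = [secrets.randbelow(P - 1) + 1 for _ in range(N)]
    print("advantage of the key-malleability adversary:", estimate_advantage(key))
```

Against the real oracle the prediction always matches, against a random function it matches only with probability about 1/P, so the advantage is close to 1: key-malleability plus the freedom to repeat an input is all the attack needs.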
Slide 13: BUT: M is Φ-RKA-secure for a unique-input adversary (which cannot query twice the same x). How to force the adversary to be unique-input? F(k,x) = M(k,g(k,x)), with g an injective function. Idea: g(k,x) = H(k,x) with H a collision-resistant hash function. Not clear how to prove it.
Slide 14: BUT: M is Φ-RKA-secure for a unique-input adversary (which cannot query twice the same x). How to force the adversary to be unique-input? F(k,x) = M(k,g(k,x)), with g an injective function. Idea: g(k,x) = H(M(k,w),x) such that M(k,w) = M(k',w) iff k = k' (w is a Key-Fingerprint). Example: $\mathrm{NR}(k,x) = g^{\prod_{i=1}^{n} k[i]^{x[i]}}$, $w = (10\ldots0,\ 010\ldots0,\ \ldots,\ 0\ldots01)$, $\mathrm{NR}(k,w) = (g^{k[1]}, g^{k[2]}, \ldots, g^{k[n]})$.
Slide 15: Good Thing About Key-Malleability. For a claw-free class Φ (i.e. for all k and all φ ≠ φ', φ(k) ≠ φ'(k)): M(φ(k),w) = M(φ'(k),w) iff φ = φ'. H collision-resistant + distinct (φ,x) ⇒ distinct values H(M(φ(k),w),x) ⇒ unique-input. Hence F(k,x) = M(k,H(M(k,w),x)) is RKA-secure.
Slides 16 and 17: The Bellare-Cash Framework [BC10]. For a claw-free class Φ and a PRF M that is Φ-Key-Malleable, has a Key Fingerprint w and has a compatible hash function H, the framework F(k,x) = M(k,H(x,M(k,w))) gives a Φ-RKA-secure PRF F. Applied to NR: multiplicative RKA-secure PRF; additive RKA-secure PRF (with reduction time $O(2^n)$).
Slide 18: Why this reduction time? $\mathrm{NR}(k+1, 1\ldots1) = g^{(k_1+1)(k_2+1)\cdots(k_n+1)} = g^{k_1 k_2 \cdots k_n} \cdot g^{k_2 k_3 \cdots k_n} \cdot g^{k_1 k_3 \cdots k_n} \cdots g^{k_1} \cdot g$ ($2^n$ terms) $= \mathrm{NR}(k,1\ldots1) \cdot \mathrm{NR}(k,01\ldots1) \cdot \mathrm{NR}(k,101\ldots1) \cdots \mathrm{NR}(k,10\ldots0) \cdot g$. Running time: $O(2^n)$.
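The expansion on slide 18, written out as code (an added example for this page, not code from the talk or paper) and generalised from the shift by 1 to any shift d ∈ Z_p^n and any input x: the additive key-transformer for NR evaluates NR(k + d, x) from NR(k, ·) values alone, but needs one NR(k, x_S) query per non-empty subset S of the support of x, which is where the $2^n$ comes from. The toy group parameters and the function names are this example's own.

```python
# Added example (not code from the talk or paper): the additive key-transformer
# for NR written out as the 2^n-term expansion of slide 18, for any shift d.
from typing import Sequence, Tuple

# Constructed toy group: Q = 2039 is a safe prime, g = 4 has prime order P = 1019.
Q, P, G = 2039, 1019, 4

def nr(k: Sequence[int], x: Sequence[int]) -> int:
    """NR(k, x) = g^{prod_i k[i]^{x[i]}} over the toy group."""
    e = 1
    for ki, xi in zip(k, x):
        if xi:
            e = e * ki % P
    return pow(G, e, Q)

def nr_shifted_via_transformer(k: Sequence[int], d: Sequence[int],
                               x: Sequence[int]) -> Tuple[int, int]:
    """Compute NR(k + d, x) from NR(k, .) values only (the additive key-transformer).
    Expanding prod_{i in supp(x)} (k_i + d_i) as the sum over subsets S of supp(x) of
    prod_{i in S} k_i * prod_{i in supp(x) \\ S} d_i gives
        NR(k + d, x) = prod_S NR(k, x_S)^{prod_{i notin S} d_i},
    where x_S is the indicator vector of S and the S = {} term is g^{prod_i d_i}.
    With d = 1^n and x = 1^n this is exactly the slide's product
    NR(k,1..1) * NR(k,01..1) * ... * NR(k,10..0) * g.
    Returns (value, number of NR(k, .) queries made); the count is 2^|supp(x)| - 1."""
    supp = [i for i, xi in enumerate(x) if xi]
    n = len(k)
    result, queries = 1, 0
    for mask in range(1 << len(supp)):
        in_s = {supp[j] for j in range(len(supp)) if (mask >> j) & 1}
        coeff = 1                                  # prod of d_i over i in supp(x) \ S
        for i in supp:
            if i not in in_s:
                coeff = coeff * d[i] % P
        if in_s:
            x_s = [1 if i in in_s else 0 for i in range(n)]
            base = nr(k, x_s)                      # one query to NR(k, .)
            queries += 1
        else:
            base = G                               # empty subset: plain g
        result = result * pow(base, coeff, Q) % Q
    return result, queries

def nr_shifted_direct(k: Sequence[int], d: Sequence[int], x: Sequence[int]) -> int:
    """Reference value NR(k + d, x), computed with the shifted key itself."""
    return nr([(ki + di) % P for ki, di in zip(k, d)], x)

if __name__ == "__main__":
    key, shift = [2, 3, 5, 7], [1, 1, 1, 1]
    value, count = nr_shifted_via_transformer(key, shift, [1, 1, 1, 1])
    print(value == nr_shifted_direct(key, shift, [1, 1, 1, 1]), "queries:", count)
```

For n = 4 the transformer already needs 15 NR queries for a single related-key evaluation of 1111; for a realistic n the reduction that relies on it is exponential, which is the point the slide makes.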
Slides 19 and 20: Summary. Bellare-Cash: for a claw-free class Φ and a Φ-Key-Malleable PRF M (Φ = {id} being the plain PRF case), one obtains a multiplicative-RKA-PRF and an additive-RKA-PRF (the latter with an $O(2^n)$ reduction). What about other classes Φ for which M is Φ-Key-Malleable?
Slide 21: Part 2: The Non-Claw-Freeness Problem. If there exist φ ≠ φ' such that φ(k) = φ'(k): the adversary A queries (φ,x) ∈ Φ × {0,1}^n and gets y ∈ G, computed by the oracle as h = H(x,M(φ(k),w)), y = M(φ(k),h); it then queries (φ',x) and gets y', computed as h' = H(x,M(φ'(k),w)), y' = M(φ'(k),h'). Then y = y' ⟺ (φ − φ')(k) = 0, so a claw gives A a way to tell the real oracle from a random function.
Slide 22: How to Handle Claws? New problem: Φ-Key-Collision (Φ-KC). Initialize: $k \leftarrow_{\$} K$. The adversary sends queries (φ,x) to the challenger and receives M(φ(k),x); at the end it outputs (φ,φ'). Finalize(φ,φ'): the adversary wins if φ ≠ φ' and φ(k) = φ'(k).
Slides 23 to 25: A First Result. For any class Φ (no longer required to be claw-free) and a PRF M that is Φ-Key-Malleable, has a Key Fingerprint w and has a compatible H, together with the hardness of Φ-KC, the framework F(k,x) = M(k,H(x,M(k,w))) gives a Φ-RKA-secure PRF F. Applied to NR: affine RKA-secure PRF (with reduction time $O(2^n)$).
Slides 26 to 28: Summary. Bellare-Cash (Φ claw-free, M Φ-Key-Malleable, Φ = {id} being the plain PRF case): multiplicative-RKA-PRF, additive-RKA-PRF ($O(2^n)$). Extended-BC (any Φ, M Φ-Key-Malleable, Φ-KC hard): affine-RKA-PRF ($O(2^n)$). What about non-key-malleable classes?
Slide 29: Part 3: Extension to the polynomial case. Φ-Unique-Input-RKA-Security: Initialize: $k \leftarrow_{\$} K$, $b \leftarrow_{\$} \{0,1\}$. A unique-input adversary sends queries (φ,x) to the challenger, which answers y = M(φ(k),x) if b = 0 and a uniformly random y otherwise. Finalize(b'): the adversary wins if b' = b.
Slide 30: From Key-Malleability to UI-RKA-Security. M is a Φ-Key-Malleable PRF ⇒ M is Φ-UI-RKA-secure. The PRF attacker runs the unique-input adversary: on each query (φ,x) it uses the key-transformer, which asks the PRF oracle for z on inputs u (z = M(k,u) if b = 0, z = G(k,u) for a random function G otherwise), and returns y to the adversary (y = M(φ(k),x) if b = 0, random otherwise); finally it forwards the adversary's guess b' as its own.
Slides 31 to 33: Generalization. The Φ-Key-Malleable requirement on M is replaced by Φ-UI-RKA-security: for any class Φ and a PRF M that is Φ-UI-RKA-secure, has a Key Fingerprint w and has a compatible H, together with the hardness of Φ-KC, the framework F(k,x) = M(k,H(x,M(k,w))) gives a Φ-RKA-secure PRF F. Applied to NR: polynomial RKA-secure PRF (with a polynomial-time reduction!).
Slides 34 and 35: NR: Φ_aff-UI-RKA Security. Let A be a unique-input adversary making queries (φ,x) ∈ Φ_aff × {0,1}^n; if b = 0 it receives NR(φ(k),x), if b = 1 a uniformly random element of G. As on slide 18, computing the answers through the key-transformer is exponential: $\mathrm{NR}(k+1, 1\ldots1) = g^{(k_1+1)(k_2+1)\cdots(k_n+1)} = g^{k_1 k_2 \cdots k_n} \cdot g^{k_2 k_3 \cdots k_n} \cdot g^{k_1 k_3 \cdots k_n} \cdots g^{k_1} \cdot g = \mathrm{NR}(k,1\ldots1) \cdot \mathrm{NR}(k,01\ldots1) \cdot \mathrm{NR}(k,101\ldots1) \cdots \mathrm{NR}(k,10\ldots0) \cdot g$, a product of $2^n$ terms. Exponential running time.
Slides 36 to 40: The Polynomial-Time Reduction. Idea: no need to compute everything! 1st query: $\mathrm{NR}(k+1,11) = g^{(k_1+1)(k_2+1)}$; answer $y_1 \leftarrow_{\$} G$. 2nd query: $\mathrm{NR}(k,01) = g^{k_2}$. Exponents: $(k_1+1)(k_2+1)$ and $k_2$ are linearly independent ⇒ answer $y_2 \leftarrow_{\$} G$.
Slides 41 to 47: The adversary A has issued queries $(\varphi_1,x_1), \ldots, (\varphi_q,x_q)$ and received $y_1, \ldots, y_q$. Let $E_i$ be the exponent associated to query $(\varphi_i,x_i)$. Simulation of a new query (φ,x): 1. Compute $E = \mathrm{Exp}(\varphi,x)$. 2. Check if E is linearly independent from $E_1, \ldots, E_q$. 3. If linearly independent, $y \leftarrow_{\$} G$; else write $E = a_1 E_1 + \cdots + a_q E_q$ and set $y \leftarrow y_1^{a_1} \cdots y_q^{a_q}$. Return y to A.
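The simulator of slides 36 to 47 for NR under the affine class, as an added example (written for this page, not code from the talk or paper). Exponents are polynomials in k; the "statistical linearity test" is realised here by comparing the polynomials through their values at random points (Schwartz-Zippel), which is this example's choice since the slides only name the test. Independent queries are answered by a pluggable `sample` function: in the proof that is a fresh random group element, and plugging in the real NR oracle instead lets the derivation of dependent answers be checked against NR itself. Group parameters, class and function names are this example's own, and the group is toy-sized, so the error bound of the test is far weaker than with a real p.

```python
# Added example (not code from the talk or paper): the simulator of slides 41-47
# for NR under the affine class, with the linear-independence check done by
# evaluating exponent polynomials at random points (this example's choice).
import secrets
from typing import Callable, List, Optional, Sequence, Tuple

# Constructed toy group: Q = 2039 is a safe prime, g = 4 has prime order P = 1019.
Q, P, G = 2039, 1019, 4
Vec = Sequence[int]

def nr(k: Vec, x: Vec) -> int:
    """NR(k, x) = g^{prod_i k[i]^{x[i]}} over the toy group."""
    e = 1
    for ki, xi in zip(k, x):
        if xi:
            e = e * ki % P
    return pow(G, e, Q)

def exponent_at(a: Vec, b: Vec, x: Vec, r: Vec) -> int:
    """E_{phi,x}(r) for the affine phi(k) = (a_1 k_1 + b_1, ..., a_n k_n + b_n):
    the polynomial prod_{i: x_i = 1} (a_i k_i + b_i) evaluated at k = r, mod P."""
    v = 1
    for ai, bi, xi, ri in zip(a, b, x, r):
        if xi:
            v = v * (ai * ri + bi) % P
    return v

def solve_mod_p(columns: List[List[int]], target: List[int]) -> Optional[List[int]]:
    """Find c with sum_j c_j * columns[j] = target over Z_P (Gauss-Jordan),
    or return None when target is not in the span of the columns."""
    m, q = len(target), len(columns)
    aug = [[columns[j][i] % P for j in range(q)] + [target[i] % P] for i in range(m)]
    pivots: List[int] = []
    row = 0
    for col in range(q):
        piv = next((r for r in range(row, m) if aug[r][col]), None)
        if piv is None:
            continue
        aug[row], aug[piv] = aug[piv], aug[row]
        inv = pow(aug[row][col], P - 2, P)
        aug[row] = [v * inv % P for v in aug[row]]
        for r in range(m):
            if r != row and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(vr - f * vp) % P for vr, vp in zip(aug[r], aug[row])]
        pivots.append(col)
        row += 1
    if any(aug[r][q] for r in range(row, m)):
        return None                     # a "0 = nonzero" row: target not in the span
    c = [0] * q
    for r, col in enumerate(pivots):
        c[col] = aug[r][q]
    return c

class UIRKASimulator:
    """Answers affine RKA queries (a, b, x) without knowing k (slides 41-47).
    `sample(a, b, x)` is consulted only for queries whose exponent is linearly
    independent of the previous ones. Polynomials are compared through their values
    at max_queries + 1 random points; distinct polynomials of degree <= n then agree
    on all points only with small probability (small here only because P is tiny)."""
    def __init__(self, n: int, max_queries: int, sample: Callable[[Vec, Vec, Vec], int]):
        self.sample = sample
        self.points = [[secrets.randbelow(P) for _ in range(n)] for _ in range(max_queries + 1)]
        self.basis_vecs: List[List[int]] = []   # the E_i, as evaluation vectors
        self.basis_vals: List[int] = []         # the y_i = g^{E_i}
        self.independent_log: List[bool] = []

    def query(self, a: Vec, b: Vec, x: Vec) -> int:
        assert any(x), "x = 0^n is outside the NR domain"
        e = [exponent_at(a, b, x, r) for r in self.points]   # step 1: E = Exp(phi, x)
        coeffs = solve_mod_p(self.basis_vecs, e)             # step 2: E in span(E_1..E_q)?
        if coeffs is None:                                   # step 3, independent case
            y = self.sample(a, b, x)
            self.basis_vecs.append(e)
            self.basis_vals.append(y)
            self.independent_log.append(True)
            return y
        y = 1                                                # step 3, dependent case:
        for c, yj in zip(coeffs, self.basis_vals):           # E = sum a_j E_j, so
            y = y * pow(yj, c, Q) % Q                        # g^E = prod (g^{E_j})^{a_j}
        self.independent_log.append(False)
        return y

def run_slide_example(k: Vec) -> Tuple[List[bool], int, int]:
    """The n = 2 sequence of slides 36-40 extended by two queries, with the real NR
    oracle plugged in as `sample`: (k+1, 11), (k, 01), ((k_1+1, k_2), 11), and finally
    (k, 11), whose exponent k_1 k_2 = (k_1+1) k_2 - k_2 is derived rather than sampled.
    Returns (independence flags, simulated last answer, true NR(k, 11))."""
    def real(a: Vec, b: Vec, x: Vec) -> int:
        return nr([(ai * ki + bi) % P for ai, bi, ki in zip(a, b, k)], x)
    sim = UIRKASimulator(n=2, max_queries=8, sample=real)
    queries = [((1, 1), (1, 1), (1, 1)),
               ((1, 1), (0, 0), (0, 1)),
               ((1, 1), (1, 0), (1, 1)),
               ((1, 1), (0, 0), (1, 1))]
    answers = [sim.query(a, b, x) for a, b, x in queries]
    return sim.independent_log, answers[-1], nr(k, (1, 1))
```

Each query costs one Gauss-Jordan pass over a matrix whose size is bounded by the number of queries, not by $2^n$, which is the $O(q(q^3 + n))$ of slide 48; the reduction never materialises the exponent polynomials themselves.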
Slide 48: Reduction time: q × (time for the statistical linearity test) = $O(q(q^3 + n))$ ⇒ polynomial-time reduction.
Slides 49 to 51: Summary. Bellare-Cash (Φ claw-free, M Φ-Key-Malleable, Φ = {id} being the plain PRF case): multiplicative-RKA-PRF, additive-RKA-PRF ($O(2^n)$). Extended-BC (any Φ, M Φ-Key-Malleable): affine-RKA-PRF ($O(2^n)$). Generalization (M Φ-UI-RKA-secure, which is implied by Φ-Key-Malleability): polynomial-RKA-PRF (polynomial time).
Slide 52: Open problems. Larger classes? (e.g. φ(k) = M·k for an invertible matrix M). Other assumptions (DLIN-based for the LW-PRF, lattice-based, ...).
Slide 53: Thank you for your attention. Questions?
References in the slides:
[BK03] Mihir Bellare and Tadayoshi Kohno. A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications. In Eli Biham, editor, EUROCRYPT 2003, volume 2656 of LNCS, Warsaw, Poland, May 4–8, 2003. Springer, Berlin, Germany.
[BC10] Mihir Bellare and David Cash. Pseudorandom functions and permutations provably secure against related-key attacks. In Tal Rabin, editor, CRYPTO 2010, volume 6223 of LNCS, Santa Barbara, CA, USA, August 15–19, 2010. Springer, Berlin, Germany.
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationIsogenies in a quantum world
Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of main results A. Childs, D. Jao, and V. Soukharev, arxiv:1012.4019 For ordinary isogenous elliptic curves of equal
More informationEfficient Identity-based Encryption Without Random Oracles
Efficient Identity-based Encryption Without Random Oracles Brent Waters Weiwei Liu School of Computer Science and Software Engineering 1/32 Weiwei Liu Efficient Identity-based Encryption Without Random
More information2 Preliminaries 2.1 Notations Z q denotes the set of all congruence classes modulo q S denotes the cardinality of S if S is a set. If S is a set, x R
A Public Key Encryption In Standard Model Using Cramer-Shoup Paradigm Mahabir Prasad Jhanwar and Rana Barua mahabir r, rana@isical.ac.in Stat-Math Unit Indian Statistical Institute Kolkata, India Abstract.
More informationDesign Validations for Discrete Logarithm Based Signature Schemes
Proceedings of the 2000 International Workshop on Practice and Theory in Public Key Cryptography (PKC 2000) (18 20 january 2000, Melbourne, Australia) H. Imai and Y. Zheng Eds. Springer-Verlag, LNCS 1751,
More informationHomework 7 Solutions
Homework 7 Solutions Due: March 22, 2018 CS 151: Intro. to Cryptography and Computer Security 1 Fun with PRFs a. F a s = F 0 k(x) F s (x) is not a PRF, for any choice of F. Consider a distinguisher D a
More informationSecurity Under Key-Dependent Inputs
Security Under Key-Dependent Inputs Shai Halevi Hugo Krawczyk IBM T.J. Watson Research Center shaih@alum.mit.edu, hugo@ee.technion.ac.il August 13, 2007 Abstract In this work we re-visit the question of
More informationThe Gap-Problems: a New Class of Problems for the Security of Cryptographic Schemes
Proceedings of the 2001 International Workshop on Practice and Theory in Public Key Cryptography (PKC 2001) (13 15 february 2001, Cheju Islands, South Korea) K. Kim Ed. Springer-Verlag, LNCS 1992, pages
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationIndifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding
Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),
More informationCOMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.
COMS W4995 Introduction to Cryptography October 12, 2005 Lecture 12: RSA, and a summary of One Way Function Candidates. Lecturer: Tal Malkin Scribes: Justin Cranshaw and Mike Verbalis 1 Introduction In
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationOn the Round Security of Symmetric-Key Cryptographic Primitives
On the Round Security of Symmetric-Key Cryptographic Primitives Zulfikar Ramzan Leonid Reyzin. November 30, 000 Abstract We put forward a new model for understanding the security of symmetric-key primitives,
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationProvable Security Support for the Skein Hash Family
Provable Security Support for the Skein Hash Family Version 1.0, April 29, 2009 Mihir Bellare University of California San Diego, mihir@cs.ucsd.edu Tadayoshi Kohno University of Washington, yoshi@cs.washington.edu
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationSecurity Proofs for Signature Schemes. Ecole Normale Superieure. 45, rue d'ulm Paris Cedex 05
Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern Jacques.Stern@ens.fr Ecole Normale Superieure Laboratoire d'informatique 45, rue d'ulm 75230 Paris Cedex 05
More information