All-But-Many Lossy Trapdoor Functions. Dennis Hofheinz (Karlsruhe Institute of Technology)
|
|
|
- Edgar Gordon
- 5 years ago
- Views:
Transcription
1 All-But-Many Lossy Trapdoor Functions Dennis Hofheinz (Karlsruhe Institute of Technology)
2
3
4
5 Overview over this talk All-But-Many Lossy Trapdoor Functions (ABM-LTFs) A technical tool specifically designed for the multi-user-multi-challenge case Construction of ABM-LTFs A new look on Waters signatures
6 Net stop All-But-Many Lossy Trapdoor Functions (ABM-LTFs) A technical tool specifically designed for the multi-user-multi-challenge case
7 Recap: Lossy Trapdoor Functions Fek (Keyed) function: X Key can be ek (invertible mode) or ek' (lossy mode) Properties: Fek(X) Invertibility: Fek invertible using suitable trapdoor ik sampled with ek Indistinguishability: Lossiness: ek ek' image set Fek'(X) much smaller than X Constructions from LWE, DDH, DCR (efficient!): ek = ( pk, C = Epk(b) ) (Invertible mode: b=1, lossy mode: b=0) Fek(X) = CX = Epk(bX)
8
9 All-But-N LTFs [HLOV11] Idea to cope with multi-challenge setting: many lossy tags! Construction based on Paillier/DJ encryption: Pick degree-n polynomial f(t) = fiti with zeros T1*,, TN* ek = ( pk, C0 = Epk(f0),, CN = Epk(fN) ) Fek,T(X) = ( CiTi )X = Epk( f(t) X ) Problem: space compleity linear in the number of challenges Actually, this is necessary to encode precisely N lossy tags Yields SO-CCA secure PKE that depends on number of challenges Idea: each lossy tag Ti* corresponds to a challenge ciphertet Our goal: LTFs with many lossy tags!
10 All-But-Many LTFs Intuition/sketch of definition: There are (superpoly) many lossy tags and (superpoly) many invertible tags Lossy and invertible tags computationally indistinguishable Tag sets ( marks lossy tags): All-But-One LTF: All-But-N LTF: All-But-Many LTF: Invertible tags easy to sample, but trapdoor required to sample lossy tags Syntactic similarity to blinded signatures (valid signature = lossy tag)
11 Net stop Construction of ABM-LTFs A new look on Waters signatures
12 First attempt Syntactic similarity to blinded signatures (valid sig = lossy tag) First attempt: so let's simply (Paillier/DJ-)encrypt signatures! T = E(Sign(H)) Something unique and public (e.g., chameleon hash) Evaluation magically verifies signature inside encryption...should end up with C = E(0) iff sig is valid, then sets Y:=CX C = E(0) Fek,T(X) = CX = E(0) lossy Sig valid Sig invalid C = E(d) for d 0 Fek,T(X) = CX = E(dX) invertible Problem: (Paillier/DJ-)encryption only additively homomorphic How to evaluate signature using only addition in ZN?
13 Working with encrypted matrices Idea 1: use matrices instead of single elements (inspired by [PW08]) T E(M) = ( E(M1,1) E(M1,2) E(M1,3) E(M2,1) E(M2,2) E(M2,3) E(M3,1) E(M3,2) E(M3,3) ) Use encrypted matri-vector multiplication: Fek,T(X) = E(M) ()( X1 X2 X3 = ) j E(M1,j)Xj j E(M2,j)Xj j E(M3,j)Xj = E(M X) Fek,T lossy M non-invertible det(m)=0 (or non-invertible) Payoff: det(m) can be cubic in encrypted values Use determinant to encode more comple computations
14 Translating Waters signatures Idea 2: emulate Waters signatures in ZN Use encryption instead of eponentiation (ga becomes E(a)) Pairing becomes Paillier/DJ multiplication (encode verification into det(m)!) CDH in G becomes Paillier-No-Mult : E(a), E(b) E(ab) hard All-But-Many LTF construction (slightly simplified): ek = ( A=E(a), B=E(b), Hi=E(hi) (i=0,...,n) ) (translated Waters public key) T = ( R=E(r), Z=E(z), CHF-rand ) (translated Waters signature) T E(M) = ( E(z) E(b) E(h) E(a) E(1) E(0) E(r) E(0) E(1) Fek,T(X) = E(M) X = E(M X) ) with E(h) = H(t) = h0+ tihi for t = CHF(R,Z;rnd) (implicit Waters verification) Note: det(m) = z (ab+rh), so: T lossy M singular z = ab + rh
15 Last slide: applications Efficient CCA-secure Selective Opening Security Many challenges, need to make eactly challenges lossy Paillier-based ABM-LTFs give first efficient SO-CCA scheme (Not very efficient) tight IND-CCA security for PKE Make all challenges lossy simultaneously (tightly secure ABM-LTF) Different ABM-LTF required (not very efficient, based on q-sddh) CCA-secure Key-Dependent Message security Similar concepts, but more structured ABM-LTFs required (upcoming) Leakage resilience?
All-But-Many Lossy Trapdoor Functions
All-But-Many Lossy Trapdoor Functions Dennis Hofheinz December 30, 2011 Abstract We put forward a generalization of lossy trapdoor functions (LTFs). Namely, all-but-many lossy trapdoor functions (ABM-LTFs)
Trapdoor functions from the Computational Diffie-Hellman Assumption
Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad Hajiabadi 1,2 1 University of California, Berkeley 2 University of Virginia August 22, 2018 1 / 18 Classical Public-Key
Adaptive partitioning. Dennis Hofheinz (KIT, Karlsruhe)
Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Public-Key Encryption Accepted security
Circular chosen-ciphertext security with compact ciphertexts
Circular chosen-ciphertext security with compact ciphertexts Dennis Hofheinz October 9, 2018 Abstract A key-dependent message (KDM) secure encryption scheme is secure even if an adversary obtains encryptions
Lossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
Smooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
PRACTICAL, ANONYMOUS, AND PUBLICLY LINKABLE UNIVERSALLY-COMPOSABLE REPUTATION SYSTEMS
SESSION ID: CRYP-F03 PRACTICAL, ANONYMOUS, AND PUBLICLY LINKABLE UNIVERSALLY-COMPOSABLE REPUTATION SYSTEMS Jakob Juhnke PhD Student/Research Assistant Paderborn University Paderborn, Germany Why do we
Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter
Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter Baodong Qin Shengli Liu October 9, 2013 Abstract We present a new generic construction
Structure Preserving CCA Secure Encryption
Structure Preserving CCA Secure Encryption presented by ZHANG Tao 1 / 9 Introduction Veriable Encryption enable validity check of the encryption (Camenisch et al. @ CRYPTO'03): veriable encryption of discrete
How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
Tightly CCA-Secure Encryption without Pairings. Romain Gay, ENS Dennis Hofheinz, KIT Eike Kiltz, RUB Hoeteck Wee, ENS
Tightly CCA-Secure Encryption without Pairings Romain Gay, ENS Dennis Hofheinz, KIT Eike Kiltz, RUB Hoeteck Wee, ENS Security of encryption pk Alice Enc(pk, m) Bob sk Security of encryption pk Alice Enc(pk,
Introduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
ASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
Public-Key Encryption with Simulation-Based Selective-Opening Security and Compact Ciphertexts
Public-Key Encryption with Simulation-Based Selective-Opening Security and Compact Ciphertexts Dennis Hofheinz 1, Tibor Jager 2, and Andy Rupp 1 1 Karlsruhe Institute of Technology, Germany {dennis.hofheinz,andy.rupp}@kit.edu
Introduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
Lecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
Chosen-Ciphertext Security from Subset Sum
Chosen-Ciphertext Security from Subset Sum Sebastian Faust 1, Daniel Masny 1, and Daniele Venturi 2 1 Horst-Görtz Institute for IT Security and Faculty of Mathematics, Ruhr-Universität Bochum, Bochum,
Essam Ghadafi CT-RSA 2016
SHORT STRUCTURE-PRESERVING SIGNATURES Essam Ghadafi e.ghadafi@ucl.ac.uk Department of Computer Science, University College London CT-RSA 2016 SHORT STRUCTURE-PRESERVING SIGNATURES OUTLINE 1 BACKGROUND
Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply
CIS 2018 Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply Claudio Orlandi, Aarhus University Circuit Evaluation 3) Multiplication? How to compute [z]=[xy]? Alice, Bob
Advanced Cryptography 03/06/2007. Lecture 8
Advanced Cryptography 03/06/007 Lecture 8 Lecturer: Victor Shoup Scribe: Prashant Puniya Overview In this lecture, we will introduce the notion of Public-Key Encryption. We will define the basic notion
14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University
14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption Victor Shoup New York University A Historical Perspective The wild years (mid 70 s-mid 80 s): Diffie-Hellman, RSA, ElGamal The
Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions
Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions Crypto 2011 Daniele Micciancio Petros Mol August 17, 2011 1 Learning With Errors (LWE) secret public: integers n,
Building Injective Trapdoor Functions From Oblivious Transfer
Electronic Colloquium on Computational Complexity, Report No. 127 (2010) Building Injective Trapdoor Functions From Oblivious Transfer Brett Hemenway and Rafail Ostrovsky August 9, 2010 Abstract Injective
COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7
COS 597C: Recent Developments in Program Obfuscation Lecture 7 10/06/16 Lecturer: Mark Zhandry Princeton University Scribe: Jordan Tran Notes for Lecture 7 1 Introduction In this lecture, we show how to
Graded Encoding Schemes from Obfuscation. Interactively Secure Groups from Obfuscation
Graded Encoding Schemes from Obfuscation Interactively Secure Groups from Obfuscation P. Farshim 1,2 J. Hesse 1 D. Hofheinz 3 E. Larraia 4 T. Agrikola 1 D. Hofheinz 1 1 École normale supérieure (ENS),
Semantic Security of RSA. Semantic Security
Semantic Security of RSA Murat Kantarcioglu Semantic Security As before our goal is to come up with a public key system that protects against more than total break We want our system to be secure against
Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts
Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts Stefano Tessaro (UC Santa Barbara) David A. Wilson (MIT) Bounded-Collusion IBE from Semantically-Secure
Post-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
Evaluating 2-DNF Formulas on Ciphertexts
Evaluating 2-DNF Formulas on Ciphertexts Dan Boneh, Eu-Jin Goh, and Kobbi Nissim Theory of Cryptography Conference 2005 Homomorphic Encryption Enc. scheme is homomorphic to function f if from E[A], E[B],
Public-Key Encryption
Public-Key Encryption 601.642/442: Modern Cryptography Fall 2017 601.642/442: Modern Cryptography Public-Key Encryption Fall 2017 1 / 14 The Setting Alice and Bob don t share any secret Alice wants to
Introduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
On the CCA1-Security of Elgamal and Damgård s Elgamal
On the CCA1-Security of Elgamal and Damgård s Elgamal Cybernetica AS, Estonia Tallinn University, Estonia October 21, 2010 Outline I Motivation 1 Motivation 2 3 Motivation Three well-known security requirements
Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP
Public-Key Cryptography Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP Diffie-Hellman Key-exchange Secure under DDH: (g x,g x,g xy ) (g x,g x,g r ) Random x {0,..,
On Notions of Security for Deterministic Encryption, and Efficient Constructions without Random Oracles
A preliminary version of this paper appears in Advances in Cryptology - CRYPTO 2008, 28th Annual International Cryptology Conference, D. Wagner ed., LNCS, Springer, 2008. This is the full version. On Notions
Discrete logarithm and related schemes
Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent
The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
Lossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems
Lossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems Brett Hemenway UCLA bretth@mathuclaedu Rafail Ostrovsky UCLA rafail@csuclaedu January 9, 2010 Abstract In STOC 08, Peikert and Waters
1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
All-But-Many Encryption
All-But-Many Encryption A New Framework for Fully-Equipped UC Commitments Eiichiro Fujisaki NTT Secure Platform Laboratories fujisaki.eiichiro@lab.ntt.co.jp Abstract. We present a general framework for
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
Improved Security for Linearly Homomorphic Signatures: A Generic Framework
Improved Security for Linearly Homomorphic Signatures: A Generic Framework Stanford University, USA PKC 2012 Darmstadt, Germany 23 May 2012 Problem: Computing on Authenticated Data Q: How do we delegate
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
Public-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
Dual Projective Hashing and its Applications Lossy Trapdoor Functions and More
Dual Projective Hashing and its Applications Lossy Trapdoor Functions and More Hoeteck Wee George Washington University hoeteck@gwu.edu Abstract. We introduce the notion of dual projective hashing. This
On Homomorphic Encryption and Chosen-Ciphertext Security
On Homomorphic Encryption and Chosen-Ciphertext Security Brett Hemenway 1 and Rafail Ostrovsky 2 1 University of Michigan 2 UCLA Abstract. Chosen-Ciphertext (IND-CCA) security is generally considered the
Attribute-based Encryption & Delegation of Computation
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin Attribute-based Encryption & Delegation of Computation April 9, 2013 Scribe: Steven Goldfeder We will cover the ABE
Lecture 16: Public Key Encryption:II
Lecture 16: Public Key Encryption:II Instructor: Omkant Pandey Spring 2017 (CSE 594) Instructor: Omkant Pandey Lecture 16: Public Key Encryption:II Spring 2017 (CSE 594) 1 / 17 Last time PKE from ANY trapdoor
Lossy Trapdoor Functions and Their Applications
Lossy Trapdoor Functions and Their Applications Chris Peikert SRI International Brent Waters SRI International August 29, 2008 Abstract We propose a general cryptographic primitive called lossy trapdoor
KDM-CCA Security from RKA Secure Authenticated Encryption
KDM-CCA Security from RKA Secure Authenticated Encryption Xianhui Lu 1,2, Bao Li 1,2, Dingding Jia 1,2 1. Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing,
On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups
On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups Goichiro Hanaoka, Takahiro Matsuda, Jacob C.N. Schuldt Research Institute for Secure Systems (RISEC)
High-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers
Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
https://www.microsoft.com/en-us/research/people/plonga/ Outline Motivation recap Isogeny-based cryptography The SIDH key exchange protocol The SIKE protocol Authenticated key exchange from supersingular
Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller
Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech April 2012 1 / 16 Lattice-Based Cryptography y = g x mod p m e mod N e(g a,
Cryptographic Multilinear Maps. Craig Gentry and Shai Halevi
Cryptographic Multilinear Maps Craig Gentry and Shai Halevi China Summer School on Lattices and Cryptography, June 2014 Multilinear Maps (MMAPs) A Technical Tool A primitive for building applications,
Provable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
Practical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
Leakage Resilient ElGamal Encryption
Asiacrypt 2010, December 9th, Singapore Outline 1 Hybrid Encryption, the KEM/DEM framework 2 ElGamal KEM 3 Leakage Resilient Crypto Why? How? Other models? 4 Leakage Resilient ElGamal CCA1 secure KEM (Key
Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample
Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample Fuchun Guo 1, Rongmao Chen 2, Willy Susilo 1, Jianchang Lai 1, Guomin Yang 1, and Yi Mu 1 1 Institute
Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
Fully anonymous attribute tokens from lattices
Fully anonymous attribute tokens from lattices Jan Camenisch (IBM Research Zurich) Gregory Neven (IBM Research Zurich) Markus Rückert Elevator pitch Goal: Anonymous credentials from lattices Starting point:
ECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
DATA PRIVACY AND SECURITY
DATA PRIVACY AND SECURITY Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2018-2019 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum
Standard versus Selective Opening Security: Separation and Equivalence Results
Standard versus Selective Opening Security: Separation and Equivalence Results Dennis Hofheinz and Andy Rupp Karlsruhe Institute of Technology, Germany {dennis.hofheinz,andy.rupp}@kit.edu Supported by
Trapdoor Functions from the Computational Diffie-Hellman Assumption
Trapdoor Functions from the Computational Diffie-Hellman Assumption Sanjam Garg Mohammad Hajiabadi June 29, 2018 Abstract Trapdoor functions TDFs are a fundamental primitive in cryptography. Yet, the current
Adaptive Trapdoor Functions and Chosen-Ciphertext Security
Adaptive Trapdoor Functions and Chosen-Ciphertext Security Eike Kiltz 1, Payman Mohassel 2, and Adam O Neill 3 1 CWI, Amsterdam, Netherlands kiltz@cwi.nl 2 University of Calgary, AB, Canada pmohasse@cpsc.ucalgary.ca
Efficient Identity-based Encryption Without Random Oracles
Efficient Identity-based Encryption Without Random Oracles Brent Waters Weiwei Liu School of Computer Science and Software Engineering 1/32 Weiwei Liu Efficient Identity-based Encryption Without Random
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt 16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o
Selective Opening Security for Receivers
Selective Opening Security for Receivers Carmit Hazay Arpita Patra Bogdan Warinschi Abstract In a selective opening (SO) attack an adversary breaks into a subset of honestly created ciphertexts and tries
CRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
Recent Advances in Identity-based Encryption Pairing-free Constructions
Fields Institute Workshop on New Directions in Cryptography 1 Recent Advances in Identity-based Encryption Pairing-free Constructions Kenny Paterson kenny.paterson@rhul.ac.uk June 25th 2008 Fields Institute
Efficient Cryptographic Primitives for. Non-Interactive Zero-Knowledge Proofs. and Applications
Efficient Cryptographic Primitives for Non-Interactive Zero-Knowledge Proofs and Applications by Kristiyan Haralambiev A dissertation submitted in partial fulfillment of the requirements for the degree
Continuous Non-Malleable Key Derivation and Its Application to Related-Key Security
Continuous Non-Malleable Key Derivation and Its Application to Related-Key Security Baodong Qin 1,2, Shengli Liu 1,, Tsz Hon Yuen 3, Robert H. Deng 4, and Kefei Chen 5 1. Department of Computer Science
Computing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
Kurosawa-Desmedt Key Encapsulation Mechanism, Revisited and More
Kurosawa-Desmedt Key Encapsulation Mechanism, Revisited and More Kaoru Kurosawa 1 and Le Trieu Phong 1 Ibaraki University, Japan kurosawa@mx.ibaraki.ac.jp NICT, Japan phong@nict.go.jp Abstract. While the
A ROBUST AND PLAINTEXT-AWARE VARIANT OF SIGNED ELGAMAL ENCRYPTION
A ROBUST AND PLAINTEXT-AWARE VARIANT OF SIGNED ELGAMAL ENCRYPTION Joana Treger ANSSI, France. Session ID: CRYP-W21 Session Classification: Advanced ELGAMAL ENCRYPTION & BASIC CONCEPTS CDH / DDH Computational
Identity-Based Identification Schemes
Identity-Based Identification Schemes Guomin Yang Centre for Computer and Information Security Research School of Computing and Information Technology University of Wollongong G. Yang (CCISR, SCIT, UOW)
SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL. Mark Zhandry Stanford University
SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL Mark Zhandry Stanford University Random Oracle Model (ROM) Sometimes, we can t prove a scheme secure in the standard model. Instead,
Hidden Field Equations
Security of Hidden Field Equations (HFE) 1 The security of Hidden Field Equations ( H F E ) Nicolas T. Courtois INRIA, Paris 6 and Toulon University courtois@minrank.org Permanent HFE web page : hfe.minrank.org
ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
Lattice Cryptography
CSE 06A: Lattice Algorithms and Applications Winter 01 Instructor: Daniele Micciancio Lattice Cryptography UCSD CSE Many problems on point lattices are computationally hard. One of the most important hard
Applied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
Lecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
Available online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:
Available online at http://scik.org J. Math. Comput. Sci. 6 (2016), No. 3, 281-289 ISSN: 1927-5307 AN ID-BASED KEY-EXPOSURE FREE CHAMELEON HASHING UNDER SCHNORR SIGNATURE TEJESHWARI THAKUR, BIRENDRA KUMAR
Week : Public Key Cryptosystem and Digital Signatures
Week 10-11 : Public Key Cryptosystem and Digital Signatures 1. Public Key Encryptions RSA, ElGamal, 2 RSA- PKC(1/3) 1st public key cryptosystem R.L.Rivest, A.Shamir, L.Adleman, A Method for Obtaining Digital
Notes for Lecture Decision Diffie Hellman and Quadratic Residues
U.C. Berkeley CS276: Cryptography Handout N19 Luca Trevisan March 31, 2009 Notes for Lecture 19 Scribed by Cynthia Sturton, posted May 1, 2009 Summary Today we continue to discuss number-theoretic constructions
Keyword Search and Oblivious Pseudo-Random Functions
Keyword Search and Oblivious Pseudo-Random Functions Mike Freedman NYU Yuval Ishai, Benny Pinkas, Omer Reingold 1 Background: Oblivious Transfer Oblivious Transfer (OT) [R], 1-out-of-N [EGL]: Input: Server:
An Efficient and Secure Protocol for Privacy Preserving Set Intersection
An Efficient and Secure Protocol for Privacy Preserving Set Intersection PhD Candidate: Yingpeng Sang Advisor: Associate Professor Yasuo Tan School of Information Science Japan Advanced Institute of Science
Lecture Note 3 Date:
P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................
Ex1 Ex2 Ex3 Ex4 Ex5 Ex6
Technische Universität München (I7) Winter 2012/13 Dr. M. Luttenberger / M. Schlund Cryptography Endterm Last name: First name: Student ID no.: Signature: If you feel ill, let us know immediately. Please,
Tightly SIM-SO-CCA Secure Public Key Encryption from Standard Assumptions
Tightly SIM-SO-CCA Secure Public Key Encryption from Standard Assumptions Lin Lyu 1,2, Shengli Liu 1,2,3( ), Shuai Han 1,2,4, and Dawu Gu 5,1 1 Dept. of Computer Science and Engineering, Shanghai Jiao
Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups
Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups David Mandell Freeman Stanford University, USA Eurocrypt 2010 Monaco, Monaco 31 May 2010 David Mandell Freeman (Stanford)
Building Lossy Trapdoor Functions from Lossy Encryption
Building Lossy Trapdoor Functions from Lossy Encryption Brett Hemenway Rafail Ostrovsky February 24, 2015 Abstract Injective one-way trapdoor functions are one of the most fundamental cryptographic primitives.
Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures
Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures Sarah Meiklejohn (UC San Diego) Hovav Shacham (UC San Diego) David Mandell Freeman
Report on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
5.4 ElGamal - definition
5.4 ElGamal - definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is
SPHINCS: practical stateless hash-based signatures
SPHINCS: practical stateless hash-based signatures D. J. Bernstein, D. Hopwood, A. Hülsing, T. Lange, R. Niederhagen, L. Papachristodoulou, P. Schwabe, and Z. Wilcox O'Hearn Digital Signatures are Important!
Instructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year
Data Privacy and Security Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2017-2018 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum