Broadcast Encryption Amos Fiat & Moni Naor
- Cori Eaton
1 Broadcast Encryption
Amos Fiat & Moni Naor
Presented By Gayathri VS

2 Outline
- The Problem
- Zero Message Schemes
  - Basic Scheme
  - 1-resilient scheme based on 1-way function
  - 1-resilient scheme based on number theory
- Low-Memory k-resilient schemes

3 The Problem
- The system consists of a broadcasting center and a set U of n users.
- A key is distributed to users upon joining the system.
- Goal: securely transmit data to a randomly changing privileged subset of users out of the set S.
- Any coalition of k users from the universe who are not part of the privileged set should not be able to decrypt the message (the scheme is k-resilient).

4 Notations
- $U$ is the universe consisting of $n$ users
- $P$ is the privileged subset
- $S$ is any subset trying to learn the secret ($S \cap P = \emptyset$)
- $|S|$ is the size of subset $S$
- $K_S$ is the key common to subset $S$

5 Security Definitions
- A scheme is resilient if, for every subset $S$ with $S \cap P = \emptyset$ (where $P \subseteq U$ is the privileged set), $S$ cannot learn the secret common to $P$.
- A scheme is k-resilient if it is resilient to every such $S$ with $|S| \le k$.
- A scheme is (k,p) random resilient if any randomly selected subset is k-resilient with probability $(1-p)$.

6 Obvious Solution
- Solution 1:

7 Obvious Solution
- Solution 2:

8 Obvious Solutions Performance
- Solution 1: Each user is assigned a unique key. 1 key per user and O(n) messages.
- Solution 2: Each subset gets a unique key. $2^{n-1}$ keys per user and O(1) messages.
- For any arbitrary subset containing $x_1$, there are two choices for each of $x_2, \dots, x_n$ (it may or may not be present in that subset), so the total number of subsets which contain $x_1$ is $2^{n-1}$.

9 Problem Statement... Revisited
- The goal is to optimize:
  a) the number of transmissions sent by the center to create the common secret
  b) the number of keys each user stores
  c) the computational effort in retrieving the common key by the members of the privileged class

10 Outline
- The Problem
- Zero Message Schemes (Low resiliency)
  - Basic Scheme (Assumption Free)
  - 1-resilient scheme based on 1-way function
  - 1-resilient scheme based on number theory
- Low-Memory k-resilient schemes

11 Zero Message Schemes
- Knowing which users are in the privileged set T, all users in T can compute the common key to decrypt the message sent by the center.
- The privileged set can be identified by sending a relatively short transmission. This is the set identification transmission (different from the broadcast encryption transmission).

12 BASIC SCHEME
- For every set $S \subseteq U$ where $0 \le |S| \le k$, assign a key $K_S$.
- Distribute $K_S$ to all users $x \in U \setminus S$.
- Example: $U = \{a, b, c\}$. Here $n = 3$. Let $k$ be 2.
- KEY DISTRIBUTION: the sets $S$ are $\{a\}, \{b\}, \{c\}, \{a,b\}, \{a,c\}, \{b,c\}$, with keys $K_a, K_b, K_c, K_{ab}, K_{ac}, K_{bc}$.
  - User a has $K_b, K_c, K_{bc}$
  - User b has $K_a, K_c, K_{ac}$
  - User c has $K_a, K_b, K_{ab}$

13
- ENCRYPTION: The common key to the privileged set $P$ is simply the exclusive or of all keys $K_S$ where $S \subseteq U \setminus P$.
- If $P = \{a, b\}$ then $K = \bigoplus K_S$ where $S \subseteq U \setminus P$. Here $S = \{c\}$, so $K = K_c$.
- RESILIENCY: Every possible set $S \subseteq U \setminus P$ with $0 \le |S| \le k$ will miss the key $K_S$ and cannot decrypt the message sent by the center.
- NUMBER OF MESSAGES, KEYS: Number of keys per user: $\sum_{i=0}^{k} \binom{n}{i}$.
- For the above scheme to be 1-resilient each user should store $(n+1)$ keys.
- For the above scheme to be n-resilient each user should store $2^{n-1}$ keys.

14 1-resilient scheme based on one-way function
- The O(n) keys of the previous scheme can be reduced to $\lceil \log_2 n \rceil$ keys if the keys are pseudo-randomly generated.
- Let $f: \{0,1\}^{l} \to \{0,1\}^{2l}$ be a pseudo-random generator (the length of the output of $f$ is twice the length of the input).
- Users are on the leaves of a balanced binary tree.
- The root is labeled with the common seed from the set $\{0,1\}^{l}$.

15
- Apply the pseudo-random generator to the root label. Assign the left half (first $l$ bits) to be the label of the left subtree, while the right half (last $l$ bits) is the label of the right subtree.
- User $x$ should get all leaf labels except his own. To achieve this, we remove the path from $x$ to the root, which leaves a forest on $\log n$ labels.
- Every $x \in U$ can use the $\log n$ values that he got to generate all leaf labels except his own.

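The label tree of slides 14 and 15 in runnable form, as an added example that is not taken from the slides or the paper. SHA-256 stands in for the length-doubling generator f, and the function names, the heap-style node numbering and the 8-user universe are assumptions; the group key is formed as in the basic scheme's example, by XOR-ing the leaf labels of the users outside P.

```python
import hashlib
from functools import reduce

L = 16  # label length in bytes (l = 128 bits)


def prg(label):
    """Length-doubling f: {0,1}^l -> {0,1}^2l, returned as (left half, right half).
    SHA-256 is a stand-in chosen for this example, not the slides' generator."""
    out = hashlib.sha256(b"label-tree" + label).digest()  # 32 bytes = 2 * L
    return out[:L], out[L:]


def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def node_label(root, node):
    """Center side: label of any node. Nodes are numbered heap-style:
    root = 1, children of v are 2v (left) and 2v + 1 (right)."""
    label = root
    for bit in bin(node)[3:]:          # path bits below the root
        label = prg(label)[int(bit)]
    return label


def user_labels(root, depth, x):
    """Labels handed to user x: the sibling of every node on the path from
    x's leaf to the root, i.e. the roots of the forest left after removing
    that path. Exactly `depth` = ceil(log2 n) labels."""
    node, held = (1 << depth) + x, {}
    while node > 1:
        held[node ^ 1] = node_label(root, node ^ 1)
        node >>= 1
    return held


def leaf_label(held, depth, y):
    """User side: expand a held label down to leaf y. Raises KeyError when no
    held label covers y, which is the case for the holder's own leaf."""
    leaf = (1 << depth) + y
    for up in range(depth + 1):
        if (leaf >> up) in held:
            label = held[leaf >> up]
            for i in reversed(range(up)):
                label = prg(label)[(leaf >> i) & 1]
            return label
    raise KeyError(f"no held label covers leaf {y}")


def group_key(get_leaf, n, privileged):
    """XOR of the leaf labels of all users outside the privileged set P.
    P = U would need the empty-set key of the basic scheme, omitted here."""
    outside = [y for y in range(n) if y not in privileged]
    if not outside:
        raise ValueError("P = U is not covered by this sketch")
    return reduce(xor, (get_leaf(y) for y in outside))


# Constructed demo values.
N_USERS = 8
DEPTH = (N_USERS - 1).bit_length()     # 3 = ceil(log2 8)
ROOT = bytes(range(L))                 # fixed seed so runs are repeatable
P = {0, 1, 2, 5}


def center_key():
    return group_key(lambda y: node_label(ROOT, (1 << DEPTH) + y), N_USERS, P)


def key_seen_by(users):
    """Group key computed from the pooled labels of one user or a coalition."""
    pooled = {}
    for x in users:
        pooled.update(user_labels(ROOT, DEPTH, x))
    return group_key(lambda y: leaf_label(pooled, DEPTH, y), N_USERS, P)


if __name__ == "__main__":
    print("member 2 agrees with center:", key_seen_by([2]) == center_key())
    try:
        key_seen_by([3])
    except KeyError as err:
        print("excluded user 3 alone fails:", err)
    print("excluded users 3 and 4 pooled:", key_seen_by([3, 4]) == center_key())
```

The last line of the demo shows why the resilience is exactly 1: the labels of two excluded users together cover every leaf.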
17 A 1-resilient scheme based on Computational Number Theoretic Assumptions
- The center chooses a random hard-to-factor composite $N = P \cdot Q$ where $P$ and $Q$ are primes.
- It also chooses a secret value $g$ of high index.
- Each user $i \in U$ is assigned $g_i = g^{p_i}$, where $\gcd(p_i, p_j) = 1$ for $i \ne j$.
- The common key for $P \subseteq U$ is $g_T = g^{P_T} \bmod N$ where $P_T = \prod_{i \in P} p_i$.
- Each user $i \in P$ can compute $g_T$ as $g_i^{X} \bmod N$ where $X = \prod_{j \in P \setminus \{i\}} p_j$.

18

| SCHEME | NO OF KEYS/USER | MESSAGE LENGTH | RESILIENCY | ASSUMPTION |
|---|---|---|---|---|
| TRIVIAL SOLUTION-1 | 1 | O(n) | any | Nothing |
| TRIVIAL SOLUTION-2 | $2^{n-1}$ | 1 | any | Nothing |
| BASIC SCHEME | $\sum_{i \le k} \binom{n}{i}$ | 1 | k | Nothing |
| BASIC SCHEME (k=1) | O(n) | 1 | 1 | Nothing |
| BASIC SCHEME (k=n-1) | $O(2^n)$ | 1 | n | Nothing |
| 1-resilient using PRG | $\lceil \log n \rceil$ | 1 | 1 | One-way functions and hence PRG exist |
| 1-resilient using number theory | | | | Root extraction is hard |

19 Outline
- The Problem
- Zero Message Schemes (Low resiliency)
  - Basic Scheme (Assumption Free)
  - 1-resilient scheme based on 1-way function
  - 1-resilient scheme based on number theory
- Low-Memory k-resilient schemes
  - One Level Schemes
  - Multi Level Schemes

20 Low-Memory k-Resilient Schemes
- The zero-message schemes require, for k > 1, memory which is exponential in k.
- Low-memory k-resilient schemes can be built from 1-resilient schemes.
- Let $w$ denote the number of keys that a user is required to store in the 1-resilient scheme: $w = n+1$ if no cryptographic assumptions are made, $w = \lceil \log n \rceil$ if we assume that one-way functions exist, and $w = 1$ if we assume that it is hard to extract roots modulo a composite.
- The efficiency of the schemes is measured by how many $w$'s they require.

21 One Level Scheme
1. $f_1, f_2, \dots, f_l$ is a family of functions $f_i : U \to \{1, \dots, m\}$, $1 \le i \le l$.
2. For every group $S \subseteq U$ with $|S| = k$ there exists some function $f_i$ that is 1-1 on $S$: for all $x \ne y$ in $S$, $f_i(x) \ne f_i(y)$.
- $\{f_i\}$ contains a perfect hash function for all subsets of size k in U when mapped to the range $\{1, 2, \dots, m\}$.

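22 One Level Scheme Key Distribution
1. $\{R(i,j)\}$, $1 \le i \le l$, $1 \le j \le m$, are independent 1-resilient schemes.
2. Each user $x \in U$ gets the keys associated with the scheme $R(i, f_i(x))$, $1 \le i \le l$.

| | user 1 | user 2 | ... | user n |
|---|---|---|---|---|
| 1 | $R(1, f_1(1))$ | $R(1, f_1(2))$ | ... | $R(1, f_1(n))$ |
| 2 | $R(2, f_2(1))$ | $R(2, f_2(2))$ | ... | $R(2, f_2(n))$ |
| ... | | | | |
| l | $R(l, f_l(1))$ | $R(l, f_l(2))$ | ... | $R(l, f_l(n))$ |
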
23 One Level Schemes Encryption and Decryption
1. To transmit $M$ to $T \subseteq U$, the center breaks $M$ into $l$ random shares such that $M = M_1 \oplus M_2 \oplus \dots \oplus M_l$.
2. For $1 \le i \le l$ the center transmits $M_i$ in $m$ distinct messages using $R(i,j)$, $j = 1, 2, \dots, m$; the message under $R(i,j)$ is addressed to the users $x$ in $P$ with $f_i(x) = j$.
3. Every $x \in T$ may recover $M_i$, $1 \le i \le l$, from $R(i,j)$ where $j = f_i(x)$, and then add them up (XOR) to get $M$.
- If $x_1$ is part of $P$: $M_1$ comes from $R(1, f_1(x_1))$, $M_2$ from $R(2, f_2(x_1))$, ..., $M_l$ from $R(l, f_l(x_1))$.

24 One Level Scheme - Storage
[Figure: the key table $R(i, f_i(x))$ for rows 1, 2, ..., l and users 1, 2, ..., n, with the shares $M_1, M_2, \dots, M_l$ alongside rows 1, 2, ..., l]
- Storage per user: $l$ times that of the 1-resilient scheme.
- Length of transmission: $l \cdot m$ messages.

25 One Level Scheme - Resiliency
Claim: The scheme is k-resilient.
- Let $S$ be a coalition of size $|S| \le k$.
- There exists an $f_i$ that is 1-1 on $S$.
- $M_i$ is the message transmitted using $f_i$. $M_i$ is delivered in $m$ independent transmissions.
- For each $j$ there can be at most one $x \in S$ with $f_i(x) = j$ who has the keys of that scheme.
- However, $R(i,j)$ is 1-resilient and hence that single user cannot recover $M_i$, and hence $M$.

26 One Level Scheme Idea
- Use a perfect family of hash functions.
- Send a share of the secret $M$ corresponding to each hash function.
- Each share is broadcast with different encryptions.
- The privileged users can decrypt these messages, and any colluding set of at most k users cannot obtain at least one of the shares.
- No information about $M$ is revealed if we miss even one of the shares.

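The one-level construction of slides 21 to 26 in runnable form, as an added example that is not taken from the slides or the paper. It assumes the basic scheme with k = 1 as each R(i, j), a one-time XOR pad as the cipher, and a hand-picked two-function family (f0, f1) over 24 users in place of the random family of the theorem; all class and function names are illustrative.

```python
import secrets
from functools import reduce

KEYLEN = 16  # bytes; a message in this sketch is one block of the same length


def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


class OneResilient:
    """R(i, j): the basic scheme with k = 1 over the users of one bucket."""

    def __init__(self, members):
        self.members = set(members)
        # One key K_S per S with |S| <= 1: the empty set (None) and each singleton.
        self.keys = {s: secrets.token_bytes(KEYLEN) for s in [None, *self.members]}

    def keys_for(self, x):
        """User x receives every K_S with x not in S."""
        return {s: k for s, k in self.keys.items() if s != x}

    def group_key(self, held, privileged):
        """XOR of K_S over all S disjoint from `privileged`; None if a key is missing."""
        needed = [None, *(self.members - privileged)]
        if any(s not in held for s in needed):
            return None
        return reduce(xor, (held[s] for s in needed))


class OneLevel:
    def __init__(self, users, hashes, m):
        self.hashes = hashes
        self.R = {(i, j): OneResilient(x for x in users if f(x) == j)
                  for i, f in enumerate(hashes) for j in range(m)}

    def user_keys(self, x):
        """Keys of R(i, f_i(x)) for every i: l times the 1-resilient storage."""
        return {(i, f(x)): self.R[i, f(x)].keys_for(x)
                for i, f in enumerate(self.hashes)}

    def pool(self, users):
        """Key material of one user, or of a coalition that shares everything."""
        pooled = {}
        for x in users:
            for slot, held in self.user_keys(x).items():
                pooled.setdefault(slot, {}).update(held)
        return pooled

    def broadcast(self, msg, T):
        """Split M into l XOR shares; send share i once per bucket that T occupies."""
        shares = [secrets.token_bytes(len(msg)) for _ in self.hashes[1:]]
        shares.append(reduce(xor, shares, msg))   # XOR of all shares equals msg
        return {(i, j): xor(shares[i], r.group_key(r.keys, r.members & T))
                for (i, j), r in self.R.items() if r.members & T}

    def recover(self, pooled, T, ct):
        """Rebuild M from pooled keys; None if some share M_i is out of reach."""
        shares = {}
        for (i, j), c in ct.items():
            r = self.R[i, j]
            key = r.group_key(pooled.get((i, j), {}), r.members & T)
            if key is not None:
                shares[i] = xor(c, key)
        if len(shares) < len(self.hashes):
            return None
        return reduce(xor, shares.values())


# Constructed parameters: 24 users, k = 2, m = 8 buckets.
USERS = range(24)
def f0(x): return x % 8
def f1(x): return x // 8       # any two users that collide under f0 differ here
T = {1, 3, 9, 12}              # privileged set
S = {11, 19}                   # coalition outside T; both fall in f0 bucket 3
MSG = b"content-key-0001"      # 16 bytes


def run(hashes, who):
    scheme = OneLevel(USERS, hashes, m=8)
    ct = scheme.broadcast(MSG, T)
    return scheme.recover(scheme.pool(who), T, ct)


if __name__ == "__main__":
    print("privileged user 9, family {f0, f1}:", run([f0, f1], {9}))
    print("coalition S, family {f0, f1}:      ", run([f0, f1], S))
    print("coalition S, f0 alone (not 1-1):   ", run([f0], S))
```

With f0 alone the two colluders share a bucket and pool the one key each was missing; adding f1, which separates them, leaves share 1 out of reach.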
27 Setting Parameters
- Set $m = 2k^2$, $l = k \log n$.
- Theorem: There exists a k-resilient scheme that requires the users to store $O(k \log n \cdot w)$ keys and the center to broadcast $O(k^3 \log n)$ messages. The scheme may be constructed at random with arbitrarily high probability.
- The probability that a random $f_i$ is not 1-1 on $S$ is at most $\binom{k}{2} \cdot \frac{1}{m} = \frac{k(k-1)}{2m} = \frac{1}{4} - \frac{1}{4k} \le \frac{1}{4}$.
- Given the family of functions $f_1, f_2, \dots, f_l$: $\Pr(\text{no } f_i \text{ is 1-1 on } S) \le \frac{1}{4^l} = \frac{1}{2^{2l}} = \frac{1}{n^{2k}}$ (since $l = k \log n$, $2l = 2k \log n = \log n^{2k}$, so $n^{2k} = 2^{2l}$).
- $\Pr(\text{some } f_i \text{ is 1-1 on } S) \ge 1 - n^{-2k}$.
- $\Pr(\text{for every } S \text{ of size } k \text{ there exists an } f_i \text{ that is 1-1 on } S) \ge (1 - n^{-2k})^t \ge 1 - n^{-k}$, where $t = \binom{n}{k}$.

28 Setting Parameters
- A scheme is (k,p) random resilient if any randomly selected subset is k-resilient with probability $(1-p)$.
- $\Pr(\text{for all subsets } S \text{ of size } k \text{ there exists an } f_i \text{ that is 1-1 on } S) \ge 1 - p$.
- For (k,p) random resiliency substitute $l = \log(1/p)$.
- Theorem: A (k,p)-resilient scheme requires the users to store $O(\log(1/p) \cdot w)$ keys and the center should broadcast $O(k^2 \log(1/p))$ messages.

29 Multi Level Schemes
- Multi-level schemes, like the one-level ones, convert 1-resilient schemes to k-resilient ones.
- The multi-levelness comes through the $R(i,j)$s, which are sets of 1-resilient schemes.
- They decrease the length of transmission at the expense of more storage at the user.

30 Multi-Level Scheme Key Distribution
- Every user $x$ in $U$, for every $1 \le i \le l$ and for every $1 \le r \le w$, receives the keys associated with the scheme $R(i, f_i(x), r)$.
- User 1 holds:
  - $R(1, f_1(1), 1)$, $R(1, f_1(1), 2)$, ..., $R(1, f_1(1), w)$
  - $R(2, f_2(1), 1)$, $R(2, f_2(1), 2)$, ..., $R(2, f_2(1), w)$
  - ...
  - $R(l, f_l(1), 1)$, $R(l, f_l(1), 2)$, ..., $R(l, f_l(1), w)$
- For every subset $S$ of size k, there exists some $1 \le i \le l$ such that for all $j$ there exists some $w$ such that $R(i,j,w)$ is resilient to the set $\{x \in S : f_i(x) = j\}$.

31 Multi Level Scheme Encryption and Decryption
1. To transmit $M$ to $T \subseteq U$, the center breaks $M$ randomly into $l$ shares, such that $M = M_1 \oplus M_2 \oplus \dots \oplus M_l$.
2. Each $M_i$ is broken into $w$ shares for each $j$: $M_1(i,j), M_2(i,j), \dots, M_w(i,j)$.
3. For $1 \le i \le l$ and $1 \le r \le w$, $M_r(i,j)$ is broadcast to the privileged subset $\{x \in T : f_i(x) = j\}$.
4. For any subset $S$ of size k, by assumption there is an $i$ such that for all $j$ some scheme $R(i,j,w)$ is resilient to the users $x$ in $S$ with $f_i(x) = j$.
- Storage per user: $l \cdot w$ times that of the 1-resilient scheme.
- Length of transmission: $l \cdot m \cdot w$ times that of the 1-resilient scheme.

32
- Set $l = 2k \log n$, $m = k / \log k$, $w = \log k + 1$, $t = 2e \log k$.
- There exists a k-resilient scheme that requires each user to store $O(k \log k \log n \cdot w)$ keys and the center to broadcast $O(k^2 \log^2 k \log n)$ messages. Moreover, the scheme can be constructed effectively with high probability.
- There exists a (k,p) random-resilient scheme with the property that the number of keys each user should store is $O(\log k \cdot \log(1/p) \cdot w)$ and the center should broadcast $O(k \log^2 k \log(1/p))$ messages. Moreover, the scheme can be constructed effectively with high probability.

33

| SCHEME | NO OF KEYS/USER | MESSAGE LENGTH | RESILIENCY | ASSUMPTION |
|---|---|---|---|---|
| BASIC SCHEME | $\sum_{i \le k} \binom{n}{i}$ | 1 | k | Nothing |
| 1-resilient using PRG | $\lceil \log n \rceil$ | 1 | 1 | One-way functions and hence PRG exist |
| 1-resilient using number theory | | | | Root extraction is hard |
| One Level Scheme | $O(k \log n \cdot w)$ | $O(k^3 \log n)$ | k | |
| 1-Level (k,p) | $O(\log(1/p) \cdot w)$ | $O(k^2 \log(1/p))$ | k | |
| Multi-Level | $O(k \log k \log n \cdot w)$ | $O(k^2 \log^2 k \log n)$ | k | |

34 Thank You!
More informationAdvanced Cryptography Quantum Algorithms Christophe Petit
The threat of quantum computers Advanced Cryptography Quantum Algorithms Christophe Petit University of Oxford Christophe Petit -Advanced Cryptography 1 Christophe Petit -Advanced Cryptography 2 The threat
More informationProblem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed
Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical
More informationPseudo-random Number Generation. Qiuliang Tang
Pseudo-random Number Generation Qiuliang Tang Random Numbers in Cryptography The keystream in the one-time pad The secret key in the DES encryption The prime numbers p, q in the RSA encryption The private
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationCryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups
Great Theoretical Ideas in CS V. Adamchik CS 15-251 Upcoming Interview? Lecture 24 Carnegie Mellon University Cryptography and RSA How the World's Smartest Company Selects the Most Creative Thinkers Groups
More informationFault-Tolerant Consensus
Fault-Tolerant Consensus CS556 - Panagiota Fatourou 1 Assumptions Consensus Denote by f the maximum number of processes that may fail. We call the system f-resilient Description of the Problem Each process
More informationFoundations of Cryptography
- 111 - Foundations of Cryptography Notes of lecture No. 10B & 11 (given on June 11 & 18, 1989) taken by Sergio Rajsbaum Summary In this lecture we define unforgeable digital signatures and present such
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationTHE RSA ENCRYPTION SCHEME
THE RSA ENCRYPTION SCHEME Contents 1. The RSA Encryption Scheme 2 1.1. Advantages over traditional coding methods 3 1.2. Proof of the decoding procedure 4 1.3. Security of the RSA Scheme 4 1.4. Finding
More informationMidterm 2. Your Exam Room: Name of Person Sitting on Your Left: Name of Person Sitting on Your Right: Name of Person Sitting in Front of You:
CS70 Discrete Mathematics and Probability Theory, Fall 2018 Midterm 2 8:00-10:00pm, 31 October Your First Name: SIGN Your Name: Your Last Name: Your SID Number: Your Exam Room: Name of Person Sitting on
More informationScribe for Lecture #5
CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationCosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks
1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some
More informationCryptosystem. Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage
Cryptosystem Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage f(m). The receiver computes f 1 (f(m)). Advantage: Cannot
More informationKTH, NADA , and D1449 Kryptografins grunder. Lecture 6: RSA. Johan Håstad, transcribed by Martin Lindkvist
Lecture 6: RSA Johan Håstad, transcribed by Martin Lindkvist 2006-01-31, 2006-02-02 and 2006-02-07 1 Introduction Using an ordinary cryptosystem, encryption uses a key K and decryption is performed by
More informationLecture 4: DES and block ciphers
Lecture 4: DES and block ciphers Johan Håstad, transcribed by Ernir Erlingsson 2006-01-25 1 DES DES is a 64 bit block cipher with a 56 bit key. It selects a 64 bit block and modifies it depending on the
More informationCryptography. pieces from work by Gordon Royle
Cryptography pieces from work by Gordon Royle The set-up Cryptography is the mathematics of devising secure communication systems, whereas cryptanalysis is the mathematics of breaking such systems. We
More informationCSE 21 Math for Algorithms and Systems Analysis. Lecture 11 Bayes Rule and Random Variables
CSE 21 Math for Algorithms and Systems Analysis Lecture 11 Bayes Rule and Random Variables Outline Review of CondiConal Probability Bayes Rule Random Variables DefiniCon of CondiConal Probability U P (A
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More information