On Tightly Secure Non-Interactive Key Exchange
|
|
- Christian Fields
- 5 years ago
- Views:
Transcription
1 On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universität Darmstadt) Dennis Hofheinz (Karlsruhe Institute of Technology) Lisa Kohl (Karlsruhe Institute of Technology) 1
2 Non-Interactive Key Exchange (NIKE) pk 1, pk 2 (pk 1, sk 1 ) KeyGen K 21 = SharedKey(pk 2, sk 1 ) = (pk 2, sk 2 ) KeyGen K 12 = SharedKey(pk 1, sk 2 ) 2
3 Tight security Scheme S secure if problem P hard: A attacks S = B attacks P s.t. Advantage S A }{{} L Advantage P B (+ similar runtime) security loss Asymptotic security: L polynomial 3
4 Tight security Scheme S secure if problem P hard: A attacks S = B attacks P s.t. Advantage S A }{{} L Advantage P B (+ similar runtime) security loss Asymptotic security: L polynomial Tight security: L small (e.g. small constant) 3
5 Tight security Scheme S secure if problem P hard: A attacks S = B attacks P s.t. Advantage S A }{{} L Advantage P B (+ similar runtime) security loss Asymptotic security: L polynomial Tight security: L small (e.g. small constant) Why do we care? Theory: closer relation between P and S Practice: smaller keys more efficient instantiations 3
6 Recap: Diffie-Hellman Key Exchange [DH76; CKS08] G group, g = G, p := G g a, g b a Z p K 21 = (g b ) a = g ab = b Z p K 12 = (g a ) b Decisional DH: a, b, c R Z p : (g a, g b, g ab ) c (g a, g b, g c ) 4
7 (Simplified) Security model pk1,, pkn 5
8 (Simplified) Security model pk1,, pkn 5
9 (Simplified) Security model pk1,, pkn 5
10 (Simplified) Security of NIKE w/ extractions (pk i, sk i ) KeyGen pk 1,..., pk n b {0, 1} K 0 SharedKey(pk i, sk j ) K 1 random key i, j {sk i } i / {i,j }, K b A b Advantage nike A := Pr[b = b] 1/2 6
11 Recap: DH Key Exchange - Security w/ extractions Idea: i, j R {1,..., n}, embed DDH-challenge in pk i, pk j 7
12 Recap: DH Key Exchange - Security w/ extractions Idea: i, j R {1,..., n}, embed DDH-challenge in pk i, pk j security loss of n 2 Reduction knows sk i i / {i, j } Reduction doesn t know sk i i {i, j } 7
13 Recap: DH Key Exchange - Security w/ extractions Idea: i, j R {1,..., n}, embed DDH-challenge in pk i, pk j security loss of n 2 Reduction knows sk i i / {i, j } Reduction doesn t know sk i i {i, j } [BJLS16]: This loss is inherent! 7
14 Our results Can we do better? 8
15 Our results Can we do better? Yes! First NIKE with security loss n (in the standard model). 8
16 Our results Can we do better? Yes! First NIKE with security loss n (in the standard model). Can we do even better? 8
17 Our results Can we do better? Yes! First NIKE with security loss n (in the standard model). Can we do even better? Seems hard! Lower bound of security loss n for broad class of NIKEs. 8
18 Our results Can we do better? Yes! First NIKE with security loss n (in the standard model). Can we do even better? Seems hard! Lower bound of security loss n for broad class of NIKEs. + Generic transformation with tight instantiation: NIKE with passive security NIKE with active security 8
19 The lower bound of [BJLS16] applies to all NIKEs w/ unique secret keys rules out tight simple black-box reductions 9
20 The lower bound of [BJLS16] applies to all NIKEs w/ unique secret keys rules out tight simple black-box reductions Instance of P pk 1,..., pk n Solution to P B i, j {sk i } i / {i,j }, K b b A 9
21 The lower bound of [BJLS16] applies to all NIKEs w/ unique secret keys rules out tight simple black-box reductions Instance of P Solution to P B pk 1,..., pk n i, j {sk i } i / {i,j }, K b b Metareduction Λ A sim Idea: simulate A by computing K i j 9
22 The lower bound of [BJLS16] applies to all NIKEs w/ unique secret keys rules out tight simple black-box reductions Instance of P rewind Solution to P B pk 1,..., pk n i, j {sk i } i / {i,j }, K b b Metareduction Λ A sim Idea: simulate A by computing K i j with extracted sk j (or sk i ) 9
23 The lower bound of [BJLS16] applies to all NIKEs w/ unique secret keys rules out tight simple black-box reductions Instance of P rewind Solution to P B pk 1,..., pk n i, j {sk i } i / {i,j }, K b b Metareduction Λ A sim Idea: simulate A by computing K i j with extracted sk j (or sk i ) run (i, j ) on which B does not abort 9
24 The lower bound of [BJLS16] applies to all NIKEs w/ unique secret keys rules out tight simple black-box reductions Instance of P rewind Solution to P B pk 1,..., pk n i, j {sk i } i / {i,j }, K b b Metareduction Λ A sim Idea: simulate A by computing K i j with extracted sk j (or sk i ) run (i, j ) on which B does not abort problem P easy 9
25 The lower bound of [BJLS16] applies to all NIKEs w/ unique secret keys rules out tight simple black-box reductions Instance of P rewind Solution to P B pk 1,..., pk n i, j {sk i } i / {i,j }, K b b Metareduction Λ A sim Idea: simulate A by computing K i j with extracted sk j (or sk i ) run (i, j ) on which B does not abort problem P easy security loss of at least Ω(n 2 ) 9
26 The lower bound of [BJLS16] applies to all NIKEs w/ unique secret keys rules out tight simple black-box reductions Instance of P pk 1,..., pk n Reduction doesn t know sk i rewind Solution to P B i, j {sk i } i / {i,j }, K b b Metareduction Λ A sim i {i, j } Idea: simulate A by computing K i j with extracted sk j (or sk i ) run (i, j ) on which B does not abort problem P easy security loss of at least Ω(n 2 ) 9
27 The lower bound of [BJLS16] applies to all NIKEs w/ unique secret keys rules out tight simple black-box reductions Instance of P pk 1,..., pk n Reduction doesn t know sk i rewind Solution to P B i, j {sk i } i / {i,j }, K b b Metareduction Λ A sim i {i, j } has to abort on all runs (i, j ) Idea: simulate A by computing K i j with extracted sk j (or sk i ) run (i, j ) on which B does not abort problem P easy security loss of at least Ω(n 2 ) 9
28 How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys uniqueness of shared key 10
29 How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys uniqueness of shared key Our scheme: public keys have many secret keys 10
30 How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys uniqueness of shared key Our scheme: public keys have many secret keys Not enough! By correctness: (pk 1, sk 1 ), (pk 2, sk 2 ): SharedKey(pk 2, sk 1 ) = SharedKey(pk 1, sk 2 ) 10
31 How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys uniqueness of shared key Our scheme: public keys have many secret keys Not enough! By correctness: (pk 1, sk 1 ), (pk 2, sk 2 ): SharedKey(pk 2, sk 1 ) = SharedKey(pk 1, sk 2 ) Solution: invalid public keys (w/o secret keys) 10
32 How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys uniqueness of shared key Our scheme: public keys have many secret keys Not enough! By correctness: (pk 1, sk 1 ), (pk 2, sk 2 ): SharedKey(pk 2, sk 1 ) = SharedKey(pk 1, sk 2 ) Solution: invalid public keys (w/o secret keys) valid public keys c invalid public keys 10
33 How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys uniqueness of shared key Our scheme: public keys have many secret keys Not enough! By correctness: (pk 1, sk 1 ), (pk 2, sk 2 ): SharedKey(pk 2, sk 1 ) = SharedKey(pk 1, sk 2 ) Solution: invalid public keys (w/o secret keys) valid public keys c invalid public keys (pk 1, sk 1 ), pk 2 : (pk 1, pk 2, SharedKey(pk 2, sk 1 )) (pk 1, pk 2, random) 10
34 How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys uniqueness of shared key Our scheme: public keys have many secret keys Not enough! By correctness: (pk 1, sk 1 ), (pk 2, sk 2 ): SharedKey(pk 2, sk 1 ) = SharedKey(pk 1, sk 2 ) Solution: invalid public keys (w/o secret keys) valid public keys c invalid public keys (pk 1, sk 1 ), pk 2 : (pk 1, pk 2, SharedKey(pk 2, sk 1 )) (pk 1, pk 2, random) Note: this requires entropy in sk 1 given pk 1 (and thus many secret keys)! 10
35 Recap: Subset membership problem (SMP) X set, L X NP-language Subset membership assumption for (X, L): {x x R L} c {x x R X \ L}
36 Recap: Subset membership problem (SMP) X set, L X NP-language Subset membership assumption for (X, L): {x x R L} c {x x R X \ L} valid public keys c invalid public keys 11
37 Recap: Hash proof system [CS98] HPS = (Gen, PubEval, PrivEval) is HPS for language L if: } PubEval(hpk, x, w) return the same key K for all x L with witness w PrivEval(hsk, x) Universality: x / L, (hpk, hsk ) Gen: (hpk, x, PrivEval(hsk, x)) (hpk, x, random) 12
38 Our NIKE Variation of the PAKE of [KOY01; GL03] HPS = (Gen, PubEval, PrivEval) for L, SMP for L X hard x 1, hpk 2 x 1 L with witness w 1 (hpk 2, hsk 2 ) Gen K 21 = PubEval(hpk 2, x 1, w 1 ) = K 12 = PrivEval(hsk 2, x 1 ) 13
39 Our NIKE Variation of the PAKE of [KOY01; GL03] HPS = (Gen, PubEval, PrivEval) for L, SMP for L X hard (hpk 1, x 1 ), (hpk 2, x 2 ) x 1 L with witness w 1 x 2 L with witness w 2 (hpk 1, hsk 1 ) Gen (hpk 2, hsk 2 ) Gen K 21 = PubEval(hpk 2, x 1, w 1 ) = K 12 = PrivEval(hsk 2, x 1 ) 13
40 Our NIKE Variation of the PAKE of [KOY01; GL03] HPS = (Gen, PubEval, PrivEval) for L, SMP for L X hard (hpk 1, x 1 ), (hpk 2, x 2 ) Note: hsk not unique can switch x to X \L x 1 L with witness w 1 (hpk 1, hsk 1 ) Gen K 21 = PubEval(hpk 2, x 1, w 1 ) = x 2 L with witness w 2 (hpk 2, hsk 2 ) Gen K 12 = PrivEval(hsk 2, x 1 ) 13
41 Proof of Security - Idea Idea: i R {1,..., n}, embed SMP-challenge as x i in pk i 14
42 Proof of Security - Idea Idea: i R {1,..., n}, embed SMP-challenge as x i in pk i j > i : K i j = PrivEval(hsk j, x i ) 14
43 Proof of Security - Idea Idea: i R {1,..., n}, embed SMP-challenge as x i in pk i j > i : K i j = PrivEval(hsk j, x i ) random if x i X \L and hsk j unknown 14
44 Proof of Security - Idea Idea: i R {1,..., n}, embed SMP-challenge as x i in pk i j > i : K i j = PrivEval(hsk j, x i ) random if x i X \L and hsk j unknown security loss of only n Reduction knows sk i i i Reduction doesn t know sk i i = i 14
45 Towards a new lower bound [BJLS16]: obtain sk i or sk j via rewinding to compute unique K i j 15
46 Towards a new lower bound [BJLS16]: obtain sk i or sk j via rewinding to compute unique K i j reduction aborts on all runs without i and all runs without j loss of Ω(n 2 ) 15
47 Towards a new lower bound [BJLS16]: obtain sk i or sk j via rewinding to compute unique K i j reduction aborts on all runs without i and all runs without j loss of Ω(n 2 ) Problem: sk i, sk j not unique 15
48 Towards a new lower bound [BJLS16]: obtain sk i or sk j via rewinding to compute unique K i j reduction aborts on all runs without i and all runs without j loss of Ω(n 2 ) Problem: sk i, sk j not unique Observation: uniqueness of K i j sufficient 15
49 Towards a new lower bound [BJLS16]: obtain sk i or sk j via rewinding to compute unique K i j reduction aborts on all runs without i and all runs without j loss of Ω(n 2 ) Problem: sk i, sk j not unique Observation: uniqueness of K i j sufficient shared keys between valid public keys unique 15
50 Towards a new lower bound [BJLS16]: obtain sk i or sk j via rewinding to compute unique K i j reduction aborts on all runs without i and all runs without j loss of Ω(n 2 ) Problem: sk i, sk j not unique Observation: uniqueness of K i j sufficient shared keys between valid public keys unique invalid public keys have no secret keys 15
51 Towards a new lower bound [BJLS16]: obtain sk i or sk j via rewinding to compute unique K i j reduction aborts on all runs without i and all runs without j loss of Ω(n 2 ) Problem: sk i, sk j not unique Observation: uniqueness of K i j sufficient shared keys between valid public keys unique invalid public keys have no secret keys Our metareduction: Idea: obtain sk i and sk j via rewinding to compute unique K i j 15
52 Towards a new lower bound [BJLS16]: obtain sk i or sk j via rewinding to compute unique K i j reduction aborts on all runs without i and all runs without j loss of Ω(n 2 ) Problem: sk i, sk j not unique Observation: uniqueness of K i j sufficient shared keys between valid public keys unique invalid public keys have no secret keys Our metareduction: Idea: obtain sk i and sk j via rewinding to compute unique K i j reduction aborts on all runs without i or on all runs without j 15
53 Towards a new lower bound [BJLS16]: obtain sk i or sk j via rewinding to compute unique K i j reduction aborts on all runs without i and all runs without j loss of Ω(n 2 ) Problem: sk i, sk j not unique Observation: uniqueness of K i j sufficient shared keys between valid public keys unique invalid public keys have no secret keys Our metareduction: Idea: obtain sk i and sk j via rewinding to compute unique K i j reduction aborts on all runs without i or on all runs without j loss of Ω(n) 15
54 From passive to active security Idea: add unbounded simulation sound NIZK proof of knowledge of secret key USS-NIZK allows to simulate during the reduction PoK allows to extract the secret key from corrupted users 16
55 From passive to active security Idea: add unbounded simulation sound NIZK proof of knowledge of secret key USS-NIZK allows to simulate during the reduction PoK allows to extract the secret key from corrupted users Instantiation: generic instantiation from standard components optimized tightly secure instantiation for our NIKE 16
56 Our results Reference pk sec. model sec. loss assumption uses [DH76] 1 G passive n 2 DDH - Ours 3 G passive n DDH - [CKS08] 2 G active 2 CDH ROM [FHKP13] 1 Z N active n 2 factoring ROM [FHKP13] 2 G + 1 Z p active n 2 DBDH pairing Ours 12 G active n DLIN pairing *w/o extractions Modular constructions New lower bound: applies to all schemes where invalid public keys have no secret keys yields a loss of Ω(n) for all simple black-box reductions Generic transformation from passive to active secure NIKE Thank you!! 17
57 Bibliography I Christoph Bader, Tibor Jager, Yong Li, and Sven Schäge. On the Impossibility of Tight Cryptographic Reductions. In: EUROCRYPT 2016, Part II. Ed. by Marc Fischlin and Jean-Sébastien Coron. Vol LNCS. Springer, Heidelberg, May 2016, pp doi: / _10. David Cash, Eike Kiltz, and Victor Shoup. The Twin Diffie-Hellman Problem and Applications. In: EUROCRYPT Ed. by Nigel P. Smart. Vol LNCS. Springer, Heidelberg, Apr. 2008, pp Ronald Cramer and Victor Shoup. A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack. In: CRYPTO 98. Ed. by Hugo Krawczyk. Vol LNCS. Springer, Heidelberg, Aug. 1998, pp
58 Bibliography II Whitfield Diffie and Martin E. Hellman. New Directions in Cryptography. In: IEEE Transactions on Information Theory 22.6 (1976), pp Eduarda S. V. Freire, Dennis Hofheinz, Eike Kiltz, and Kenneth G. Paterson. Non-Interactive Key Exchange. In: PKC Ed. by Kaoru Kurosawa and Goichiro Hanaoka. Vol LNCS. Springer, Heidelberg, 2013, pp doi: / _17. Rosario Gennaro and Yehuda Lindell. A Framework for Password-Based Authenticated Key Exchange. In: EUROCRYPT Ed. by Eli Biham. Vol LNCS. Springer, Heidelberg, May 2003, pp
59 Bibliography III Jonathan Katz, Rafail Ostrovsky, and Moti Yung. Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords. In: EUROCRYPT Ed. by Birgit Pfitzmann. Vol LNCS. Springer, Heidelberg, May 2001, pp Eike Kiltz and Hoeteck Wee. Quasi-Adaptive NIZK for Linear Subspaces Revisited. In: EUROCRYPT 2015, Part II. Ed. by Elisabeth Oswald and Marc Fischlin. Vol LNCS. Springer, Heidelberg, Apr. 2015, pp doi: / _4. 20
On Tightly Secure Non-Interactive Key Exchange
On Tightly Secure Non-Interactive Key Exchange Julia Hesse,1, Dennis Hofheinz,2, and Lisa Kohl,2 1 Technische Universität Darmstadt, Germany julia.hesse@crisp-da.de 2 Karlsruhe Institute of Technology,
More informationKurosawa-Desmedt Meets Tight Security
Kurosw-Desmedt Meets Tight Security Romin Gy (École normle supérieure) Dennis Hofheinz (Krlsruhe Institute of Technology) Lis Kohl (Krlsruhe Institute of Technology) 1 Scenrio All illustrtions by John
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationTightly CCA-Secure Encryption without Pairings. Romain Gay, ENS Dennis Hofheinz, KIT Eike Kiltz, RUB Hoeteck Wee, ENS
Tightly CCA-Secure Encryption without Pairings Romain Gay, ENS Dennis Hofheinz, KIT Eike Kiltz, RUB Hoeteck Wee, ENS Security of encryption pk Alice Enc(pk, m) Bob sk Security of encryption pk Alice Enc(pk,
More informationAdaptive partitioning. Dennis Hofheinz (KIT, Karlsruhe)
Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Public-Key Encryption Accepted security
More informationShorter Quasi-Adaptive NIZK Proofs for Linear Subspaces
Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces Charanjit S. Jutla 1 and Arnab Roy 2 1 IBM T. J. Watson Research Center Yorktown Heights, NY 10598, USA csjutla@us.ibm.com 2 Fujitsu Laboratories
More informationA Framework for Password-Based Authenticated Key Exchange
A Framework for Password-Based Authenticated Key Exchange Extended Abstract Rosario Gennaro and Yehuda Lindell IBM T.J. Watson Research Center Yorktown Heights, NY 10528, USA. {rosario,lindell}@us.ibm.com
More informationA Twist on the Naor-Yung Paradigm and Its Application to Ecient CCA-Secure Encryption from Hard Search Problems
A Twist on the Naor-Yung Paradigm and Its Application to Ecient CCA-Secure Encryption from Hard Search Problems Ronald Cramer, Dennis Hofheinz, and Eike Kiltz Abstract. The Naor-Yung (NY) paradigm shows
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationNew Approach for Selectively Convertible Undeniable Signature Schemes
New Approach for Selectively Convertible Undeniable Signature Schemes Kaoru Kurosawa 1 and Tsuyoshi Takagi 2 1 Ibaraki University, Japan, kurosawa@mx.ibaraki.ac.jp 2 Future University-Hakodate, Japan,
More informationOptimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample
Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample Fuchun Guo 1, Rongmao Chen 2, Willy Susilo 1, Jianchang Lai 1, Guomin Yang 1, and Yi Mu 1 1 Institute
More informationAn Algebraic Framework for Diffie-Hellman Assumptions
An Algebraic Framework for Diffie-Hellman Assumptions Alex Escala 1, Gottfried Herold 2, Eike Kiltz 2, Carla Ràfols 2, and Jorge Villar 3 1 Universitat Autònoma de Barcelona, Spain 2 Horst-Görtz Institute
More informationEfficient Smooth Projective Hash Functions and Applications
Efficient Smooth Projective Hash Functions and Applications David Pointcheval Joint work with Olivier Blazy, Céline Chevalier and Damien Vergnaud Ecole Normale Supérieure Isaac Newton Institute for Mathematical
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationThe Cramer-Shoup Cryptosystem
The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive
More informationDisjunctions for Hash Proof Systems: New Constructions and Applications
Disjunctions for Hash Proof Systems: New Constructions and Applications Michel Abdalla, Fabrice Benhamouda, and David Pointcheval ENS, Paris, France Abstract. Hash Proof Systems were first introduced by
More informationA New Variant of the Cramer-Shoup KEM Secure against Chosen Ciphertext Attack
A New Variant of the Cramer-Shoup KEM Secure against Chosen Ciphertext Attack Joonsang Baek 1 Willy Susilo 2 Joseph K. Liu 1 Jianying Zhou 1 1 Institute for Infocomm Research, Singapore 2 University of
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 60 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4
More informationPassword-Authenticated Key Exchange David Pointcheval
Password-Authenticated Key Exchange Privacy and Contactless Services May 27th, 2015 AKE AKE: Authenticated Key Exchange allows two players to agree on a common key authentication of partners 2 Diffie-Hellman
More informationKey Encapsulation Mechanisms from Extractable Hash Proof Systems, Revisited
Key Encapsulation Mechanisms from Extractable Hash Proof Systems, Revisited Takahiro Matsuda and Goichiro Hanaoka Research Institute for Secure Systems, National Institute of Advanced Industrial Science
More informationWaters Signatures with Optimal Security Reduction
Waters Signatures with Optimal Security Reduction Dennis Hofheinz 1, Tibor Jager 1, and Edward Knapp 2 1 Institut für Kryptographie und Sicherheit, Karlsruhe Institute of Technology, Germany, {dennis.hofheinz,tibor.jager}@kit.edu.
More informationLossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems
Lossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems Brett Hemenway UCLA bretth@mathuclaedu Rafail Ostrovsky UCLA rafail@csuclaedu January 9, 2010 Abstract In STOC 08, Peikert and Waters
More informationEfficient Chosen-Ciphertext Security via Extractable Hash Proofs
Efficient Chosen-Ciphertext Security via Extractable Hash Proofs Hoeteck Wee Queens College, CUNY hoeteck@cs.qc.cuny.edu Abstract. We introduce the notion of an extractable hash proof system. Essentially,
More informationEfficient Password-based Authenticated Key Exchange without Public Information
An extended abstract of this paper appears in ESORICS 2007, J. Biskup and J. Lopez (Eds.), volume 4734 of LNCS, pp. 299-310, Sringer-Verlag, 2007. Efficient Password-based Authenticated Key Exchange without
More informationA New Paradigm of Hybrid Encryption Scheme
A New Paradigm of Hybrid Encryption Scheme Kaoru Kurosawa 1 and Yvo Desmedt 2 1 Ibaraki University, Japan kurosawa@cis.ibaraki.ac.jp 2 Dept. of Computer Science, University College London, UK, and Florida
More informationRound-Optimal Password-Based Authenticated Key Exchange
Round-Optimal Password-Based Authenticated Key Exchange Jonathan Katz 1 and Vinod Vaikuntanathan 2 1 University of Maryland, USA jkatz@cs.umd.edu 2 Microsoft Research vinodv@alum.mit.edu Abstract. We show
More informationForward Secure Non-Interactive Key Exchange
This Extended Abstract appears in Proceedings of the 9th International Conference on Security and Cryptography for Networks (SCN 14) 3 5 September 2014, Amalfi, Italy Michel Abdalla and Roberto de Prisco
More informationSecure Certificateless Public Key Encryption without Redundancy
Secure Certificateless Public Key Encryption without Redundancy Yinxia Sun and Futai Zhang School of Mathematics and Computer Science Nanjing Normal University, Nanjing 210097, P.R.China Abstract. Certificateless
More informationOn the Impossibility of Tight Cryptographic Reductions
On the Impossibility of Tight Cryptographic Reductions Christoph Bader, Tibor Jager, Yong Li, and Sven Schäge Horst Görtz Institute for IT Security, Ruhr-University Bochum Abstract. The existence of tight
More information2 Preliminaries 2.1 Notations Z q denotes the set of all congruence classes modulo q S denotes the cardinality of S if S is a set. If S is a set, x R
A Public Key Encryption In Standard Model Using Cramer-Shoup Paradigm Mahabir Prasad Jhanwar and Rana Barua mahabir r, rana@isical.ac.in Stat-Math Unit Indian Statistical Institute Kolkata, India Abstract.
More informationOn The Security of The ElGamal Encryption Scheme and Damgård s Variant
On The Security of The ElGamal Encryption Scheme and Damgård s Variant J. Wu and D.R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada {j32wu,dstinson}@uwaterloo.ca
More informationPAPER An Identification Scheme with Tight Reduction
IEICE TRANS. FUNDAMENTALS, VOL.Exx A, NO.xx XXXX 200x PAPER An Identification Scheme with Tight Reduction Seiko ARITA, Member and Natsumi KAWASHIMA, Nonmember SUMMARY There are three well-known identification
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More informationDual Projective Hashing and its Applications Lossy Trapdoor Functions and More
Dual Projective Hashing and its Applications Lossy Trapdoor Functions and More Hoeteck Wee George Washington University hoeteck@gwu.edu Abstract. We introduce the notion of dual projective hashing. This
More informationPractical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
More informationThe Twin Diffie-Hellman Problem and Applications
The Twin Diffie-Hellman Problem and Applications David Cash 1 Eike Kiltz 2 Victor Shoup 3 February 10, 2009 Abstract We propose a new computational problem called the twin Diffie-Hellman problem. This
More informationAlmost Optimal Oblivious Transfer from QA-NIZK
Almost Optimal Oblivious Transfer from QA-NIZK Olivier Blazy 1, Céline Chevalier 2, and Paul Germouty 1 1 Université de Limoges, XLim, France olivier.blazy@unilim.fr, paul.germouty@unilim.fr 2 CRED, Université
More informationTight Proofs for Signature Schemes without Random Oracles
Tight Proofs for Signature Schemes without Random Oracles Sven Schäge Horst Görtz Institute for IT-Security, Ruhr-University of Bochum, Germany sven.schaege@rub.de Abstract. We present the first tight
More informationTwo-Round PAKE from Approximate SPH and Instantiations from Lattices
Two-Round PAKE from Approximate SPH and Instantiations from Lattices Jiang Zhang 1 and Yu Yu 2,1,3 1 State Key Laboratory of Cryptology, P.O. Box 5159, Beijing 100878, China 2 Department of Computer Science
More informationTight Proofs for Signature Schemes without Random Oracles
Tight Proofs for Signature Schemes without Random Oracles Sven Schäge Horst Görtz Institute for IT-Security Ruhr-University of Bochum sven.schaege@rub.de Abstract. We present the first tight security proofs
More informationSharing a Secret in Plain Sight. Gregory Quenell
Sharing a Secret in Plain Sight Gregory Quenell 1 The Setting: Alice and Bob want to have a private conversation using email or texting. Alice Bob 2 The Setting: Alice and Bob want to have a private conversation
More informationRound-Optimal Password-Based Authenticated Key Exchange
Round-Optimal Password-Based Authenticated Key Exchange Jonathan Katz Vinod Vaikuntanathan Abstract We show a general framework for constructing password-based authenticated key-exchange protocols with
More informationFang Song. Joint work with Sean Hallgren and Adam Smith. Computer Science and Engineering Penn State University
Fang Song Joint work with Sean Hallgren and Adam Smith Computer Science and Engineering Penn State University Are classical cryptographic protocols secure against quantum attackers? 2 Are classical cryptographic
More informationOn the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups
On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups Goichiro Hanaoka, Takahiro Matsuda, Jacob C.N. Schuldt Research Institute for Secure Systems (RISEC)
More informationShort Unique Signatures from RSA with a Tight Security Reduction (in the Random Oracle Model)
Short Unique Signatures from RSA with a Tight Security Reduction (in the Random Oracle Model) Hovav Shacham UC San Diego and UT Austin Abstract. A signature scheme is unique if for every public key and
More informationNon-Interactive Zero-Knowledge Proofs of Non-Membership
Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building
More informationOn Homomorphic Encryption and Chosen-Ciphertext Security
On Homomorphic Encryption and Chosen-Ciphertext Security Brett Hemenway 1 and Rafail Ostrovsky 2 1 University of Michigan 2 UCLA Abstract. Chosen-Ciphertext (IND-CCA) security is generally considered the
More informationf (x) f (x) easy easy
A General Construction of IND-CCA2 Secure Public Key Encryption? Eike Kiltz 1 and John Malone-Lee 2 1 Lehrstuhl Mathematik & Informatik, Fakultat fur Mathematik, Ruhr-Universitat Bochum, Germany. URL:
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationLecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More informationRobust Password- Protected Secret Sharing
Robust Password- Protected Secret Sharing Michel Abdalla, Mario Cornejo, Anca Niţulescu, David Pointcheval École Normale Supérieure, CNRS and INRIA, Paris, France R E S E A R C H UNIVERSITY PPSS: Motivation
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More information3-Move Undeniable Signature Scheme
3-Move Undeniable Signature Scheme Kaoru Kurosawa 1 and Swee-Huay Heng 2 1 Ibaraki University, 4-12-1 Nakanarusawa, Hitachi, Ibaraki 316-8511, Japan kurosawa@cis.ibaraki.ac.jp 2 Multimedia University,
More informationThe Group of Signed Quadratic Residues and Applications
The Group of Signed Quadratic Residues and Applications Dennis Hofheinz and Eike Kiltz Abstract. We consider the cryptographic group of Signed Quadratic Residues. This group is particularly useful for
More informationNon-malleability under Selective Opening Attacks: Implication and Separation
Non-malleability under Selective Opening Attacks: Implication and Separation Zhengan Huang 1, Shengli Liu 1, Xianping Mao 1, and Kefei Chen 2,3 1. Department of Computer Science and Engineering, Shanghai
More informationSimple SK-ID-KEM 1. 1 Introduction
1 Simple SK-ID-KEM 1 Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, NW4 4BT, United Kingdom. m.z.cheng@mdx.ac.uk Abstract. In 2001, Boneh and Franklin presented
More information14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University
14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption Victor Shoup New York University A Historical Perspective The wild years (mid 70 s-mid 80 s): Diffie-Hellman, RSA, ElGamal The
More informationA Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
More informationThe Group Diffie-Hellman Problems
This extended abstract appears in: Workshop on Selected Areas in Cryptography 2002 (15 16 august 2002, St John s, Newfoundland, Canada H Heys and K Nyberg Eds Springer-Verlag, LNCS 2595, pages 325 338
More informationSimple Password-Based Encrypted Key Exchange Protocols
An extended abstract of this work appears in Topics in Cryptology CT-RSA 2005 (14 18 February 2005, San Francisco, CA) A. J. Menezes Ed., Springer-Verlag, LNCS 3376, pages 191 208 Simple Password-Based
More informationA New Randomness Extraction Paradigm for Hybrid Encryption
An extended abstract of this paper appears in Advances in Cryptology EUROCRYPT 09, Lecture Notes in Computer Science Vol.????, A. Joux ed., Springer-Verlag, 2009. This is the full version. A New Randomness
More informationAn Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle
An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel lindell@biu.ac.il September 6, 2015
More informationEfficient Chosen Ciphertext Secure Public Key Encryption under the Computational Diffie-Hellman Assumption
Efficient Chosen Ciphertext Secure Public Key Encryption under the Computational Diffie-Hellman Assumption Goichiro Hanaoka 1 and Kaoru Kurosawa 2 1 RCIS, AIST 2 Ibaraki University Abstract. Recently Cash,
More informationSecure and Practical Identity-Based Encryption
Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.
More informationTighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More informationShort and Stateless Signatures from the RSA Assumption
Short and Stateless Signatures from the RSA Assumption Susan Hohenberger 1, and Brent Waters 2, 1 Johns Hopkins University, susan@cs.jhu.edu 2 University of Texas at Austin, bwaters@cs.utexas.edu Abstract.
More informationLecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]
CMSC 858K Advanced Topics in Cryptography February 19, 2004 Lecturer: Jonathan Katz Lecture 8 Scribe(s): Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan 1 Introduction Last time we introduced
More informationParallel Decryption Queries in Bounded Chosen Ciphertext Attacks
Parallel Decryption Queries in Bounded Chosen Ciphertext Attacks Takahiro Matsuda and Kanta Matsuura The University of Tokyo, Japan {tmatsuda,kanta}@iis.u-tokyo.ac.jp Abstract. Whether it is possible to
More informationHardness of Distinguishing the MSB or LSB of Secret Keys in Diffie-Hellman Schemes
Hardness of Distinguishing the MSB or LSB of Secret Keys in Diffie-Hellman Schemes Pierre-Alain Fouque, David Pointcheval, Jacques Stern, and Sébastien Zimmer CNRS-École normale supérieure Paris, France
More informationOn Two Round Rerunnable MPC Protocols
On Two Round Rerunnable MPC Protocols Paul Laird Dublin Institute of Technology, Dublin, Ireland email: {paul.laird}@dit.ie Abstract. Two-rounds are minimal for all MPC protocols in the absence of a trusted
More informationSharing DSS by the Chinese Remainder Theorem
Sharing DSS by the Chinese Remainder Theorem Kamer Kaya,a, Ali Aydın Selçuk b a Ohio State University, Columbus, 43210, OH, USA b Bilkent University, Ankara, 06800, Turkey Abstract In this paper, we propose
More informationShort Signatures from Diffie-Hellman, Revisited: Sublinear Public Key, CMA Security, and Tighter Reduction
Short Signatures from Diffie-Hellman, Revisited: Sublinear Public Key, CMA Security, and Tighter Reduction Jae Hong Seo Myongji University jaehongseo@mju.ac.kr Abstract. Designing efficient signature scheme
More informationLecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko
CMSC 858K Advanced Topics in Cryptography February 26, 2004 Lecturer: Jonathan Katz Lecture 10 Scribe(s): Jeffrey Blank Chiu Yuen Koo Nikolai Yakovenko 1 Summary We had previously begun to analyze the
More informationLecture 7: Boneh-Boyen Proof & Waters IBE System
CS395T Advanced Cryptography 2/0/2009 Lecture 7: Boneh-Boyen Proof & Waters IBE System Instructor: Brent Waters Scribe: Ioannis Rouselakis Review Last lecture we discussed about the Boneh-Boyen IBE system,
More informationDual-System Simulation-Soundness with Applications to UC-PAKE and More
Dual-System Simulation-Soundness with Applications to UC-PAKE and More Charanjit S. Jutla IBM T. J. Watson Research Center Yorktown Heights, NY 10598, USA csjutla@us.ibm.com Arnab Roy Fujitsu Laboratories
More informationThe Gap-Problems: a New Class of Problems for the Security of Cryptographic Schemes
Proceedings of the 2001 International Workshop on Practice and Theory in Public Key Cryptography (PKC 2001) (13 15 february 2001, Cheju Islands, South Korea) K. Kim Ed. Springer-Verlag, LNCS 1992, pages
More informationChosen-Ciphertext Security from Subset Sum
Chosen-Ciphertext Security from Subset Sum Sebastian Faust 1, Daniel Masny 1, and Daniele Venturi 2 1 Horst-Görtz Institute for IT Security and Faculty of Mathematics, Ruhr-Universität Bochum, Bochum,
More informationNon-interactive Designated Verifier Proofs and Undeniable Signatures
Non-interactive Designated Verifier Proofs and Undeniable Signatures Caroline Kudla and Kenneth G. Paterson Information Security Group Royal Holloway, University of London, UK {c.j.kudla,kenny.paterson}@rhul.ac.uk
More informationOn the Selective-Opening Security of DHIES
On the Selective-Opening Security of DHIES and other practical encryption schemes UbiCrypt Research Retreat, Schloss Raesfeld: 29.& 30. Sep. 2014 Felix Heuer, Tibor Jager, Eike Kiltz, Sven Schäge Horst
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationStructure Preserving CCA Secure Encryption
Structure Preserving CCA Secure Encryption presented by ZHANG Tao 1 / 9 Introduction Veriable Encryption enable validity check of the encryption (Camenisch et al. @ CRYPTO'03): veriable encryption of discrete
More informationHow to Strengthen any Weakly Unforgeable Signature into a Strongly Unforgeable Signature
How to Strengthen any Weakly Unforgeable Signature into a Strongly Unforgeable Signature Ron Steinfeld 1, Josef Pieprzyk 1, and Huaxiong Wang 1,2 1 Centre for Advanced Computing Algorithms and Cryptography
More informationOn Tight Security Proofs for Schnorr Signatures
On Tight Security Proofs for Schnorr Signatures Nils Fleischhacker 1, Tibor Jager 2, and Dominique Schröder 3 1 Ruhr University Bochum 2 Paderborn University 3 Friedrich-Alexander-University Erlangen-Nürnberg
More informationCryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05
Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05 Fangguo Zhang 1 and Xiaofeng Chen 2 1 Department of Electronics and Communication Engineering, Sun Yat-sen
More informationShort Structure-Preserving Signatures
This is the full version of the extended abstract which appears in Proceedings of the Cryptographers Track at the RSA Conference (CT-RSA 2016). Short Structure-Preserving Signatures Essam Ghadafi University
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationEncryption Schemes Secure Against Chosen-Ciphertext Selective Opening Attacks
Encryption Schemes Secure Against Chosen-Ciphertext Selective Opening Attacks Serge Fehr 1 and Dennis Hofheinz 2 and Eike Kiltz 1 and Hoeteck Wee 3 1 CWI, Amsterdam 2 Karlsruhe Institute of Technology
More informationPublic Key Encryption Against Related Key Attacks
Public Key Encryption Against Related Key Attacks Hoeteck Wee George Washington University hoeteck@gwu.edu Abstract. In this work, we present efficient public-key encryption schemes resilient against linear
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationOn the Provable Security of the Dragonfly Protocol
On the Provable Security of the Dragonfly Protocol Jean Lancrenon and Marjan Škrobot Interdisciplinary Centre for Security, Reliability and Trust (SnT), University of Luxembourg {jean.lancrenon, marjan.skrobot}@uni.lu
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationZero-Knowledge Proofs with Witness Elimination
Zero-Knowledge Proofs with Witness Elimination Aggelos Kiayias and Hong-Sheng Zhou Computer Science and Engineering University of Connecticut Storrs, CT, USA {aggelos,hszhou}@cse.uconn.edu Abstract. Zero-knowledge
More informationEfficient Identity-Based Encryption Without Random Oracles
Efficient Identity-Based Encryption Without Random Oracles Brent Waters Abstract We present the first efficient Identity-Based Encryption (IBE) scheme that is fully secure without random oracles. We first
More informationTightly Secure CCA-Secure Encryption without Pairings
Tightly Secure CCA-Secure Encryption without Pairings Romain Gay 1,, Dennis Hofheinz 2,, Eike Kiltz 3,, and Hoeteck Wee 1, 1 ENS, Paris, France rgay,wee@di.ens.fr 2 Ruhr-Universität Bochum, Bochum, Germany
More informationA New RSA-Based Signature Scheme
1 / 13 A New RSA-Based Signature Scheme Sven Schäge, Jörg Schwenk Horst Görtz Institute for IT-Security Africacrypt 2010 2 / 13 RSA-Based Signature Schemes Naïve RSA signature scheme not secure under the
More informationVerifier-Based Password-Authenticated Key Exchange: New Models and Constructions
Verifier-Based Password-Authenticated Key Exchange: New Models and Constructions Fabrice Benhamouda and David Pointcheval ENS, Paris, France October 14, 2014 Abstract. While password-authenticated key
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationConstructions Secure against Receiver Selective Opening and Chosen Ciphertext Attacks
Constructions Secure against Receiver Selective Opening and Chosen Ciphertext Attacks Dingding Jia 1,2, Xianhui Lu 1,2, and Bao Li 1,2 1 State Key Laboratory of Information Security, Institute of Information
More informationMemory Lower Bounds of Reductions Revisited
Memory Lower Bounds of Reductions Revisited Yuyu Wang 1,2,3, Takahiro Matsuda 2, Goichiro Hanaoka 2, and Keisuke Tanaka 1 1 Tokyo Institute of Technology, Tokyo, Japan wang.y.ar@m.titech.ac.jp, keisuke@is.titech.ac.jp
More information