Strand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001
|
|
- Nancy Barker
- 5 years ago
- Views:
Transcription
1 Strand Spaces Proving Protocols Corr Jonathan Herzog 6 April 2001
2 Introduction 3Second part of talk given early last month Introduced class of cryptographic protocols Modeled at high level of abstraction Imposed strong assumptions Showed that flaws can exist independent of u cryptography Discussed one approach to analysis (model ch 3This talk: Strand Spaces Pencil & paper proof technique Joint work with Guttman, Thayer
3 Overview of talk 3Brief review of problem Running example: Otway-Rees protocols 3Strand Space formalization Standard assumptions Regular participants, penetrator (adversary) Model protocol executions Global view from local views Definitions and machinery Proofs of security conditions Discovery of previously unpublished flaw
4 Protocols 3Sequence of messages between small number (2 o cipals No conditionals (except to abort) 3Abstract cryptographic primitives (encryption, sign 3Achieve authentication and/or key transmission
5 Otway-Rees Protocol 1.A B: M A B { N a M A B } Kas 2.B S: M A B { N a M A B } Kas { N b M A B } Kbs 3.S B: { N a K ab } Kas { N b K ab } Kbs 4.B A: { N a K ab } Kas 3 M: Public, unique session ID 3 N a, N b : fresh nonces 3 K as, K bs : secret keys shared with distinguished se 3 K ab : fresh session key 3Designed to provide mutual authentication and s K ab Formalized later in terms of strands
6 Message Algebra 3Messages are elements of an algebra A 32 disjoint sets of atomic messages: Texts (T ) Keys (K) 3 2 operators: enc : K A A (Range: E) pair : A A A (Range: C) 3 Often distinguish T Names T, T Nonces T T Names T Nonces =
7 Message Algebra (continued) 3Message algebra is free Unique representation of terms Exactly one way to build elements from atom ations Formulas, rather than bit-strings 3 K, T, E, C mutually disjoint 3 For all M 1, M 2, M 3, M 4 A, k 1, k 2 K, T T M 1 M 2 M 3 M 4, unless M 1 = M 3, M 2 = M 4 { M 1 } k1 { M 2 } k2 unless M 1 = M 2, k 1 = k 2
8 Message Algebra Structure 3 3 There is structure in the message algebra to explo Define the subterm relation as the smallest rela that for all a, g and h: a a, a g a { g } k a g a g h a h g
9 Strands 3Two types of actions: transmissions and receptio Written M and M (sign omitted when irre Assumed to have unsecured sender, recipient Ignored in this framework 3 Trace: sequence of actions 3 Strand: trace unique identifier Particular execution of a trace Two different strands may have the same trac Represent two different executions Actions on strands called nodes A, B, C, D
10
11 Regular Participants 3 Regular participants: All non-adversary agents 3Protocol defines all possible regular traces 3Regular participants represented by strands conta sible traces 3Internal actions, knowledge not modeled
12 Regular Participants (continued) 3Strand patterns for regular participants (Otway-Re Initiator (A) Responder: (B) M A C { N a M A C } Kas { N a K ac } Kas M D B { g } k M D B { g } k { N b M D B } Kbs { h } k { N b K db } Kbs { h } k Server: (S) M A B { N a M A B } Kbs { N b M A B { N a K ab } Kas { N b K ab } Kbs
13
14 Regular Participants (continued) 3Strands refuse to receive any messages other expected ones Implicit abort/fail operation in such cases 3Regular strands completely defined by values No variables These are different strands: M A B { Na M A B } Kas, { N a K ab } K M A B { Na M A B } Kas, { N a K ab } K
15 Regular Participants (continued) 3Often convenient to define sets of strands with sim Init-Strands[A, B, M, N a, k ab ] = { s : s has trace M A B { Na M A B } Kas, { N a K (Empty if parameters of wrong types) 3Build larger sets from these: Init-Strands[, B, M,, k ab ] = A T Names, N a T Nonces Init-Strands[A, B, M, N a, k
16 Penetrator (Adversary) 3Represented in terms of atomic (abstract) actions More complex actions can be built from these 3Unbounded number of strands of the forms: [C]: g, h, gh [S]: gh, g, h [E]: g, k, { g } k [D]: { g } k, k 1, g 3 3 [M]: g, if g T P T [K]: k, if k K P K (Often assume limits on T P, K P ) Communication channels double as penetrator wo Model penetrator control over network later
17
18 Bundles 3Consider graphs where Nodes are actions on regular, penetrator stran Two types of edges: We write g g (transmission/receptio We write g h if (g, h) are consecutive s strand 3A bundle is such a graph C (finite) where If n is a node of C, then there exists a un n of C such that n n is an edge of C If n 1 is a node of C, and n 0 n 1, then n 0 is C and n 0 n 1 is an edge of C C is acyclic 3Models concepts of causality
19
20 Example Bundle A B S M A B M 1 M A B M 1 M A B M 1 M 2 M A B M 1 M M 3 M 4 M 3 M 4 M 4 M 4
21 Example Bundle M M M A B K K A B { M } K B M A B M A B { M } K M M A B { M } K N (Where N = { N b M A B } Kbs )
22 Bundle Properties 3Bundles are partial orders Any non-empty set has minimal elements 3Important Definition 1: A value v originates on a node n if n is a positive node (transmission) v n, If n... n, then v n Origination points are where values spontane pear Minimal elements of {n v n} are origination We model the freshness of a value by saying t a unique origination point in the bundle
23
24 Bundle Properties (continued) 3Important Definition 2: A set H A is honest, with respect to a set trator strands, if For all bundles C, minimal elements of {n nodes(c) term(n) H} are not on penetrator nodes. Important tool for proving security conditions Example of honest set will come later
25 Secrecy Conditions 3Intuitively, a value v is secret if no penetrator can v from the messages of regular participants 3A value v is secret, with respect to a set of assum if no bundle that satisfies A contains a node of the 3One proof technique: Show that v is in an honest set H Fix an arbitrary bundle that satisfies A. Through case analysis, show that H has no m ements on regular strands Because H is honest, no minimal elements on p strands Hence, no nodes in bundle in H
26 Authentication Conditions 3Example: If a bundle contains all of a given initiat then it must also contain a given responder strand 3Formalized as inference: If a bundle contains a str α, then the bundle also contains a strand from a s β 3One proof technique: Suppose the bundle contains a strand s α Find a honest set H s so that s contains a nod Since the bundle has a node in H s, it must ha imal element Minimal elements must be on regular strands Show that those strands must be in β
27 Ideals Honest sets only useful if they exist Let k K. Then a k-ideal I is a set such that g I g h I, h g I g I, k k { g } k I Let S be a set of messages. Then I k [S] is the smallest k-ideal that contain 3Big theorem: If S T K, S (T P K P ) =, k = (K \ S) 1, and Then I k [S] is honest
28 Ideals Intuition 3 Typically, S is a set of secrets Since k = (K \ S) 1, k contains (inverse of) e key 3 I k [S] contains every term in which a secret is encry with non-secret keys 3Theorem: penetrator can only produce one of thes ing one first
29 Otway-Rees Secrecy 3 Wish to show secrecy of K ab: Suppose K ab is uniquely originating Suppose K as, K bs K P Suppose the bundle C contains a strand in Serv-Strands[A, B, M, N a, N b, K ab ] Let S = {K as, K bs, K ab }, k = K \ S Then no node in C is in I k [S] 3 Proof: S, k meet criteria of big theorem Case analysis: no regular node are minimal el I k [S] Hence, no nodes in bundle in I k [S]
30 Corollary to Big Theorem 3 Suppose S T K, (K \ S) 1 = k, and S (T P K P ) No regular node is a minimal element of I k [S Then any message of the form { g } k for k S m originated on a regular node.
31 Otway-Rees Authentication 3Suppose C contains a strand in Init-Strands[A, B, M 3 If: A B, N a is uniquely originating, All keys that originate on server strands uniqu nate on server strands K as, K bs K P, 3 Then for some N b, C contains strands in Serv-Strands[A, B, M, N a, N b, K ab ], and Resp-Strands[A, B, M, N b, ]
32 Otway-Rees Authentication: Proof 3Proof: Messy 3 Let S = {K as}, k = K \ S. 3 Show no regular nodes are minimal elements I k [S 3 Apply Corollary: Any term of the form { g } K as orig regular node 3 Hence, { N a K ab } Kas originates on regular node Case analysis: strand in Serv-Strands[A, B, M, N a, N b, K ab ] (for some 3 Apply previous result: No minimal elements of I k [ S = {K as, K bs, K ab }, k = K \ S 3 Hence { M N b A B } Kbs originates on regular strand Case analysis: Resp-Strands[A, B, M, N b, ]
33 Otway-Rees Authentication (continued) 3Similar result for Responder: suppose C contains a strand in 3 3 Resp-Strands[A, B, M, N a, K ab ] A B, N b is uniquely originating, All keys that originate on server strands uniqu nate on server strands K as, K bs K P, Then C contains strands in Serv-Strands[A, B, M, and Init-Strands[A, B, M,, ] Note: Cannot show that initiator, responder agree key
34 Closing Remarks 3Further developments: Protocol composition Automated protocol analysis Athena (Song) Simpler results Authentication tests 3Open questions Non-free algebras (Xor, Diffie Hellman) Reconciliation with computational viewpoint
35 What Good are Proofs? 3Strands: proof technique Uses (standard) strong assumptions Proves (at present) protocol-specific statemen 3Proof fails: Find cryptography-independent flaw 3Proof works: What have you shown? Strong motivation for justifying assumptions Goal for further work on cryptographic primiti
36 Formalization of Security Conditions 3In practice, two types of security conditions to pro Secrecy of values (keys, nonces) Authentication 3State of the art: Competing models, formalizations, intuitions Most methods prove protocol-specific condi pressed in model Why? Still debate over right definitions Protocols seem to satisfy points on cont conditions 3No reason Strand Space reasoning would be inva universal definitions
37 Origination Vs. Minimality g g h h g h g h g g h h g h a a b b a b a b a
38 Subterm relation 3 Note that k { g } k k g Intuition: a b means that a can be learned To say that k { g } k (unless k g) prohibits attacks Other definitions of subterm possible Lead to similar results
39 Ideals (continued) 3Proof of big theorem case analysis 3 Example: [D] strand ( { g } k, k 1, g ) If g is a minimal element, then k 1 I k [S k 1 S Since (K \ S) 1 = k, k 1 k 1. Hence, k But since g I k [S], { g } k I k [S]
40 Ideals (continued) 3More complex example: [E] strand ( g, k, { g Suppose { g } k I k [S], but g I k [S] Let I = I k [S] \ {{ g } k }. I still contains S S T K I still closed under join operator I still closed under encryption with keys in k If not, because g Ik [S] and k k Hence, I a smaller k-ideal containing S, a con
Authentication Tests and the Structure of Bundles
Authentication Tests and the Structure of Bundles Joshua D. Guttman F. Javier Thayer September 2000 Today s Lecture Authentication Tests: How to find out what a protocol achieves How to prove it achieves
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationCPSA and Formal Security Goals
CPSA and Formal Security Goals John D. Ramsdell The MITRE Corporation CPSA Version 2.5.1 July 8, 2015 Contents 1 Introduction 3 2 Syntax 6 3 Semantics 8 4 Examples 10 4.1 Needham-Schroeder Responder.................
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationNotes on BAN Logic CSG 399. March 7, 2006
Notes on BAN Logic CSG 399 March 7, 2006 The wide-mouthed frog protocol, in a slightly different form, with only the first two messages, and time stamps: A S : A, {T a, B, K ab } Kas S B : {T s, A, K ab
More informationThe Faithfulness of Abstract Protocol Analysis: Message Authentication
The Faithfulness of Abstract Protocol Analysis: Message Authentication Joshua D. Guttman F. Javier Thayer Lenore D. Zuck December 18, 2002 Abstract Dolev and Yao initiated an approach to studying cryptographic
More informationTHE SHAPES OF BUNDLES
THE SHAPES OF BUNDLES SHADDIN F. DOGHMI, JOSHUA D. GUTTMAN, AND F. JAVIER THAYER Contents 1. Introduction 2 2. Background 2 2.1. Protocols 2 2.2. An Example: The Yahalom Protocol 3 2.3. Occurrences and
More informationProving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory
Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a Model Be? too detailed too simple concrete abstract not usable not credible ``proves'' everything ``attacks''
More informationThe Sizes of Skeletons: Security Goals are Decidable
The Sizes of Skeletons: Security Goals are Decidable Joshua D. Guttman and F. Javier Thayer The MITRE Corporation guttman, jt@mitre.org Abstract. We show how to collapse executions of a cryptographic protocol,
More informationTerm Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool
Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool Santiago Escobar Departamento de Sistemas Informáticos y Computación Universitat Politècnica de València sescobar@dsic.upv.es
More informationProtocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete
Protocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete Michaël Rusinowitch and Mathieu Turuani LORIA-INRIA- Université Henri Poincaré, 54506 Vandoeuvre-les-Nancy cedex, France
More informationProving Properties of Security Protocols by Induction
Proving Security Protocols 1 L. C. Paulson Proving Properties of Security Protocols by Induction Lawrence C. Paulson Computer Laboratory University of Cambridge Proving Security Protocols 2 L. C. Paulson
More informationTHE SHAPES OF BUNDLES
THE SHAPES OF BUNDLES SHADDIN F. DOGHMI, JOSHUA D. GUTTMAN, AND F. JAVIER THAYER Contents 1. Introduction 2 2. Background 2 2.1. Protocols 2 2.2. An Example: The Yahalom Protocol 3 2.3. Occurrences and
More informationSymbolic Protocol Analysis with Products and Diffie-Hellman Exponentiation
Symbolic Protocol Analysis with Products and Diffie-Hellman Exponentiation Jonathan Millen and Vitaly Shmatikov Computer Science Laboratory SRI International millenshmat @cslsricom Abstract We demonstrate
More informationVerification of the TLS Handshake protocol
Verification of the TLS Handshake protocol Carst Tankink (0569954), Pim Vullers (0575766) 20th May 2008 1 Introduction In this text, we will analyse the Transport Layer Security (TLS) handshake protocol.
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationOn the Automatic Analysis of Recursive Security Protocols with XOR
On the Automatic Analysis of Recursive Security Protocols with XOR Ralf Küsters 1 and Tomasz Truderung 2 1 ETH Zurich ralf.kuesters@inf.ethz.ch 2 University of Kiel, Wrocław University tomasz.truderung@ii.uni.wroc.pl
More informationComplexity of Checking Freshness of Cryptographic Protocols
Complexity of Checking Freshness of Cryptographic Protocols Zhiyao Liang Rakesh M Verma Computer Science Department, University of Houston, Houston TX 77204-3010, USA Email: zliang@cs.uh.edu, rmverma@cs.uh.edu
More informationModels and analysis of security protocols 1st Semester Security Protocols Lecture 6
Models and analysis of security protocols 1st Semester 2010-2011 Security Protocols Lecture 6 Pascal Lafourcade Université Joseph Fourier, Verimag Master: October 18th 2010 1 / 46 Last Time (I) Symmetric
More informationLecture Notes on Secret Sharing
COMS W4261: Introduction to Cryptography. Instructor: Prof. Tal Malkin Lecture Notes on Secret Sharing Abstract These are lecture notes from the first two lectures in Fall 2016, focusing on technical material
More informationEncoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania
Encoding security protocols in the cryptographic λ-calculus Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania An obvious fact Security is important Cryptography is a major way to
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationAutomata-based analysis of recursive cryptographic protocols
1 Automata-based analysis of recursive cryptographic protocols Thomas Wilke Joint work with Ralf Küsters Christian-Albrechts-Universität zu Kiel June 13, 2004 Un-/Decidability of security in the DY model
More informationCS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing
Lecture 11: Key Management, Secret Sharing Céline Blondeau Email: celine.blondeau@aalto.fi Department of Computer Science Aalto University, School of Science Key Management Secret Sharing Shamir s Threshold
More informationAnalysing Layered Security Protocols
Analysing Layered Security Protocols Thomas Gibson-Robinson St Catherine s College University of Oxford A thesis submitted for the degree of Doctor of Philosophy Trinity 2013 Abstract Many security protocols
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Finite Fields The finite field GF(q) exists iff q = p e for some prime p. Example: GF(9) GF(9) = {a + bi a, b Z 3, i 2 = i + 1} = {0, 1, 2, i, 1+i, 2+i, 2i, 1+2i, 2+2i} Addition:
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationAutomatic, computational proof of EKE using CryptoVerif
Automatic, computational proof of EKE using CryptoVerif (Work in progress) Bruno Blanchet blanchet@di.ens.fr Joint work with David Pointcheval CNRS, École Normale Supérieure, INRIA, Paris April 2010 Bruno
More information6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti
6.897: Advanced Topics in Cryptography Lecturer: Ran Canetti Focus for first half (until Spring Break): Foundations of cryptographic protocols Goal: Provide some theoretical foundations of secure cryptographic
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationA progress report on using Maude to verify protocol properties using the strand space model
A progress report on using Maude to verify protocol properties using the strand space model Presented by Robert P. Graham, MAJ, USAF/AFIT Stephen W. Mancini, 1Lt, USAF/AFIT Presentation date: 01 Oct 03
More informationCryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols
CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, École Normale Supérieure, INRIA, Paris March 2009 Bruno Blanchet (CNRS, ENS, INRIA) CryptoVerif March
More informationA Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols
ASIAN 07 A Formal Analysis for Capturing Replay Attacks in Cryptographic s Han Gao 1, Chiara Bodei 2, Pierpaolo Degano 2, Hanne Riis Nielson 1 Informatics and Mathematics Modelling, Technical University
More informationNSL Verification and Attacks Agents Playing Both Roles
NSL Verification and Attacks Agents Playing Both Roles Pedro Adão Gergei Bana Abstract Background: [2] and eprint version: [1] 1 The Axioms Equality is a Congruence. The first axiom says that the equality
More informationGroup Diffie Hellman Protocols and ProVerif
Group Diffie Hellman Protocols and ProVerif CS 395T - Design and Analysis of Security Protocols Ankur Gupta Secure Multicast Communication Examples: Live broadcast of a match, stock quotes, video conferencing.
More informationRound-Efficient Multi-party Computation with a Dishonest Majority
Round-Efficient Multi-party Computation with a Dishonest Majority Jonathan Katz, U. Maryland Rafail Ostrovsky, Telcordia Adam Smith, MIT Longer version on http://theory.lcs.mit.edu/~asmith 1 Multi-party
More informationState and Protocols: The Envelope Example
State and Protocols: The Envelope Example rigorous design for protocols using state Daniel J. Dougherty and Joshua D. Guttman Worcester Polytechnic Institute Thanks to: National Science Foundation (Grant
More informationVerification of Security Protocols in presence of Equational Theories with Homomorphism
Verification of Security Protocols in presence of Equational Theories with Homomorphism Stéphanie Delaune France Télécom, division R&D, LSV CNRS & ENS Cachan February, 13, 2006 Stéphanie Delaune (FT R&D,
More informationPERFECTLY secure key agreement has been studied recently
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 45, NO. 2, MARCH 1999 499 Unconditionally Secure Key Agreement the Intrinsic Conditional Information Ueli M. Maurer, Senior Member, IEEE, Stefan Wolf Abstract
More informationAn Efficient Cryptographic Protocol Verifier Based on Prolog Rules
An Efficient Cryptographic Protocol Verifier Based on Prolog Rules Bruno Blanchet INRIA Rocquencourt Domaine de Voluceau B.P. 105 78153 Le Chesnay Cedex, France Bruno.Blanchet@inria.fr Abstract We present
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationCHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL
INSTITUT FÜR INFORMATIK UND PRAKTISCHE MATHEMATIK A Constraint-Based Algorithm for Contract-Signing Protocols Detlef Kähler, Ralf Küsters Bericht Nr. 0503 April 2005 CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL
More informationCryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1
Cryptography CS 555 Topic 25: Quantum Crpytography CS555 Topic 25 1 Outline and Readings Outline: What is Identity Based Encryption Quantum cryptography Readings: CS555 Topic 25 2 Identity Based Encryption
More informationAPPLICATIONS OF BAN-LOGIC JAN WESSELS CMG FINANCE B.V.
APPLITIONS OF AN-LOGIC JAN WESSELS CMG FINANCE.V. APRIL 19, 2001 Chapter 1 Introduction This document is meant to give an overview of the AN-logic. The AN-logic is one of the methods for the analysis of
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More informationA Relay-assisted Handover Pre-authentication Protocol in the LTE Advanced Network
ICNS 2012 : he Eighth International Conference on Networing and Services A Re-assisted Handover Pre-authentication Protocol in the LE Advanced Networ Ling ie he Department of Information Science and echnique
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 10 Lecture date: 14 and 16 of March, 2005 Scribe: Ruzan Shahinian, Tim Hu 1 Oblivious Transfer 1.1 Rabin Oblivious Transfer
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationSymbolic Protocol Analysis for Diffie-Hellman
Symbolic Protocol Analysis for Diffie-Hellman Daniel J. Dougherty Joshua D. Guttman Worcester Polytechnic Institute {dd,guttman}@wpi.edu Abstract. We extend symbolic protocol analysis to apply to protocols
More informationPeculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology
1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 2 / 19 Talk Agenda Encryption schemes
More informationStrand Spaces: Why is a Security Protocol Correct?
Strand Spaces: Why is a Security Protocol Correct? F. Javier Thayer Fábrega Jonathan C. Herzog Joshua D. Guttman The MITRE Corporation fjt, jherzog, guttmang@mitre.org Abstract A strand is a sequence of
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationOn Achieving the Best of Both Worlds in Secure Multiparty Computation
On Achieving the Best of Both Worlds in Secure Multiparty Computation Yuval Ishai Jonathan Katz Eyal Kushilevitz Yehuda Lindell Erez Petrank Abstract Two settings are traditionally considered for secure
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationLecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics
0368.4162: Introduction to Cryptography Ran Canetti Lecture 11 12th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics Introduction to cryptographic protocols Commitments 1 Cryptographic
More informationLecture 8: The Dummy Adversary
6.897: Selected Topics in Cryptography 27 February 2004 Lecture 8: The Dummy dversary Instructor: Ran Canetti Scribed by: Jonathan Herzog 1 Previous Lecture Motivation for the Universally Composable (UC)
More informationEvent structure semantics for security protocols
Event structure semantics for security protocols Jonathan Hayman and Glynn Winskel Computer Laboratory, University of Cambridge, United Kingdom Abstract. We study the use of event structures, a well-known
More informationA Logic of Authentication
A Logic of Authentication by Burrows, Abadi, and Needham Presented by Adam Schuchart, Kathryn Watkins, Michael Brotzman, Steve Bono, and Sam Small Agenda The problem Some formalism The goals of authentication,
More informationAuthentication Tests and Disjoint Encryption: a Design Method for Security Protocols
Authentication Tests and Disjoint Encryption: a Design Method for Security Protocols Joshua D. Guttman The MITRE Corporation guttman@mitre.org 20 August 2003 Abstract We describe a protocol design process,
More informationSkeletons and the Shapes of Bundles
Skeletons and the Shapes of Bundles Shaddin F. Doghmi, Joshua D. Guttman, and F. Javier Thayer The MITRE Corporation Abstract. The shapes of a protocol are its minimal, essentially different executions.
More information14 Diffie-Hellman Key Agreement
14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n
More informationFundamentals of Modern Cryptography
Fundamentals of Modern Cryptography BRUCE MOMJIAN This presentation explains the fundamentals of modern cryptographic methods. Creative Commons Attribution License http://momjian.us/presentations Last
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationarxiv: v1 [cs.cr] 27 May 2016
Towards the Automated Verification of Cyber-Physical Security Protocols: Bounding the Number of Timed Intruders Vivek Nigam 1, Carolyn Talcott 2 and Abraão Aires Urquiza 1 arxiv:1605.08563v1 [cs.cr] 27
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationPractice Assignment 2 Discussion 24/02/ /02/2018
German University in Cairo Faculty of MET (CSEN 1001 Computer and Network Security Course) Dr. Amr El Mougy 1 RSA 1.1 RSA Encryption Practice Assignment 2 Discussion 24/02/2018-29/02/2018 Perform encryption
More informationCredential Authenticated Identification and Key Exchange
Credential Authenticated Identification and Key Exchange Jan Camenisch Nathalie Casati Thomas Gross Victor Shoup May 25, 2010 Abstract Secure two-party authentication and key exchange are fundamental problems.
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ PPL 01 March 21 st, 2001 Outline I. Security Protocols II. MSR by Examples
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018
Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationIntroduction to Modern Cryptography Lecture 11
Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationTime-Bounding Needham-Schroeder Public Key Exchange Protocol
Time-Bounding Needham-Schroeder Public Key Exchange Protocol Max Kanovich, Queen Mary, University of London, UK University College London, UCL-CS, UK Tajana Ban Kirigin, University of Rijeka, HR Vivek
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ IITD, CSE Dept. Delhi, India April 24 th,2002 Outline Security Protocols
More informationMultiparty Computation
Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:
More informationCredential Authenticated Identification and Key Exchange
Credential Authenticated Identification and Key Exchange Jan Camenisch Nathalie Casati Thomas Gross Victor Shoup February 2, 2010 Abstract Secure two-party authentication and key exchange are fundamental
More informationOn Expected Constant-Round Protocols for Byzantine Agreement
On Expected Constant-Round Protocols for Byzantine Agreement Jonathan Katz Chiu-Yuen Koo Abstract In a seminal paper, Feldman and Micali show an n-party Byzantine agreement protocol in the plain model
More informationElliptic Curves. Giulia Mauri. Politecnico di Milano website:
Elliptic Curves Giulia Mauri Politecnico di Milano email: giulia.mauri@polimi.it website: http://home.deib.polimi.it/gmauri May 13, 2015 Giulia Mauri (DEIB) Exercises May 13, 2015 1 / 34 Overview 1 Elliptic
More informationChapter 2 : Perfectly-Secret Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 2 : Perfectly-Secret Encryption 1 2.1 Definitions and Basic Properties We refer to probability
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationPERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY
PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY BURTON ROSENBERG UNIVERSITY OF MIAMI Contents 1. Perfect Secrecy 1 1.1. A Perfectly Secret Cipher 2 1.2. Odds Ratio and Bias 3 1.3. Conditions for Perfect
More informationBAN Logic A Logic of Authentication
BAN Logic A Logic of Authentication Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 BAN Logic The BAN logic was named after its inventors, Mike Burrows, Martín Abadí,
More informationTyped MSR: Syntax and Examples
Typed MSR: Syntax and Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ MMM 01 St. Petersburg, Russia May 22 nd, 2001 Outline
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know
More informationOn the Cryptographic Complexity of the Worst Functions
On the Cryptographic Complexity of the Worst Functions Amos Beimel 1, Yuval Ishai 2, Ranjit Kumaresan 2, and Eyal Kushilevitz 2 1 Dept. of Computer Science, Ben Gurion University of the Negev, Be er Sheva,
More informationSecure Multiparty Computation with General Interaction Patterns
Extended abstract of this work published in ITCS 2016 Secure Multiparty Computation with General Interaction Patterns Shai Halevi Yuval Ishai Abhishek Jain Eyal Kushilevitz Tal Rabin Abstract We present
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationModeling and Verifying Ad Hoc Routing Protocols
Modeling and Verifying Ad Hoc Routing Protocols Mathilde Arnaud, Véronique Cortier and Stéphanie Delaune LORIA, CNRS & INRIA Nancy Grand Est, France Email: cortier@loria.fr LSV, ENS Cachan & CNRS & INRIA
More informationAbstract Specification of Crypto- Protocols and their Attack Models in MSR
Abstract Specification of Crypto- Protocols and their Attack Models in MSR Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ Software
More information