Minimal Design for Decentralized Wallet. Omer Shlomovits
|
|
- Madeleine Armstrong
- 5 years ago
- Views:
Transcription
1 Minimal Design for Decentralized Wallet Omer Shlomovits 1
2 !2 Motivation Imagine we had a private key management system where: No single point of failure Move of assets (signing) cannot happen without Owner approval Recovery is possible at all times
3 !3 Our Heroes Rick Morty
4 !4 The Journey Verifiable Social Recovery Mixed Model KMS TMOVE
5 !5 Key Management System Three main functionalities in the context of blockchains: Key generation and custody Signatures Key backup and recovery
6 !6 Problem: Key Management is hard Side channel attacks Social engineering attacks Human errors etc
7 !7 Trusted Party to the rescue?
8 !8 Trusted Party to the rescue?
9 !9 Trusted Party to the rescue? How can we optimize on keys security without compromising on keys usability?
10 !10 From single to distributed keys Enter threshold cryptography
11 !11 From single to distributed keys Enter threshold cryptography Given n parties, we divide the key management responsibilities Distributed key generation Signing requires cooperation of t out of n
12 !12 From single to distributed keys Enter threshold cryptography Given n parties, we divide the key management responsibilities Distributed key generation Signing requires cooperation of t out of n Efficient protocols exists Threshold ECDSA [GG18, DKLS18, LNR18]
13 !13 Sounds a lot like Multisig to me
14 !14 Multisig vs Threshold Signing Max number of parties Interactiveness Rotation Access policy privacy Chain support Low cost Efficiency (communication/ computation)
15 !15 Multisig vs Threshold Signing Max number of parties Interactiveness Rotation Access policy privacy Chain support Low cost Efficiency (communication/ computation)
16 !16 Mixed Model Roles Owner x 1 Service Providers
17 !17 Mixed Model {t=n=2} Roles Owner x 1 Service Providers x 1
18 !18 Mixed Model {t=n=2} Roles Owner x 1 Service Providers x 1 System Requirements No single point of failure Move of assets (signing) cannot happen without Owner approval Recovery is possible at all times?
19 !19 Choosing Parameters {t,n} Depends on the adversary model and specific use case different access structures can be considered Axiom: assuming SP is motivated solely by Economical Gain, We cannot avoid the Recovery problem Fact: two-party protocols are simpler than multi-party protocols
20 !20 Recovery in Mixed Model {t=n=2}
21 !21 Recovery in Mixed Model {t=n=2} Recovery in the two party setting can mean: Self recovery: Owner s secret share Counter party recovery: SP secret share sk = f(, ) SP Owner
22 !22 Recovery in Mixed Model {t=n=2} Owner self-recovery reduces to classical backup Cloud/ Paper/etc Owner
23 !23 Recovery in Mixed Model{t=n=2} Owner self-recovery reduces to classical backup Assuming Authentication: Cloud SP Owner
24 !24 Recovery in Mixed Model{t=n=2} Recovery in the two party setting can mean: Self recovery: Owner s secret share Counter party recovery: SP secret share How can the Owner recover if SP goes offline / hacked / becomes malicious? sk = f(, ) SP Owner
25 !25 Recovery of Counter Party Secret How can we recover Counter secret share if SP goes offline / hacked / becomes malicious? Under certain assumptions this can be done easily Escrow service that is triggered to release SP secret share once SP is not sending a life signal for a certain period of time Escrow sk = f(, ) SP Owner
26 Recovery of Counter Party Secret General idea: If enough Owners collaborate, they each get to recover their Counter party secret share at the same time SP!26 Owner_1 Owner_2 Owner_n
27 Recovery of Counter Party Secret General idea: If enough Owners collaborate, they each get to recover their Counter party secret share at the same time TMOVE!27 Owner_1 Owner_2 Owner_n
28 Recovery of Counter Party Secret General idea: If enough Owners collaborate, they each get to recover their Counter party secret share at the same time!28 Owner_1 Owner_2 Owner_n
29 !29 Background: PVSS Publicly Verifiable Secret Sharing
30 !30 Background: PVSS Publicly Verifiable Secret Sharing Dealer Distribution s ss 1 ss 2 ss n 1 ss n pk n 1 pk n pk 2 pk 1
31 !31 Background: PVSS Publicly Verifiable Secret Sharing Dealer Public proofs : A dealer cannot send incorrect shares s ss 1 ss 2 pk 2 pk n 1 pk n ss n 1 ss n {π di } n 1 pk 1
32 !32 Background: PVSS Publicly Verifiable Secret Sharing Dealer Reconstruction: t out of n s pk t ss t pk t 1 ss t 1 pk 2 ss 2 s ss 1 pk 1
33 !33 Background: PVSS Publicly Verifiable Secret Sharing Dealer Public proofs :Participants cannot submit incorrect shares s {π di } n 1 {π ri } t 1 pk t ss n pk t 1 ss n 1 Pk 2 ss 2 s ss 1 pk 1
34 !34 Background: DLog VE[CS03] Verifiable Encryption of Discrete Log
35 !35 Background: DLog VE[CS03] Verifiable Encryption of Discrete Log {Gen, Enc, Dec} {x, ω} R dlog [x = g ω ] {sk m, pk m } Gen(1 n )
36 !36 Background: DLog VE[CS03] Verifiable Encryption of Discrete Log {Gen, Enc, Dec} {x, ω} R dlog c, π Enc (ω, pk m ) {sk m, pk m } Gen(1 n )
37 !37 Background: DLog VE[CS03] Verifiable Encryption of Discrete Log {Gen, Enc, Dec} {x, ω} R dlog c, π Enc (ω, pk m ) {sk m, pk m } Gen(1 n ) 1/0 V(c, π, x, pk m )
38 !38 Background: DLog VE[CS03] Verifiable Encryption of Discrete Log {Gen, Enc, Dec} {x, ω} R dlog c, π Enc (ω, pk m ) {sk m, pk m } Gen(1 n ) 1/0 V(c, π, x, pk m ) ω Dec (c, sk m )
39 !39 TVE Threshold Verifiable Encryption
40 !40 TVE Threshold Verifiable Encryption {Gen, Enc, Dec} {x, ω} R dlog [x = g ω ] pk 1 pk 2 pk n {sk m, pk m } Gen(1 n )
41 !41 TVE Threshold Verifiable Encryption {Gen, Enc, Dec} {x, ω} R dlog c, π Enc (ω, {pk i } n 1, pk m ) 1/0 V(c, π, x, pk m ) pk 1 pk 2 pk n {sk m, pk m } Gen(1 n )
42 !42 TVE Threshold Verifiable Encryption {Gen, Enc, Dec} {x, ω} R dlog c, π Enc (ω, {pk i } n 1, pk m ) 1/0 V(c, π, x, pk m ) {π di } n 1 pk 1 PVSS::distribute pk 2 pk n {sk m, pk m } Gen(1 n )
43 !43 TVE Threshold Verifiable Encryption {Gen, Enc, Dec} {x, ω} R dlog c, π Enc (ω, {pk i } n 1, pk m ) 1/0 V(c, π, x, pk m ) pk 1 {π di } n 1 {π ri } t 1 PVSS::reconstruct pk 2 pk n {sk m, pk m } Gen(1 n )
44 !44 TVE Threshold Verifiable Encryption {Gen, Enc, Dec} {x, ω} R dlog c, π Enc (ω, {pk i } n 1, pk m ) 1/0 V(c, π, x, pk m ) pk 1 {π di } n 1 {π ri } t 1 pk 2 pk n ω Dec (c, sk m, {ss i } t 1 ) {sk m, pk m } Gen(1 n )
45 !45 TMOVE Threshold Multiple Output Verifiable Encryption
46 !46 TMOVE Threshold Multiple Output Verifiable Encryption {Gen, Enc, Dec} {x, ω} R dlog pk 1 pk 2 pk n
47 !47 TMOVE Threshold Multiple Output Verifiable Encryption {Gen, Enc, Dec} {x, ω} R dlog {c i } n 1, π Enc ({ω i } n 1, {pk i }n 1 ) 1/0 V({c i } n 1, π, x, {pk i }n 1 ) pk 1 pk 2 pk n
48 !48 TMOVE Threshold Multiple Output Verifiable Encryption {Gen, Enc, Dec} {x, ω} R dlog {c i } n 1, π Enc ({ω i } n 1, {pk i }n 1 ) 1/0 V({c i } n 1, π, x, {pk i }n 1 ) PVSS::distribute pk 1 pk 2 pk n {{π dij } n i=1 }m j=1
49 !49 TMOVE Threshold Multiple Output Verifiable Encryption {Gen, Enc, Dec} {x, ω} R dlog {c i } n 1, π Enc ({ω i } n 1, {pk i }n 1 ) 1/0 V({c i } n 1, π, x, {pk i }n 1 ) PVSS::reconstruct pk 1 pk 2 pk n {{π dij } n i=1 }m j=1 {{π rij } t j i=1 }m j=1
50 !50 TMOVE Threshold Multiple Output Verifiable Encryption {Gen, Enc, Dec} {x, ω} R dlog {c i } n 1, π Enc ({ω i } n 1, {pk i }n 1 ) 1/0 V({c i } n 1, π, x, {pk i }n 1 ) pk 1 pk 2 {{π dij } n i=1 }m j=1 {{π rij } t j i=1 }m j=1 pk n ω k Dec (c k, sk k, {{ss i } t j i=1 }m j=1 )
51 !51 TMOVE Properties TVE per party Gradual release (up to one segment) ω 1 ω 2 ω k ω n 1 ω n
52 !52 TMOVE Properties TVE per party Gradual release (up to one segment) ω 1 ω 2 ω k ω n 1 ω n
53 !53 TMOVE Properties TVE per party Gradual release (up to one segment) ω 1 ω 2 ω k ω n 1 ω n
54 !54 TMOVE Properties TVE per party Gradual release (up to one segment) ω 1 ω 2 ω k ω n 1 ω n
55 !55 TMOVE Properties TVE per party Gradual release (up to one segment) ω 1 ω 2 ω k ω n 1 ω n
56 !56 TMOVE Instantiation Additive Homomorphic Encryption scheme: ElGamal in the exponent (homomorphic ElGamal) : Enc Y (ω) = {C 1, C 2 } = { ωg + ry, rg} Additively-Homomorphism: + = (B 1, B 2 ) = {ωg + ry, rg} (C 1, C 2 ) = {ag + sy, sg} (D 1, D 2 ) = {(a + ω)g + (r + s)y, (r + s)g}
57 !57 TMOVE Instantiation Additive Homomorphic Encryption scheme: ElGamal in the exponent (homomorphic ElGamal) : Enc Y (ω) = {C 1, C 2 } = { ωg + ry, rg} We do the following for party i and PVSS secret α j : C 1 [i, j] = [ω i ] j G + α j pk i
58 !58 TMOVE Instantiation Additive Homomorphic Encryption scheme: ElGamal in the exponent (homomorphic ElGamal) : Enc Y (ω) = {C 1, C 2 } = { ωg + ry, rg} We do the following for party i and PVSS secret α j : Verifiable Encryption: ZK proof that segment under public key of party C 1 [i, j] = [ω i ] j G + α j pk i C 1 [i, j] i is an encryption of a small witness with randomness equal to α j
59 !59 TMOVE Instantiation Additive Homomorphic Encryption scheme: ElGamal in the exponent (homomorphic ElGamal) : Enc Y (ω) = {C 1, C 2 } = { ωg + ry, rg} We do the following for party i and PVSS secret α j : Verifiable Encryption: ZK proof that segment under public key of party C 1 [i, j] = [ω i ] j G + α j pk i C 1 [i, j] i is an encryption of a small witness with randomness equal to α j α j Gradual release: are reconstructed one at a time such that at any given moment the difference between parties is no more than one encrypted segment
60 !60 Verifiable Social Recovery via TMOVE Service Provider Owner i
61 !61 Verifiable Social Recovery via TMOVE Service Provider Owner i 2P keygen s r sk = f(s r, s m ) s m
62 !62 Verifiable Social Recovery via TMOVE Service Provider Owner i s r 2P keygen s m s r TMOVE::encrypt( ) TMOVE::distribute::party(i)
63 !63 Verifiable Social Recovery via TMOVE (Part 2) s m
64 !64 Verifiable Social Recovery via TMOVE (Part 2) TMOVE::reconstruct s m {α j } m 1 {α j } m 1 {α j } m 1
65 !65 Verifiable Social Recovery via TMOVE (Part 2) sk = f(s r, s m ) s r s m {α j } m 1 {α j } m 1 {α j } m 1 TMOVE::decrypt::party(i)
66 !66 Mixed Model{t=n=2} Roles Owner x 1 Service Providers x 1 System Requirements No single point of failure Move of assets (signing) cannot happen without Owner approval Recovery is possible at all times?
67 !67 Mixed Model{t=n=2} Roles Owner x 1 Service Providers x 1 System Requirements No single point of failure Move of assets (signing) cannot happen without Owner approval Recovery is possible at all times
68 68 The Journey Trust that other users in the same situation will act rationally 1 owner, 1 sp No single point of failure Verifiable Social Recovery Mixed Model KMS Key management is hard TMOVE Threshold multiple output verifiable encryption
69 !69 Questions? Trust that other users in the same situation will act rationally 1 owner, 1 sp No single point of failure Verifiable Social Recovery Mixed Model KMS Key management is hard TMOVE Threshold multiple output verifiable encryption kzencorpcom twittercom/kzencorp githubcom/kzen-networks
70 !70 Practical Considerations One SP can handle millions of Owners Owners can join the service Asynchronously Owners of the same SP must have similar stake in the system PKI: Owners of the same SP must know each other public key (blockchain pk s are good)
Secret sharing schemes
Secret sharing schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction Shamir s secret sharing scheme perfect secret
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Secret Sharing Vault should only open if both Alice and Bob are present Vault should only open if Alice, Bob, and Charlie are
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationRobust Password- Protected Secret Sharing
Robust Password- Protected Secret Sharing Michel Abdalla, Mario Cornejo, Anca Niţulescu, David Pointcheval École Normale Supérieure, CNRS and INRIA, Paris, France R E S E A R C H UNIVERSITY PPSS: Motivation
More informationMulti-Party Computation with Conversion of Secret Sharing
Multi-Party Computation with Conversion of Secret Sharing Josef Pieprzyk joint work with Hossein Ghodosi and Ron Steinfeld NTU, Singapore, September 2011 1/ 33 Road Map Introduction Background Our Contribution
More informationCS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing
Lecture 11: Key Management, Secret Sharing Céline Blondeau Email: celine.blondeau@aalto.fi Department of Computer Science Aalto University, School of Science Key Management Secret Sharing Shamir s Threshold
More informationBroadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions
Broadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions Dissertation submitted to the Faculty of the Graduate School of the University of Maryland, College Park in
More informationAre you the one to share? Secret Transfer with Access Structure
Are you the one to share? Secret Transfer with Access Structure Yongjun Zhao, Sherman S.M. Chow Department of Information Engineering The Chinese University of Hong Kong, Hong Kong Private Set Intersection
More information15 Public-Key Encryption
15 Public-Key Encryption So far, the encryption schemes that we ve seen are symmetric-key schemes. The same key is used to encrypt and decrypt. In this chapter we introduce public-key (sometimes called
More informationMultiparty Computation (MPC) Arpita Patra
Multiparty Computation (MPC) Arpita Patra MPC offers more than Traditional Crypto! > MPC goes BEYOND traditional Crypto > Models the distributed computing applications that simultaneously demands usability
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationMTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R
More informationSCRAPE: Scalable Randomness Attested by Public Entities
SCRAPE: Scalable Randomness Attested by Public Entities Ignacio Cascudo 1 and Bernardo David 23 1 Aalborg University, Denmark 2 Aarhus University, Denmark 3 IOHK, Hong Kong Abstract. Uniform randomness
More informationCryptanalysis of a Group Key Transfer Protocol Based on Secret Sharing: Generalization and Countermeasures
Cryptanalysis of a Group Key Transfer Protocol Based on Secret Sharing: Generalization and Countermeasures Kallepu Raju, Appala Naidu Tentu, V. Ch. Venkaiah Abstract: Group key distribution protocol is
More informationCryptography for Blockchains beyond ECDSA and SHA256
Cryptography for Blockchains beyond ECDSA and SHA256 S IGNATURES AND Z ERO K NOWLEDGE P ROOFS Benedikt Bünz Stanford University Overview 1. Signatures 1. ECDSA 2. BLS 3. Threshold Signatures 4. Ring Signatures
More informationNon-Interactive Zero-Knowledge Proofs of Non-Membership
Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building
More informationSecurity Protocols and Application Final Exam
Security Protocols and Application Final Exam Solution Philippe Oechslin and Serge Vaudenay 25.6.2014 duration: 3h00 no document allowed a pocket calculator is allowed communication devices are not allowed
More informationEvaluating 2-DNF Formulas on Ciphertexts
Evaluating 2-DNF Formulas on Ciphertexts Dan Boneh, Eu-Jin Goh, and Kobbi Nissim Theory of Cryptography Conference 2005 Homomorphic Encryption Enc. scheme is homomorphic to function f if from E[A], E[B],
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationCryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1
Cryptography CS 555 Topic 25: Quantum Crpytography CS555 Topic 25 1 Outline and Readings Outline: What is Identity Based Encryption Quantum cryptography Readings: CS555 Topic 25 2 Identity Based Encryption
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationIntroduction to Modern Cryptography Lecture 11
Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationLecture 3,4: Multiparty Computation
CS 276 Cryptography January 26/28, 2016 Lecture 3,4: Multiparty Computation Instructor: Sanjam Garg Scribe: Joseph Hui 1 Constant-Round Multiparty Computation Last time we considered the GMW protocol,
More informationOverview of the Talk. Secret Sharing. Secret Sharing Made Short Hugo Krawczyk Perfect Secrecy
Overview of the Talk Secret Sharing CS395T Design and Implementation of Trusted Services Ankur Gupta Hugo Krawczyk. Secret Sharing Made Short, 1993. Josh Cohen Benaloh. Secret Sharing Homomorphisms: Keeping
More informationBasics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018
Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval
More informationSCRAPE: Scalable Randomness Attested by Public Entities
SCRAPE: Scalable Randomness Attested by Public Entities Ignacio Cascudo 1 and Bernardo David 23 1 Aalborg University, Denmark 2 Aarhus University, Denmark 3 IOHK, Hong Kong Abstract. Uniform randomness
More informationPractical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationThreshold Undeniable RSA Signature Scheme
Threshold Undeniable RSA Signature Scheme Guilin Wang 1, Sihan Qing 1, Mingsheng Wang 1, and Zhanfei Zhou 2 1 Engineering Research Center for Information Security Technology; State Key Laboratory of Information
More informationINFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING
INFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING Changlu Lin State Key Lab. of Information Security, Graduate University of Chinese Academy of Sciences, China Key Lab. of Network Security
More informationMASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer
MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer Tore Frederiksen Emmanuela Orsini Marcel Keller Peter Scholl Aarhus University University of Bristol 31 May 2016 Secure Multiparty
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationLecture 10. Public Key Cryptography: Encryption + Signatures. Identification
Lecture 10 Public Key Cryptography: Encryption + Signatures 1 Identification Public key cryptography can be also used for IDENTIFICATION Identification is an interactive protocol whereby one party: prover
More informationANALYSIS OF PRIVACY-PRESERVING ELEMENT REDUCTION OF A MULTISET
J. Korean Math. Soc. 46 (2009), No. 1, pp. 59 69 ANALYSIS OF PRIVACY-PRESERVING ELEMENT REDUCTION OF A MULTISET Jae Hong Seo, HyoJin Yoon, Seongan Lim, Jung Hee Cheon, and Dowon Hong Abstract. The element
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationData-Mining on GBytes of
Data-Mining on GBytes of Encrypted Data In collaboration with Dan Boneh (Stanford); Udi Weinsberg, Stratis Ioannidis, Marc Joye, Nina Taft (Technicolor). Outline Motivation Background on cryptographic
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationADVERTISING AGGREGATIONARCHITECTURE
SOMAR LAPS PRIVACY-PRESERVING LATTICE-BASED PRIVATE-STREAM SOCIAL MEDIA ADVERTISING AGGREGATIONARCHITECTURE OR: HOW NOT TO LEAVE YOUR PERSONAL DATA AROUND REVISITING PRIVATE-STREAM AGGREGATION: LATTICE-BASED
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial
More informationMarch 19: Zero-Knowledge (cont.) and Signatures
March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o
More informationLecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More informationOn the CCA1-Security of Elgamal and Damgård s Elgamal
On the CCA1-Security of Elgamal and Damgård s Elgamal Cybernetica AS, Estonia Tallinn University, Estonia October 21, 2010 Outline I Motivation 1 Motivation 2 3 Motivation Three well-known security requirements
More informationAdditive Conditional Disclosure of Secrets
Additive Conditional Disclosure of Secrets Sven Laur swen@math.ut.ee Helsinki University of Technology Motivation Consider standard two-party computation protocol. x f 1 (x, y) m 1 m2 m r 1 mr f 2 (x,
More informationThreshold RSA for Dynamic and Ad-Hoc Groups
Threshold RSA for Dynamic and Ad-Hoc Groups Rosario Gennaro, Shai Halevi, Hugo Krawczyk, Tal Rabin IBM T.J.Watson Research Center Hawthorne, NY USA Abstract. We consider the use of threshold signatures
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationRemote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant
Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant Roberto Araújo, Amira Barki, Solenn Brunet and Jacques Traoré 1st Workshop on Advances in Secure Electronic Voting Schemes VOTING
More informationABSTRACT BROADCAST AND VERIFIABLE SECRET SHARING: NEW SECURITY MODELS AND ROUND-OPTIMAL CONSTRUCTIONS. Ranjit Kumaresan, Doctor of Philosophy, 2012
ABSTRACT Title of dissertation: BROADCAST AND VERIFIABLE SECRET SHARING: NEW SECURITY MODELS AND ROUND-OPTIMAL CONSTRUCTIONS Ranjit Kumaresan, Doctor of Philosophy, 2012 Dissertation directed by: Professor
More informationPrivacy Preserving Multiset Union with ElGamal Encryption
Privacy Preserving Multiset Union with ElGamal Encryption Jeongdae Hong 1, Jung Woo Kim 1, and Jihye Kim 2 and Kunsoo Park 1, and Jung Hee Cheon 3 1 School of Computer Science and Engineering, Seoul National
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationChapter 11 : Private-Key Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1 Chapter 11 Public-Key Encryption Apologies: all numbering
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationRandomized Component and Group Oriented (t,m,n)-secret Sharing
Randomized Component and Group Oriented (t,m,n)-secret Sharing Miao Fuyou School of Computer Sci. & Tech.,USTC 2016.4.10 Outline (t,n)-secret Sharing 2 Attacks Against (t,n)-ss Randomized Component (t,m,n)-group
More informationRate-Limited Secure Function Evaluation: Definitions and Constructions
An extended abstract of this paper is published in the proceedings of the 16th International Conference on Practice and Theory in Public-Key Cryptography PKC 2013. This is the full version. Rate-Limited
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationA Posteriori Openable Public Key Encryption *
A Posteriori Openable Public Key Encryption * Xavier Bultel 1, Pascal Lafourcade 1, CNRS, UMR 6158, LIMOS, F-63173 Aubière, France Université Clermont Auvergne, LIMOS, BP 10448, 63000 Clermont-Ferrand,
More informationMultiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011
Multiparty Computation from Somewhat Homomorphic Encryption Ivan Damgård 1 Valerio Pastro 1 Nigel Smart 2 Sarah Zakarias 1 1 Aarhus University 2 Bristol University CTIC 交互计算 November 9, 2011 Damgård, Pastro,
More informationProofs of Retrievability via Fountain Code
Proofs of Retrievability via Fountain Code Sumanta Sarkar and Reihaneh Safavi-Naini Department of Computer Science, University of Calgary, Canada Foundations and Practice of Security October 25, 2012 Outsourcing
More informationAn Introduction to Pairings in Cryptography
An Introduction to Pairings in Cryptography Craig Costello Information Security Institute Queensland University of Technology INN652 - Advanced Cryptology, October 2009 Outline 1 Introduction to Pairings
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationEfficient Public-Key Distance Bounding
Efficient Public-Key Distance Bounding HNDN KILINÇ ND SERGE VUDENY 1 1. Introduction of Distance Bounding 2. Formal Definitions for Security and Privacy 3. Weak uthenticated Key greement 4. Our Protocols:
More informationSecurity of Symmetric Primitives under Incorrect Usage of Keys
Security of Symmetric Primitives under Incorrect Usage of Keys Pooya Farshim 1 Claudio Orlandi 2 Răzvan Roşie 1 1 ENS, CNRS, INRIA & PSL Research University, Paris, France 2 Aarhus University, Aarhus,
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationGroup Diffie Hellman Protocols and ProVerif
Group Diffie Hellman Protocols and ProVerif CS 395T - Design and Analysis of Security Protocols Ankur Gupta Secure Multicast Communication Examples: Live broadcast of a match, stock quotes, video conferencing.
More informationSecure Computation. Unconditionally Secure Multi- Party Computation
Secure Computation Unconditionally Secure Multi- Party Computation Benny Pinkas page 1 Overview Completeness theorems for non-cryptographic faulttolerant distributed computation M. Ben-Or, S. Goldwasser,
More informationBenny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar-Ilan University 1 What is N? Bar-Ilan University 2 Completeness theorems for non-cryptographic fault-tolerant
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationHow to Use Bitcoin to Incentivize Correct Computations CCS 2014
How to Use Bitcoin to Incentivize Correct Computations Ranjit Kumaresan Technion Iddo Bentov Technion CCS 2014 Formal model that incorporates coins Ideal functionalities F with coins If party P i has (say)
More informationYou submitted this homework on Wed 31 Jul :50 PM PDT (UTC -0700). You got a score of out of You can attempt again in 10 minutes.
Feedback Week 6 - Problem Set You submitted this homework on Wed 31 Jul 2013 1:50 PM PDT (UTC -0700) You got a score of 1000 out of 1 You can attempt again in 10 minutes Question 1 Recall that with symmetric
More informationDigital signature schemes
Digital signature schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction digital signature scheme security of digital
More informationCRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11
CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 11 Sigma protocols for DL helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Introduction to malicious model Σ-protocols:
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationAn Efficient and Secure Protocol for Privacy Preserving Set Intersection
An Efficient and Secure Protocol for Privacy Preserving Set Intersection PhD Candidate: Yingpeng Sang Advisor: Associate Professor Yasuo Tan School of Information Science Japan Advanced Institute of Science
More informationCSA E0 312: Secure Computation September 09, [Lecture 9-10]
CSA E0 312: Secure Computation September 09, 2015 Instructor: Arpita Patra [Lecture 9-10] Submitted by: Pratik Sarkar 1 Summary In this lecture we will introduce the concept of Public Key Samplability
More informationAttribute-Based Encryption Optimized for Cloud Computing
ttribute-based Encryption Optimized for Cloud Computing Máté Horváth 27 January 1 / 17 Roadmap 1 Encryption in the Cloud 2 User Revocation 3 Background 4 The Proposed Scheme 5 Conclusion 2 / 17 Traditional
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationEntity Authentication
Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationNew Notions of Security: Universal Composability without Trusted Setup
New Notions of Security: Universal Composability without Trusted Setup Manoj Prabhakaran & Amit Sahai Princeton University To appear in STOC 04 Defining Security Central Problem in Cryptography Understanding
More informationLeakage Resilient ElGamal Encryption
Asiacrypt 2010, December 9th, Singapore Outline 1 Hybrid Encryption, the KEM/DEM framework 2 ElGamal KEM 3 Leakage Resilient Crypto Why? How? Other models? 4 Leakage Resilient ElGamal CCA1 secure KEM (Key
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationA New Approach to Practical Secure Two-Party Computation. Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank
A New Approach to Practical Secure Two-Party Computation Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank Secure Two-Party Computation Alice has an input a {0,1} * Bob has an input
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationA NOVEL APPROACH FOR SECURE MULTI-PARTY SECRET SHARING SCHEME VIA QUANTUM CRYPTOGRAPHY
A NOVEL APPROACH FOR SECURE MULI-PARY SECRE SHARING SCHEME VIA QUANUM CRYPOGRAPHY Noor Ul Ain Dept. of Computing, SEECS National University of Sciences and echnology H-1 Islamabad, Pakistan 13msccsnaain@seecs.edu.pk
More informationABSTRACT. a Byzantine adversary who controls at most t out of the n parties running the
ABSTRACT Title of dissertation: BROADCAST AND VERIFIABLE SECRET SHARING: NEW SECURITY MODELS AND ROUND-OPTIMAL CONSTRUCTIONS Ranjit Kumaresan, Doctor of Philosophy, 2012 Dissertation directed by: Professor
More informationIntroduction to Cybersecurity Cryptography (Part 5)
Introduction to Cybersecurity Cryptography (Part 5) Prof. Dr. Michael Backes 13.01.2017 February 17 th Special Lecture! 45 Minutes Your Choice 1. Automotive Security 2. Smartphone Security 3. Side Channel
More informationCRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12
CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 12 Sigma protocols for DL helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Introduction to malicious model Σ-protocols:
More informationECash and Anonymous Credentials
ECash and Anonymous Credentials CS/ECE 598MAN: Applied Cryptography Nikita Borisov November 9, 2009 1 E-cash Chaum s E-cash Offline E-cash 2 Anonymous Credentials e-cash-based Credentials Brands Credentials
More informationCryptographic Multilinear Maps. Craig Gentry and Shai Halevi
Cryptographic Multilinear Maps Craig Gentry and Shai Halevi China Summer School on Lattices and Cryptography, June 2014 Multilinear Maps (MMAPs) A Technical Tool A primitive for building applications,
More informationCut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings
Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings Yehuda Lindell Bar-Ilan University, Israel Technion Cryptoday 2014 Yehuda Lindell Online/Offline and Batch Yao 30/12/2014
More informationLecture 1. 1 Introduction. 2 Secret Sharing Schemes (SSS) G Exposure-Resilient Cryptography 17 January 2007
G22.3033-013 Exposure-Resilient Cryptography 17 January 2007 Lecturer: Yevgeniy Dodis Lecture 1 Scribe: Marisa Debowsky 1 Introduction The issue at hand in this course is key exposure: there s a secret
More informationPseudonym and Anonymous Credential Systems. Kyle Soska 4/13/2016
Pseudonym and Anonymous Credential Systems Kyle Soska 4/13/2016 Moving Past Encryption Encryption Does: Hide the contents of messages that are being communicated Provide tools for authenticating messages
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More information