Extracting a Secret Key from a Wireless Channel
|
|
- Felix Pope
- 6 years ago
- Views:
Transcription
1 Extracting a Secret Key from a Wireless Channel Suhas Mathur suhas@winlab.rutgers.edu W. Trappe, N. Mandayam (WINLAB) Chunxuan Ye, Alex Reznik (InterDigital) Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 1 / 28
2 Introduction Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 2 / 28
3 Alice & Bob have never met. Alice Bob Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 3 / 28
4 Alice & Bob have never met. They d like to exchange a secret message. Alice Bob Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 3 / 28
5 Alice & Bob have never met. They d like to exchange a secret message. Alice Bob Eve Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 3 / 28
6 Alice & Bob have never met. They d like to exchange a secret message. Alice But they don t share a secret key. Bob Eve Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 3 / 28
7 Alice? Bob Eve Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 4 / 28
8 Alice Diffie Hellman key exchange! Bob Eve Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 5 / 28
9 Alice Diffie Hellman key exchange! Bob Eve Computational Secrecy (Computationally bounded Eve) k = key, Y = Eve s obervations It should be computationally infeasible to compute k from Y. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 5 / 28
10 Alice Bob Eve Unconditional secrecy (Computationally unbounded Eve) H(k Y ) = H(k). Y is useless to the attacker in computing any useful information about k. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 6 / 28
11 Alice RANDOMLY VARYING CHANNEL BETWEEN ALICE AND BOB Bob Eve Unconditional secrecy (Computationally unbounded Eve) H(k Y ) = H(k). Y is useless to the attacker in computing any useful information about k. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 6 / 28
12 [Maurer 93] and [Ahlswede & Csiszar 93] showed correlated random variables can be used to derive keys by public discussion Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 7 / 28
13 [Maurer 93] and [Ahlswede & Csiszar 93] showed correlated random variables can be used to derive keys by public discussion Quantum Key Distribution Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 7 / 28
14 [Maurer 93] and [Ahlswede & Csiszar 93] showed correlated random variables can be used to derive keys by public discussion Quantum Key Distribution Everyday wireless channels can enable this! Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 7 / 28
15 Summary of fading wireless channels Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 8 / 28
16 Summary of fading wireless channels Fading is a multiplicative distortion h(t) due to the channel that is Random Time varying Reciprocal (Alice Bob Alice Bob) Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 8 / 28
17 Summary of fading wireless channels Fading is a multiplicative distortion h(t) due to the channel that is Random Time varying Reciprocal (Alice Bob Alice Bob) 2 h(t) Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 8 / 28
18 Summary of fading wireless channels Fading is a multiplicative distortion h(t) due to the channel that is Random Time varying Reciprocal (Alice Bob Alice Bob) 2 h(t) The fading parameter h(t) decorrelates in space and time Space: Over distances of λ/2 (= Ghz) Time: Over one coherence time T c 1 f d (f d 10 1 m/s) Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 8 / 28
19 So how do Alice and Bob actually obtain identical secret bits? Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 9 / 28
20 First, they probe the channel many times Alice Bob Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 10 / 28
21 First, they probe the channel many times Alice h(t) Bob Y 1 Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 10 / 28
22 First, they probe the channel many times X 1 Alice h(t) Bob Y 1 Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 10 / 28
23 First, they probe the channel many times X 1 Alice h(t) Bob Y 1 Y 2 Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 10 / 28
24 First, they probe the channel many times X 1 X 2 Alice h(t) Bob Y 1 Y 2 Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 10 / 28
25 First, they probe the channel many times X 1 X 2. X n X n = {X 1,... X n} Alice h(t) Bob Y 1 Y 2. Y n Y n = {Y 1,...Y n} Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 10 / 28
26 First, they probe the channel many times X 1 X 2. X n X n = {X 1,... X n} Alice h(t) Bob Y 1 Y 2. Y n Y n = {Y 1,...Y n} 1.6 Alice Bob Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 10 / 28
27 First, they probe the channel many times X 1 X 2. X n X n = {X 1,... X n} Alice h(t) Bob Y 1 Y 2. Y n Y n = {Y 1,...Y n} 1.6 Alice Bob Eve overhears Z n, which is uncorrelated with X n and Y n Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 10 / 28
28 Then they each locally compute thresholds Thresholds q + q = median + α SD = median α SD = One-bit quantizer { 1 if x > q+ Q(x) = 0 if x < q q + q Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 11 / 28
29 Then they each locally compute thresholds Thresholds q + q = median + α SD = median α SD = One-bit quantizer { 1 if x > q+ Q(x) = 0 if x < q q + Positive Excursion q Negative Excursion m = Min # of points to be considered an excursion Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 12 / 28
30 Positive Excursions Negative Excursion q + q X n Y n Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28
31 Positive Excursions Negative Excursion q + q X n Find locations of excursions in X n of size m. e.g. {6, 27, 42, 52, 64,98,...} Send a random subset to Bob L = {6, 42, 52, 98,...} Y n Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28
32 Positive Excursions Negative Excursion q + q X n Find locations of excursions in X n of size m. e.g. {6, 27, 42, 52, 64,98,...} Send a random subset to Bob L = {6, 42, 52, 98,...} Y n Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28
33 Positive Excursions Negative Excursion q + q X n Find locations of excursions in X n of size m. e.g. {6, 27, 42, 52, 64,98,...} Send a random subset to Bob L = {6, 42, 52, 98,...} L Y n Find those indices L L where Y n has excursions. L = {6, 52,...} Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28
34 Positive Excursions Negative Excursion q + q X n Find locations of excursions in X n of size m. e.g. {6, 27, 42, 52, 64,98,...} Send a random subset to Bob L = {6, 42, 52, 98,...} L Y n Find those indices L L where Y n has excursions. L = {6, 52,...} If L / L < ǫ for some 0 < ǫ < 1 2, declare attack & abort. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28
35 Positive Excursions Negative Excursion q + q X n Find locations of excursions in X n of size m. e.g. {6, 27, 42, 52, 64,98,...} Send a random subset to Bob L = {6, 42, 52, 98,...} L Y n Find those indices L L where Y n has excursions. L = {6, 52,...} If L / L < ǫ for some 0 < ǫ < 1 2, declare attack & abort. ELSE Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28
36 Positive Excursions Negative Excursion q + q X n Find locations of excursions in X n of size m. e.g. {6, 27, 42, 52, 64,98,...} Send a random subset to Bob L = {6, 42, 52, 98,...} L Y n Find those indices L L where Y n has excursions. L = {6, 52,...} If L / L < ǫ for some 0 < ǫ < 1 2, declare attack & abort. ELSE Quantize Y n at indices in L { } First N bits = for MAC. Remaining bits = secret key. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28
37 Positive Excursions Negative Excursion q + q X n Find locations of excursions in X n of size m. e.g. {6, 27, 42, 52, 64,98,...} Send a random subset to Bob L = {6, 42, 52, 98,...} L Y n Find those indices L L where Y n has excursions. L = {6, 52,...} If L / L < ǫ for some 0 < ǫ < 1 2, declare attack & abort. ELSE Quantize Y n at indices in L { } First N bits = for MAC. Remaining bits = secret key. o Send n L,MAC to Alice. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28
38 Positive Excursions Negative Excursion q + q X n Find locations of excursions in X n of size m. e.g. {6, 27, 42, 52, 64,98,...} Send a random subset to Bob L = {6, 42, 52, 98,...} L Y n Find those indices L L where Y n has excursions. L = {6, 52,...} If L / L < ǫ for some 0 < ǫ < 1 2, declare attack & abort. ELSE Quantize X n at indices in L { } Verify MAC using first N bits L,mac Quantize Y n at indices in L { } First N bits = for MAC. Remaining bits = secret key. o Send n L,MAC to Alice. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 13 / 28
39 How well does this work? Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 14 / 28
40 How many secret bits / sec? Secre bit rate Rate of channel variation (Doppler) At 2.4 Ghz, 1 m/s, Secret bit rate Doppler 10 s-bits/sec Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 15 / 28
41 How many secret bits / sec? Secre bit rate Rate of channel variation (Doppler) At 2.4 Ghz, 1 m/s, Secret bit rate Doppler 10 s-bits/sec Secret bits / sec Doppler = 10 Hz Min. excursion size Probes / sec x 10 3 Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 15 / 28
42 How many secret bits / sec? Secre bit rate Rate of channel variation (Doppler) At 2.4 Ghz, 1 m/s, Secret bit rate Doppler 10 s-bits/sec Secret bits / sec Doppler = 10 Hz Min. excursion size Probes / sec x 10 3 What secret bit rate do we need? Renew a 256 bit key every hour 0.08 bits/sec Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 15 / 28
43 Prob. of error Prob. of error (log 10 scale) db 10 db 20 db 30 db 40 db Value of m Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 16 / 28
44 Prob. of error Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 17 / 28
45 What if Eve causes trouble? (Active attacks) Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 18 / 28
46 Attack 1: Fake L or L messages 1 The integrity of L is protected by msg auth. code (MAC) Eve doesnt have the N bits needed for MAC But Alice does (from L and X n ) Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 19 / 28
47 Attack 1: Fake L or L messages 1 The integrity of L is protected by msg auth. code (MAC) Eve doesnt have the N bits needed for MAC But Alice does (from L and X n ) 2 Modification of L: Can reveal Eve to Alice, by causing L L. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 19 / 28
48 Attack 1: Fake L or L messages 1 The integrity of L is protected by msg auth. code (MAC) Eve doesnt have the N bits needed for MAC But Alice does (from L and X n ) 2 Modification of L: Can reveal Eve to Alice, by causing L L. What if Eve plays a man-in-the-middle attack from the very beginning? Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 19 / 28
49 Attack 1: Fake L or L messages 1 The integrity of L is protected by msg auth. code (MAC) Eve doesnt have the N bits needed for MAC But Alice does (from L and X n ) 2 Modification of L: Can reveal Eve to Alice, by causing L L. What if Eve plays a man-in-the-middle attack from the very beginning? Man-in-the-middle Cannot be protected against without mutual authentication. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 19 / 28
50 Attack 2: Eve inserts her own probes 1 Test each received probe for similarity against the last few probes [Xiao 08] Hypothesis test Non-zero prob. of miss and false alarm Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 20 / 28
51 Attack 2: Eve inserts her own probes 1 Test each received probe for similarity against the last few probes [Xiao 08] Hypothesis test Non-zero prob. of miss and false alarm 2 Use two separate one-way hash-chains One-way hash chain (f ( ) = one-way fn.) build f ( ) w n 1... f ( ) w 1 w n f ( ) reveal Apply f ( ) to w i in probe i to verify source A simple but crypto-based solution Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 20 / 28
52 Experimental validation using (Two methods) Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 21 / 28
53 Method 1: Using CIR from customized h/w Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 22 / 28
54 Method 1: Using CIR from customized h/w 1 64-point Channel Impulse Response from preamble 2 We use only tallest peak in CIR 3 Bob sends PROBE request every 110 msec 4 Alice sends PROBE response 5 Eve listens on to Alice Ghz channel Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 22 / 28
55 Experimental setup for the CIR-method Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 23 / 28
56 Method 1: Using CIR from customized h/w Alice s CIR 0.2 Bob s CIR Eve s CIR 0.3 "1" bits "0" bits q q Key generated by Alice: Key generated by Bob: Key inferred by Eve: Indoors, 1.13 s-bits/sec error-free Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 24 / 28
57 Where can channel-based secret keys be used? Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 25 / 28
58 Some applications Can be used to generate fresh session keys in : Session keys in i are linked to authentication credentials. Keys for newer sessions are depend upon older sessions. All messages prior to getting session keys are sent in the clear! In an ad-hoc network, Alice may not care who Bob is. Building trust-based relationships. Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 26 / 28
59 Summary The channel contains valuable info that can enhance confidentiality and authentication in a practical way. Existing wireless platforms already already have access to this info But usually thrown away at PHY layer. Can instead be preserved & utilized at higher layers. Future standards: MIMO, OFDM, TDD are ideally suited. Channel info. readily available Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 27 / 28
60 Questions? Suhas Mathur (WINLAB) Secret bits from the channel 12/10/08 28 / 28
Information-theoretically Secret Key. Generation for Fading Wireless Channels
Information-theoretically Secret Key 1 Generation for Fading Wireless Channels Chunxuan Ye, Suhas Mathur, Alex Reznik, Yogendra Shah, Wade Trappe and Narayan Mandayam arxiv:0910.5027v1 [cs.cr] 27 Oct 2009
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More information5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes
5th March 2004 Unconditional Security of Quantum Key Distribution With Practical Devices Hermen Jan Hupkes The setting Alice wants to send a message to Bob. Channel is dangerous and vulnerable to attack.
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationPractice Assignment 2 Discussion 24/02/ /02/2018
German University in Cairo Faculty of MET (CSEN 1001 Computer and Network Security Course) Dr. Amr El Mougy 1 RSA 1.1 RSA Encryption Practice Assignment 2 Discussion 24/02/2018-29/02/2018 Perform encryption
More informationSecret-Key Generation from Channel Reciprocity: A Separation Approach
Secret-ey Generation from Channel Reciprocity: Separation pproach shish histi Department of Electrical and Computer Engineering University of Toronto Feb 11, 2013 Security at PHY-Layer Use PHY Resources
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationKeyless authentication in the presence of a simultaneously transmitting adversary
Keyless authentication in the presence of a simultaneously transmitting adversary Eric Graves Army Research Lab Adelphi MD 20783 U.S.A. ericsgra@ufl.edu Paul Yu Army Research Lab Adelphi MD 20783 U.S.A.
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationSecret-Key Generation over Reciprocal Fading Channels
Secret-ey Generation over Reciprocal Fading Channels shish histi Department of Electrical and Computer Engineering University of oronto Nov. 14, 2012 Motivation Secret-ey Generation in Wireless Fading
More informationInformation-Theoretic Security: an overview
Information-Theoretic Security: an overview Rui A Costa 1 Relatório para a disciplina de Seminário, do Mestrado em Informática da Faculdade de Ciências da Universidade do Porto, sob a orientação do Prof
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationSecret-Key Agreement over Unauthenticated Public Channels Part I: Definitions and a Completeness Result
Secret-Key Agreement over Unauthenticated Public Channels Part I: Definitions and a Completeness Result Ueli Maurer, Fellow, IEEE Stefan Wolf Abstract This is the first part of a three-part paper on secret-key
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationCryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1
Cryptography CS 555 Topic 25: Quantum Crpytography CS555 Topic 25 1 Outline and Readings Outline: What is Identity Based Encryption Quantum cryptography Readings: CS555 Topic 25 2 Identity Based Encryption
More informationCrypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.
Crypto math II Alin Tomescu alinush@mit.edu May 7, 015 Abstract A quick overview on group theory from Ron Rivest s 6.857 course in Spring 015. 1 Overview Group theory review Diffie-Hellman (DH) key exchange
More informationGroup Secret Key Agreement over State-Dependent Wireless Broadcast Channels
Group Secret Key Agreement over State-Dependent Wireless Broadcast Channels Mahdi Jafari Siavoshani Sharif University of Technology, Iran Shaunak Mishra, Suhas Diggavi, Christina Fragouli Institute of
More informationSIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography
SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 8 of Trappe and Washington DIGITAL SIGNATURES message sig 1. How do we bind
More informationPassword Cracking: The Effect of Bias on the Average Guesswork of Hash Functions
Password Cracking: The Effect of Bias on the Average Guesswork of Hash Functions Yair Yona, and Suhas Diggavi, Fellow, IEEE Abstract arxiv:608.0232v4 [cs.cr] Jan 207 In this work we analyze the average
More informationCS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing
Lecture 11: Key Management, Secret Sharing Céline Blondeau Email: celine.blondeau@aalto.fi Department of Computer Science Aalto University, School of Science Key Management Secret Sharing Shamir s Threshold
More informationQuantum Wireless Sensor Networks
Quantum Wireless Sensor Networks School of Computing Queen s University Canada ntional Computation Vienna, August 2008 Main Result Quantum cryptography can solve the problem of security in sensor networks.
More informationSecret Key Establishment Using Wireless Channels as Common Randomness in Time-Variant MIMO Systems
Brigham Young University BYU ScholarsArchive All Theses and Dissertations 2010-04-08 Secret Key Establishment Using Wireless Channels as Common Randomness in Time-Variant MIMO Systems Chan Chen Brigham
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Finite Fields The finite field GF(q) exists iff q = p e for some prime p. Example: GF(9) GF(9) = {a + bi a, b Z 3, i 2 = i + 1} = {0, 1, 2, i, 1+i, 2+i, 2i, 1+2i, 2+2i} Addition:
More informationMessage Authentication Codes (MACs)
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationVEHICULAR networks have attracted much research
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI.9/TMC..5577, IEEE
More informationarxiv:quant-ph/ v1 27 Dec 2004
Multiparty Quantum Secret Sharing Zhan-jun Zhang 1,2, Yong Li 3 and Zhong-xiao Man 2 1 School of Physics & Material Science, Anhui University, Hefei 230039, China 2 Wuhan Institute of Physics and Mathematics,
More informationRSA RSA public key cryptosystem
RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.
More informationSecurity Implications of Quantum Technologies
Security Implications of Quantum Technologies Jim Alves-Foss Center for Secure and Dependable Software Department of Computer Science University of Idaho Moscow, ID 83844-1010 email: jimaf@cs.uidaho.edu
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationarxiv:quant-ph/ v1 6 Dec 2005
Quantum Direct Communication with Authentication Hwayean Lee 1,,4, Jongin Lim 1,, HyungJin Yang,3 arxiv:quant-ph/051051v1 6 Dec 005 Center for Information Security TechnologiesCIST) 1, Graduate School
More informationEntanglement and Quantum Teleportation
Entanglement and Quantum Teleportation Stephen Bartlett Centre for Advanced Computing Algorithms and Cryptography Australian Centre of Excellence in Quantum Computer Technology Macquarie University, Sydney,
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationPublic Key Cryptography
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Public Key Cryptography EECE 412 1 What is it? Two keys Sender uses recipient s public key to encrypt Receiver uses his private key to decrypt
More informationINTEGERS. In this section we aim to show the following: Goal. Every natural number can be written uniquely as a product of primes.
INTEGERS PETER MAYR (MATH 2001, CU BOULDER) In this section we aim to show the following: Goal. Every natural number can be written uniquely as a product of primes. 1. Divisibility Definition. Let a, b
More informationTHE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY
THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY Mark Zhandry - Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical
More informationQuantum threat...and quantum solutions
Quantum threat...and quantum solutions How can quantum key distribution be integrated into a quantum-safe security infrastructure Bruno Huttner ID Quantique ICMC 2017 Outline Presentation of ID Quantique
More informationThe odd couple: MQV and HMQV
The odd couple: MQV and HMQV Jean-Philippe Aumasson 1 / 49 Summary MQV = EC-DH-based key agreement protocol, proposed by Menezes, Qu and Vanstone (1995), improved with Law and Solinas (1998), widely standardized
More informationPERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY
PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY BURTON ROSENBERG UNIVERSITY OF MIAMI Contents 1. Perfect Secrecy 1 1.1. A Perfectly Secret Cipher 2 1.2. Odds Ratio and Bias 3 1.3. Conditions for Perfect
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously Digital Signatures Algorithms: Gen() à (sk,pk) Sign(sk,m) à σ Ver(pk,m,σ) à 0/1 Correctness: Pr[Ver(pk,m,Sign(sk,m))=1:
More informationA Genetic Algorithm to Analyze the Security of Quantum Cryptographic Protocols
A Genetic Algorithm to Analyze the Security of Quantum Cryptographic Protocols Walter O. Krawec walter.krawec@gmail.com Iona College Computer Science Department New Rochelle, NY USA IEEE WCCI July, 2016
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationOn the Simulatability Condition in Key Generation Over a Non-authenticated Public Channel
On the Simulatability Condition in Key Generation Over a Non-authenticated Public Channel Wenwen Tu and Lifeng Lai Department of Electrical and Computer Engineering Worcester Polytechnic Institute Worcester,
More informationLecture 7: Boneh-Boyen Proof & Waters IBE System
CS395T Advanced Cryptography 2/0/2009 Lecture 7: Boneh-Boyen Proof & Waters IBE System Instructor: Brent Waters Scribe: Ioannis Rouselakis Review Last lecture we discussed about the Boneh-Boyen IBE system,
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions
ENEE 457: Computer Systems Security 09/19/16 Lecture 6 Message Authentication Codes and Hash Functions Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationPing Pong Protocol & Auto-compensation
Ping Pong Protocol & Auto-compensation Adam de la Zerda For QIP seminar Spring 2004 02.06.04 Outline Introduction to QKD protocols + motivation Ping-Pong protocol Security Analysis for Ping-Pong Protocol
More informationQuantum key distribution for the lazy and careless
Quantum key distribution for the lazy and careless Noisy preprocessing and twisted states Joseph M. Renes Theoretical Quantum Physics, Institut für Angewandte Physik Technische Universität Darmstadt Center
More informationHashes and Message Digests Alex X. Liu & Haipeng Dai
Hashes and Message Digests Alex X. Liu & Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University Integrity vs. Secrecy Integrity: attacker cannot
More informationIntroduction to Quantum Cryptography
Università degli Studi di Perugia September, 12th, 2011 BunnyTN 2011, Trento, Italy This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. Quantum Mechanics
More informationLecture 10: Zero-Knowledge Proofs
Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam
More informationCosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks
1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationProblem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed
Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationFundamentals of Modern Cryptography
Fundamentals of Modern Cryptography BRUCE MOMJIAN This presentation explains the fundamentals of modern cryptographic methods. Creative Commons Attribution License http://momjian.us/presentations Last
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More information3F1: Signals and Systems INFORMATION THEORY Examples Paper Solutions
Engineering Tripos Part IIA THIRD YEAR 3F: Signals and Systems INFORMATION THEORY Examples Paper Solutions. Let the joint probability mass function of two binary random variables X and Y be given in the
More informationGround-Satellite QKD Through Free Space. Steven Taylor
Ground-Satellite QKD Through Free Space Steven Taylor Quantum Computation and Quantum Information, Spring 2014 Introduction: In this paper I will provide a brief introduction on what Quantum Key Distribution
More informationCryptanalysis of a Group Key Transfer Protocol Based on Secret Sharing: Generalization and Countermeasures
Cryptanalysis of a Group Key Transfer Protocol Based on Secret Sharing: Generalization and Countermeasures Kallepu Raju, Appala Naidu Tentu, V. Ch. Venkaiah Abstract: Group key distribution protocol is
More informationAutomatic, computational proof of EKE using CryptoVerif
Automatic, computational proof of EKE using CryptoVerif (Work in progress) Bruno Blanchet blanchet@di.ens.fr Joint work with David Pointcheval CNRS, École Normale Supérieure, INRIA, Paris April 2010 Bruno
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationA FEW E-COMMERCE APPLICATIONS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 9 of Trappe and Washington
A FEW E-COMMERCE APPLICATIONS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 9 of Trappe and Washington E-COMMERCE: SET SET = Secure Electronic Transaction Consider a credit
More informationCryptographic Protocols. Steve Lai
Cryptographic Protocols Steve Lai This course: APPLICATIONS (security) Encryption Schemes Crypto Protocols Sign/MAC Schemes Pseudorandom Generators And Functions Zero-Knowledge Proof Systems Computational
More informationMESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1
MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified
More informationEvidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs
Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs Jonah Brown-Cohen 1 Introduction The Diffie-Hellman protocol was one of the first methods discovered for two people, say Alice
More informationAN INTRODUCTION TO SECRECY CAPACITY. 1. Overview
AN INTRODUCTION TO SECRECY CAPACITY BRIAN DUNN. Overview This paper introduces the reader to several information theoretic aspects of covert communications. In particular, it discusses fundamental limits
More informationNetwork Security Based on Quantum Cryptography Multi-qubit Hadamard Matrices
Global Journal of Computer Science and Technology Volume 11 Issue 12 Version 1.0 July Type: Double Blind Peer Reviewed International Research Journal Publisher: Global Journals Inc. (USA) Online ISSN:
More informationTechnical Report Communicating Secret Information Without Secret Messages
Technical Report 013-605 Communicating Secret Information Without Secret Messages Naya Nagy 1, Marius Nagy 1, and Selim G. Akl 1 College of Computer Engineering and Science Prince Mohammad Bin Fahd University,
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationPERFECTLY secure key agreement has been studied recently
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 45, NO. 2, MARCH 1999 499 Unconditionally Secure Key Agreement the Intrinsic Conditional Information Ueli M. Maurer, Senior Member, IEEE, Stefan Wolf Abstract
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationLECTURE NOTES ON Quantum Cryptography
Department of Software The University of Babylon LECTURE NOTES ON Quantum Cryptography By Dr. Samaher Hussein Ali College of Information Technology, University of Babylon, Iraq Samaher@itnet.uobabylon.edu.iq
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Solution Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationIntroduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions
Introduction to Modern Cryptography Lecture 7 1. RSA Public Key CryptoSystem 2. One way Trapdoor Functions Diffie and Hellman (76) New Directions in Cryptography Split the Bob s secret key K to two parts:
More informationWeek 12: Hash Functions and MAC
Week 12: Hash Functions and MAC 1. Introduction Hash Functions vs. MAC 2 Hash Functions Any Message M Hash Function Generate a fixed length Fingerprint for an arbitrary length message. No Key involved.
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationVerification of a Diffie-Hellman Password-based Authentication Protocol by Extending the Inductive Method
Verification of a Diffie-Hellman Password-based Authentication Protocol by Extending the Inductive Method Pasquale Noce Security Certification Specialist at Arjo Systems, Italy pasquale dot noce dot lavoro
More informationIntroduction to Quantum Key Distribution
Fakultät für Physik Ludwig-Maximilians-Universität München January 2010 Overview Introduction Security Proof Introduction What is information? A mathematical concept describing knowledge. Basic unit is
More informationQuantum Key Distribution. The Starting Point
Quantum Key Distribution Norbert Lütkenhaus The Starting Point Quantum Mechanics allows Quantum Key Distribution, which can create an unlimited amount of secret key using -a quantum channel -an authenticated
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationASPECIAL case of the general key agreement scenario defined
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL 49, NO 4, APRIL 2003 839 Secret-Key Agreement Over Unauthenticated Public Channels Part III: Privacy Amplification Ueli Maurer, Fellow, IEEE, and Stefan Wolf
More informationSharing a Secret in Plain Sight. Gregory Quenell
Sharing a Secret in Plain Sight Gregory Quenell 1 The Setting: Alice and Bob want to have a private conversation using email or texting. Alice Bob 2 The Setting: Alice and Bob want to have a private conversation
More informationBound Information: The Classical Analog to Bound Quantum Entanglement
Bound Information: The Classical Analog to Bound Quantum Entanglement Nicolas Gisin, Renato Renner and Stefan Wolf Abstract. It was recently pointed out that there is a close connection between information-theoretic
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationHIMMO. Oscar Garcia-Morchon, Ronald Rietman, Ludo Tolhuizen. July PHILIPS RESEARCH
HIMMO Oscar Garcia-Morchon, Ronald Rietman, Ludo Tolhuizen July 2016 1 1 Aims of the presentation To share work done at Philips Research To discuss rationale of HIMMO To get feedback on our work 2 Contents
More informationA NOVEL APPROACH FOR SECURE MULTI-PARTY SECRET SHARING SCHEME VIA QUANTUM CRYPTOGRAPHY
A NOVEL APPROACH FOR SECURE MULI-PARY SECRE SHARING SCHEME VIA QUANUM CRYPOGRAPHY Noor Ul Ain Dept. of Computing, SEECS National University of Sciences and echnology H-1 Islamabad, Pakistan 13msccsnaain@seecs.edu.pk
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/
More informationQuantum Cryptography
Quantum Cryptography Christian Schaffner Research Center for Quantum Software Institute for Logic, Language and Computation (ILLC) University of Amsterdam Centrum Wiskunde & Informatica Winter 17 QuantumDay@Portland
More informationSecret Key Agreement Using Asymmetry in Channel State Knowledge
Secret Key Agreement Using Asymmetry in Channel State Knowledge Ashish Khisti Deutsche Telekom Inc. R&D Lab USA Los Altos, CA, 94040 Email: ashish.khisti@telekom.com Suhas Diggavi LICOS, EFL Lausanne,
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationBasics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018
Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval
More information9. Distance measures. 9.1 Classical information measures. Head Tail. How similar/close are two probability distributions? Trace distance.
9. Distance measures 9.1 Classical information measures How similar/close are two probability distributions? Trace distance Fidelity Example: Flipping two coins, one fair one biased Head Tail Trace distance
More information