Abstract Specification of Crypto- Protocols and their Attack Models in MSR

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Abstract Specification of Crypto- Protocols and their Attack Models in MSR"

Transcription

1 Abstract Specification of Crypto- Protocols and their Attack Models in MSR Iliano Cervesato ITT Industries, NRL Washington DC Software Engineering Institute - CMU August 6 th, 2001

2 Outline I. Dolev-Yao specifications II. Specifying Protocols in MSR III.Access Control IV. Specifying Attacker Models V. Inferring the Dolev-Yao Attacker Specifying Crypto-Protocols and their Intruder Models in MSR 2

3 Part I Dolev-Yao Specification of Security Protocols Specifying Crypto-Protocols and their Intruder Models in MSR 3

4 Why is Protocol Analysis Difficult? Subtle cryptographic primitives Dolev-Yao abstraction Distributed hostile environment Prudent engineering practice Inadequate specification languages the devil is in details Specifying Crypto-Protocols and their Intruder Models in MSR 4

5 Dolev-Yao Abstraction Symbolic data No bit-strings Perfect cryptography No guessing of keys Public knowledge soup Magic access to data Specifying Crypto-Protocols and their Intruder Models in MSR 5

6 pictorially s a k b k a Specifying Crypto-Protocols and their Intruder Models in MSR 6

7 Languages to Specify What? Message flow Message constituents Operating environment Protocol goals Specifying Crypto-Protocols and their Intruder Models in MSR 7

8 Desirable Properties Unambiguous Simple Flexible Applies to a wide class of protocols Insightful Gives insight about protocols Specifying Crypto-Protocols and their Intruder Models in MSR 8

9 Part II Specifying Protocols in MSR Specifying Crypto-Protocols and their Intruder Models in MSR 9

10 What s in MSR 2.0? Multiset rewriting with existentials Dependent types w/ subsorting Memory predicates New New Constraints New Specifying Crypto-Protocols and their Intruder Models in MSR 10

11 Terms Atomic terms Principal names Keys Nonces Term constructors ( ) {_} _ [_] _ {{_}} _ A k n D e f i n a b l e Specifying Crypto-Protocols and their Intruder Models in MSR 11

12 Rules x 1 : τ 1. x n : τ n. y 1 : τ 1. lhs rhs y n : τ n. N(t) Network L(t,, t) Local state M A (t,, t) Memory χ Constraints N(t) Network L(t,, t) Local state M A (t,, t) Memory Specifying Crypto-Protocols and their Intruder Models in MSR 12

13 Types of Terms A: princ n: nonce k: shk A B k: pubk A Types can depend on term Captures relations between objects k : privk k (definable) Specifying Crypto-Protocols and their Intruder Models in MSR 13

14 Subtyping τ :: msg Allows atomic terms in messages Definable Non-transmittable terms Sub-hierarchies Specifying Crypto-Protocols and their Intruder Models in MSR 14

15 Role state predicates Hold data local to a role instance Lifespan = role L l (A,t,, t) Invoke next rule L l = control (A,t,, t) = data Specifying Crypto-Protocols and their Intruder Models in MSR 15

16 Memory Predicates New M A (t,, t) Hold private info. across role exec. Support for subprotocols Communicate data Pass control Interface to outside system Implements intruder Specifying Crypto-Protocols and their Intruder Models in MSR 16

17 Constraints New χ Guards over interpreted domain Abstract Modular Invoke constraint handler E.g.: timestamps (T E = T N + T d ) (T N < T E ) Specifying Crypto-Protocols and their Intruder Models in MSR 17

18 Type of predicates Dependent sums Σx: τ. τ τ (x) x τ Forces associations among arguments x E.g.: princ (A) x pubk A (k A) x privk k A Specifying Crypto-Protocols and their Intruder Models in MSR 18

19 Roles Role state pred. var. declarations Generic roles Role owner Anchored roles L: τ (x 1 ) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs L: τ (x1) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A A Specifying Crypto-Protocols and their Intruder Models in MSR 19

20 Needham-Schroeder Public-Key Protocol (fragment) A B: {n A, A} kb B A: {n A, n B } ka A B: {n B } kb ( Usual Notation ) Specifying Crypto-Protocols and their Intruder Models in MSR 20

21 MSR 2.0 NS Initiator A L: princ x princ (B) x pubk B x nonce. B: princ k B : pubk B n A :nonce. L(A,B,k B,n A ) N({n A,A} kb ) k A : pubk A k A : privk k A n A,n B : nonce L(A,B,k B,n A ) N({n A,n B } ka ) N({n B } kb ) Specifying Crypto-Protocols and their Intruder Models in MSR 21

22 MSR 2.0 NS Responder L: princ (B) x princ (A) x pubk B (kb) x privk k B x nonce x pubk A x nonce. B k B : pubk B k B : privk k B A: princ n A : nonce k A : pubk A N({n A,A} kb ) n B :nonce. L( ) N({n A,n B } ka ) n B : nonce L(B,k B,k B,A,n A,k A,n B ) N({n B } kb ) Specifying Crypto-Protocols and their Intruder Models in MSR 22

23 Type Checking New Σ P t has type τ in Γ Catches: Γ t : τ Encryption with a nonce P is welltyped in Σ Transmission of a long term key Circular key hierarchies, Static and dynamic uses Decidable Specifying Crypto-Protocols and their Intruder Models in MSR 23

24 Execution Model 1-step firing P C C Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules Specifying Crypto-Protocols and their Intruder Models in MSR 24

25 Snapshots Active role set C = [S] R Σ State N(t) L l (t,, t) M A (t,, t) Signature a : τ L l : τ M _ : τ Specifying Crypto-Protocols and their Intruder Models in MSR 25

26 Rule application Constraint check F, χ n:τ. G(n) Σ = χ (constraint handler) Firing [S 1 ] R Σ [S 2 ] R Σ, c:τ c not in S 1 S, F S, G(c) Specifying Crypto-Protocols and their Intruder Models in MSR 26

27 Properties Admissibility of parallel firing Type preservation Access control preservation Completeness of Dolev-Yao intruder New Specifying Crypto-Protocols and their Intruder Models in MSR 27

28 Part III Access Control Specifying Crypto-Protocols and their Intruder Models in MSR 28

29 Access Control r is AC-valid for A in Γ Catches Γ A r New P is ACvalid in Σ Σ P A signing/encrypting with B s key A accessing B s private data, Static Decidable Gives meaning to Dolev-Yao intruder Specifying Crypto-Protocols and their Intruder Models in MSR 29

30 Overview Interpret incoming information Collect received data Access unknown data Construct outgoing information Generate data Use known data Access new data Verify access to data Specifying Crypto-Protocols and their Intruder Models in MSR 30

31 Processing a Rule Γ A lhs >> Δ Γ; Δ A rhs Γ A lhs rhs Specifying Crypto-Protocols and their Intruder Models in MSR 31

32 Processing Predicates on the LHS Network messages Γ ; Δ A t >> Δ Γ; Δ A N(t) >> Δ Memory predicates Γ ; Δ A t 1,,t n >> Δ Γ; Δ A M A (t 1,,t n ) >> Δ Specifying Crypto-Protocols and their Intruder Models in MSR 32

33 Interpreting Data on the LHS Pairs Γ; Δ A t 1, t 2 >> Δ Γ; Δ A (t 1, t 2 ) >> Δ Encrypted terms Γ; Δ A k >> Δ Γ; Δ A t >> Δ Γ; Δ A {t} k >> Δ Elementary terms Γ; (Δ,x) A x >> (Δ,x) (Γ,x:τ); Δ A x >> (Δ,x) Specifying Crypto-Protocols and their Intruder Models in MSR 33

34 Accessing Data on the LHS Shared keys Γ; (Δ,k) A k >> (Δ,k) (Γ,x:shK A B); Δ A x >> (Δ,x) Public keys (Γ,k:pubK A,k :privk k); (Δ,k ) A k >> (Δ,k ) (Γ,k:pubK A,k :privk k); Δ A k >> (Δ,k ) Specifying Crypto-Protocols and their Intruder Models in MSR 34

35 Generating Data on the RHS Nonces (Γ, x:nonce); (Δ, x) A rhs Γ; Δ A x:nonce. rhs Specifying Crypto-Protocols and their Intruder Models in MSR 35

36 Constructing Terms on the RHS Pairs Γ; Δ A t 1 Γ; Δ A t 2 Γ; Δ A (t 1, t 2 ) Shared-key encryptions Γ; Δ A t Γ; Δ A k Γ; Δ A {t} k Specifying Crypto-Protocols and their Intruder Models in MSR 36

37 Accessing Data on the RHS Principal Γ, B:princ A B Shared key Γ, B:princ, k:shk A B A k Public key Γ, B:princ, k:pubk B A k Private key Γ, k:pubk A, k :privk k A k Specifying Crypto-Protocols and their Intruder Models in MSR 37

38 Part IV Specifying Attacker Models Specifying Crypto-Protocols and their Intruder Models in MSR 38

39 Execution with an Attacker P, P I C C Selected principal(s): Generic capabilities: Well-typed AC-valid I P I Modeled completely within MSR Specifying Crypto-Protocols and their Intruder Models in MSR 39

40 The Dolev-Yao Intruder Specific protocol suite P DY Underlies every protocol analysis tool Completeness still unproved!!! Specifying Crypto-Protocols and their Intruder Models in MSR 40

41 Capabilities of the D-Y Intruder Intercept / emit messages Split / form pairs Decrypt / encrypt with known key Look up public information Generate fresh data Specifying Crypto-Protocols and their Intruder Models in MSR 41

42 DY Intruder Data access M I (t) : Intruder knowledge A: princ. M I (A) I A: princ k: shk I A M I (k) I + dual A: princ k: pubk A M I (k) I k: pubk I k : privk k M I (k ) I No nonces, no other keys, Specifying Crypto-Protocols and their Intruder Models in MSR 42

43 DY Intruder Data Generation Safe data n:nonce. M I (n) I m:msg. M I (m) I Anything else? A,B:princ. k:shk A B. M I (k) I??? It depends on the protocol!!! Automated generation Specifying Crypto-Protocols and their Intruder Models in MSR 43

44 DY Intruder vs. AC AC-valid Well-typed Dolev-Yao intruder New/ D-Y Intruder inferred from AC rules AC rules inferred from prot. spec. (with help) Specifying Crypto-Protocols and their Intruder Models in MSR 44

45 Completeness of D-Y Intruder If P [S] R Σ [S ] R Σ with all well-typed and AC-valid Then P, P DY [S] R Σ [S ] R Σ Specifying Crypto-Protocols and their Intruder Models in MSR 45

46 Consequences Justifies design of current tools Support optimizations D-Y intr. often too general/inefficient Generic optimizations Per protocol optimizations Restrictive environments Caps multi-intruder situations Specifying Crypto-Protocols and their Intruder Models in MSR 46

47 Part V New Inferring the Dolev-Yao Intruder Specifying Crypto-Protocols and their Intruder Models in MSR 47

48 The Dolev-Yao Intruder Model Interpret incoming information Collect received data Access unknown data Construct outgoing information Generate data Use known data Access new data Same operations as AC! Specifying Crypto-Protocols and their Intruder Models in MSR 48

49 Accessing Principal Names Γ, B:princ A B I B:princ. M I (B) I Specifying Crypto-Protocols and their Intruder Models in MSR 49

50 What did we do? Instantiate acting principal to I Accessed data Intruder knowledge Meta-variables Rule variables Ignore context Γ Specifying Crypto-Protocols and their Intruder Models in MSR 50

51 Checking it out: Shared Keys Γ, A:princ, B:princ, k:shk A B A k I I I B: princ k: shk I B M I (k) I + dual Specifying Crypto-Protocols and their Intruder Models in MSR 51

52 Getting Confident: Pub./Priv. Keys Γ, B:princ, k:pubk B A k I B: princ k: pubk B M I (k) I Γ, A:princ, k:pubk A, k :privk k A k I k: pubk I k : privk k M I (k ) Specifying Crypto-Protocols and their Intruder Models in MSR 52 I I I

53 Constructing Messages: Pairs Γ; Δ A t 1 Γ; Δ A t I I 2 Γ; Δ A (t 1, t 2 ) I t 1,t 2 :msg. M I (t 1 ), M I (t 2 ) M I ((t 1,t 2 )) I Specifying Crypto-Protocols and their Intruder Models in MSR 53

54 Now, what did we do? Instantiate acting principal to I Accessed data Intruder knowledge Meta-variables Rule variables Ignore Γ and knowledge context Δ Premises antecedent Conclusion consequent Auxiliary typing derivation gives types Specifying Crypto-Protocols and their Intruder Models in MSR 54

55 Carrying on: Shared-Key Encrypt. Γ; Δ A t Γ; Δ A k I Γ; Δ A {t} I k I A,B: princ k: shk A B t: msg M I (t), M I (k) M I ({t} k ) I Similar for public-key encryption Specifying Crypto-Protocols and their Intruder Models in MSR 55

56 Generating Data: Nonces (Γ, x:nonce); (Δ, x) A rhs Γ; Δ A x:nonce. rhs I I x:nonce. M I (x) I Similarly for other generated data Specifying Crypto-Protocols and their Intruder Models in MSR 56

57 Now, what did we do? Instantiate acting principal to I Accessed data Intruder knowledge Meta-variables Rule variables Ignore Γ and knowledge context Δ Premises antecedent Conclusion consequent Auxiliary typing derivation gives types One intruder rule for each AC rule Save generated object Specifying Crypto-Protocols and their Intruder Models in MSR 57

58 Interpreting Shared-Key Encrypt. Γ; Δ A k >> Δ Γ; Δ A t >> Δ I Γ; Δ A {t} k >> Δ I I A,B: princ k: shk A B t: msg M I ({t} k ), M I (k) M I (t) I Similar for public-key encryption pairing Specifying Crypto-Protocols and their Intruder Models in MSR 58

59 Now, what did we do? Instantiate acting principal to I Accessed data Intruder knowledge Meta-variables Rule variables Ignore Γ and knowledge context Δ Premises antecedent Conclusion consequent Auxiliary typing derivation gives types One intruder rule for each AC rule Save generated object Premises consequent Conclusion antecedant Specifying Crypto-Protocols and their Intruder Models in MSR 59

60 Network Rules Γ ; Δ A t >> Δ Γ; Δ A N(t) >> Δ t:msg. N(t) M I (t) I Γ ; Δ A t Γ; Δ A N(t) t:msg. M I (t) N(t) I Specifying Crypto-Protocols and their Intruder Models in MSR 60

61 Other Rules? Either redundant, or t:msg. N(t) N(t) I or, innocuous (but sensible) t 1,,t n :msg. M I (t 1,,t n ) M I (t 1 ),,M I (t n ) I Specifying Crypto-Protocols and their Intruder Models in MSR 61

62 Dissecting AC 5 activities: Interpret message components on LHS Constructors atoms Pattern matching Trivial Access data (keys) on LHS Generate data on RHS Trivial Construct messages on RHS Access data on RHS Trivial Specifying Crypto-Protocols and their Intruder Models in MSR 62

63 Accessing data Annotate the type of freely accessible data princ: + type Make it conditional for dep. types pubk: * princ -> + type privk: ΠA: + princ. + pubk A -> + type Specifying Crypto-Protocols and their Intruder Models in MSR 63

64 Generating data Again, annotate types nonce:! type shk: + princ -> + princ ->! type shk: + princ -> + princ ->! type Specifying Crypto-Protocols and their Intruder Models in MSR 64

65 Interpreting constructors Mark arguments as input or output _,_: -msg -> -msg -> msg {_} _ : - msg -> ΠA: + princ. ΠB: + princ. + shk A B -> msg {{_}} _ : - msg -> ΠA: + princ. Πk: + pubk A. + privk k -> msg hash: + msg -> msg [_] _ : + msg -> ΠA: * princ. Πk: * sigk A. * verk k -> msg Specifying Crypto-Protocols and their Intruder Models in MSR 65

66 Annotating declarations Integrates semantics of types and constructors Trimmed down version of AC Allows constructing AC rules Allows constructing the Dolev-Yao intruder Specifying Crypto-Protocols and their Intruder Models in MSR 66

67 alternatively Compute AC rules from protocol There are finitely many annotations Check protocol against each of them Keep the most restrictive ones that validate the protocol Exponential! More efficient algorithms? Specifying Crypto-Protocols and their Intruder Models in MSR 67

68 Wrap-up Specifying Crypto-Protocols and their Intruder Models in MSR 68

69 Case-Studies Full Needham-Schroeder public-key Otway-Rees Neuman-Stubblebine repeated auth. OFT group key management Specifying Crypto-Protocols and their Intruder Models in MSR 69

70 Conclusions Framework for specifying protocols Precise Flexible Powerful Provides Type /AC checking Sequential / parallel execution model Insights about Dolev-Yao intruder Specifying Crypto-Protocols and their Intruder Models in MSR 70

71 Future work Experimentation Clark-Jacob library Fair-exchange protocols More multicast Pragmatics Type-reconstruction Operational execution model(s) Implementation Automated specification techniques Specifying Crypto-Protocols and their Intruder Models in MSR 71

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC. MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ PPL 01 March 21 st, 2001 Outline I. Security Protocols II. MSR by Examples

More information

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC. MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ IITD, CSE Dept. Delhi, India April 24 th,2002 Outline Security Protocols

More information

Lecture 7: Specification Languages

Lecture 7: Specification Languages Graduate Course on Computer Security Lecture 7: Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ DIMI, Universita

More information

One Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC. MSR 3.0:

One Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC.  MSR 3.0: MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil One Year Later ITT Industries, inc @ NRL Washington, DC http://www.cs.stanford.edu/~iliano

More information

A Logic of Authentication

A Logic of Authentication A Logic of Authentication by Burrows, Abadi, and Needham Presented by Adam Schuchart, Kathryn Watkins, Michael Brotzman, Steve Bono, and Sam Small Agenda The problem Some formalism The goals of authentication,

More information

Time-Bounding Needham-Schroeder Public Key Exchange Protocol

Time-Bounding Needham-Schroeder Public Key Exchange Protocol Time-Bounding Needham-Schroeder Public Key Exchange Protocol Max Kanovich, Queen Mary, University of London, UK University College London, UCL-CS, UK Tajana Ban Kirigin, University of Rijeka, HR Vivek

More information

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague P. Lincoln, P. Mateus, M. Mitchell Standard analysis methods Finite-state

More information

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols ASIAN 07 A Formal Analysis for Capturing Replay Attacks in Cryptographic s Han Gao 1, Chiara Bodei 2, Pierpaolo Degano 2, Hanne Riis Nielson 1 Informatics and Mathematics Modelling, Technical University

More information

On the Verification of Cryptographic Protocols

On the Verification of Cryptographic Protocols On the Verification of Cryptographic Protocols Federico Cerutti Dipartimento di Ingegneria dell Informazione, Università di Brescia Via Branze 38, I-25123 Brescia, Italy January 11, 2011 Talk at Prof.

More information

The Faithfulness of Abstract Protocol Analysis: Message Authentication

The Faithfulness of Abstract Protocol Analysis: Message Authentication The Faithfulness of Abstract Protocol Analysis: Message Authentication Joshua D. Guttman F. Javier Thayer Lenore D. Zuck December 18, 2002 Abstract Dolev and Yao initiated an approach to studying cryptographic

More information

Proving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory

Proving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a Model Be? too detailed too simple concrete abstract not usable not credible ``proves'' everything ``attacks''

More information

Handling Encryption in an Analysis for Secure Information Flow

Handling Encryption in an Analysis for Secure Information Flow Handling Encryption in an Analysis for Secure Information Flow Peeter Laud peeter l@ut.ee Tartu Ülikool Cybernetica AS ESOP 2003, 7.-11.04.2003 p.1/15 Overview Some words about the overall approach. Definition

More information

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols Han Gao 1,ChiaraBodei 2, Pierpaolo Degano 2, and Hanne Riis Nielson 1 1 Informatics and Mathematical Modelling, Technical University

More information

Authentication Tests and Disjoint Encryption: a Design Method for Security Protocols

Authentication Tests and Disjoint Encryption: a Design Method for Security Protocols Authentication Tests and Disjoint Encryption: a Design Method for Security Protocols Joshua D. Guttman The MITRE Corporation guttman@mitre.org 20 August 2003 Abstract We describe a protocol design process,

More information

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography 1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to

More information

A derivation system and compositional logic for security protocols

A derivation system and compositional logic for security protocols Journal of Computer Security 13 2005) 423 482 423 IOS Press A derivation system and compositional logic for security protocols Anupam Datta a,, Ante Derek a, John C. Mitchell a and Dusko Pavlovic b a Computer

More information

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il

More information

A Theory of Dictionary Attacks and its Complexity

A Theory of Dictionary Attacks and its Complexity A Theory of Dictionary Attacks and its Complexity Stéphanie Delaune, Florent Jacquemard To cite this version: Stéphanie Delaune, Florent Jacquemard. A Theory of Dictionary Attacks and its Complexity. 17th

More information

CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL

CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL INSTITUT FÜR INFORMATIK UND PRAKTISCHE MATHEMATIK A Constraint-Based Algorithm for Contract-Signing Protocols Detlef Kähler, Ralf Küsters Bericht Nr. 0503 April 2005 CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL

More information

Optimal Error Rates for Interactive Coding II: Efficiency and List Decoding

Optimal Error Rates for Interactive Coding II: Efficiency and List Decoding Optimal Error Rates for Interactive Coding II: Efficiency and List Decoding Mohsen Ghaffari MIT ghaffari@mit.edu Bernhard Haeupler Microsoft Research haeupler@cs.cmu.edu Abstract We study coding schemes

More information

Cryptography 2017 Lecture 2

Cryptography 2017 Lecture 2 Cryptography 2017 Lecture 2 One Time Pad - Perfect Secrecy Stream Ciphers November 3, 2017 1 / 39 What have seen? What are we discussing today? Lecture 1 Course Intro Historical Ciphers Lecture 2 One Time

More information

A Semantics for a Logic of Authentication. Cambridge, MA : A; B

A Semantics for a Logic of Authentication. Cambridge, MA : A; B A Semantics for a Logic of Authentication (Extended Abstract) Martn Abadi Digital Equipment Corporation Systems Research Center 130 Lytton Avenue Palo Alto, CA 94301 ma@src.dec.com Abstract: Burrows, Abadi,

More information

Lecture 10: Zero-Knowledge Proofs

Lecture 10: Zero-Knowledge Proofs Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam

More information

Singular curve point decompression attack

Singular curve point decompression attack Singular curve point decompression attack Peter Günther joint work with Johannes Blömer University of Paderborn FDTC 2015, September 13th, Saint Malo Peter Günther (UPB) Decompression Attack FDTC 2015

More information

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation

More information

PKZIP. PKZIP Stream Cipher 1

PKZIP. PKZIP Stream Cipher 1 PKZIP PKZIP Stream Cipher 1 PKZIP Phil Katz s ZIP program Katz invented zip file format o ca 1989 Before that, Katz created PKARC utility o ARC compression was patented by SEA, Inc. o SEA successfully

More information

From Unpredictability to Indistinguishability: A Simple. Construction of Pseudo-Random Functions from MACs. Preliminary Version.

From Unpredictability to Indistinguishability: A Simple. Construction of Pseudo-Random Functions from MACs. Preliminary Version. From Unpredictability to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs Preliminary Version Moni Naor Omer Reingold y Abstract This paper studies the relationship between

More information

Analysing Layered Security Protocols

Analysing Layered Security Protocols Analysing Layered Security Protocols Thomas Gibson-Robinson St Catherine s College University of Oxford A thesis submitted for the degree of Doctor of Philosophy Trinity 2013 Abstract Many security protocols

More information

Compositional System Security in the Presence of Interface-Confined Adversaries

Compositional System Security in the Presence of Interface-Confined Adversaries Compositional System Security in the Presence of Interface-Confined Adversaries Deepak Garg, Jason Franklin, Dilsun Kaynar, Anupam Datta February 19, 2010 CMU-CyLab-10-004 CyLab Carnegie Mellon University

More information

Asymmetric Unification: A New Unification Paradigm for Cryptographic Protocol Analysis

Asymmetric Unification: A New Unification Paradigm for Cryptographic Protocol Analysis Asymmetric Unification: A New Unification Paradigm for Cryptographic Protocol Analysis Serdar Erbatur 6, Santiago Escobar 1, Deepak Kapur 2, Zhiqiang Liu 3, Christopher Lynch 3, Catherine Meadows 4, José

More information

Semantics for Enough-Certainty and Fitting s Embedding of Classical Logic in S4

Semantics for Enough-Certainty and Fitting s Embedding of Classical Logic in S4 Semantics for Enough-Certainty and Fitting s Embedding of Classical Logic in S4 Gergei Bana 1 and Mitsuhiro Okada 2 1 INRIA de Paris, Paris, France bana@math.upenn.edu 2 Department of Philosophy, Keio

More information

Modular Multiset Rewriting in Focused Linear Logic

Modular Multiset Rewriting in Focused Linear Logic Modular Multiset Rewriting in Focused Linear Logic Iliano Cervesato and Edmund S. L. Lam July 2015 CMU-CS-15-117 CMU-CS-QTR-128 School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213

More information

Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers

Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur PROOFS 2016 August

More information

A Composition Theorem for Universal One-Way Hash Functions

A Composition Theorem for Universal One-Way Hash Functions A Composition Theorem for Universal One-Way Hash Functions Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com Abstract. In this paper we present a new scheme

More information

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions Introduction to Modern Cryptography Lecture 7 1. RSA Public Key CryptoSystem 2. One way Trapdoor Functions Diffie and Hellman (76) New Directions in Cryptography Split the Bob s secret key K to two parts:

More information

DM49-2. Obligatoriske Opgave

DM49-2. Obligatoriske Opgave DM49-2. Obligatoriske Opgave Jacob Christiansen, moffe42, 130282 Thomas Nordahl Pedersen, nordahl, 270282 1/4-05 Indhold 1 Opgave 1 - Public Exponent 2 1.1 a.................................. 2 1.2 b..................................

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 20, 2014 CPSC 467, Lecture 15 1/37 Common Hash Functions SHA-2 MD5 Birthday Attack on Hash Functions Constructing New

More information

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup October 12, 2001 Abstract We present several new and fairly practical public-key

More information

A Proof Theory for Generic Judgments

A Proof Theory for Generic Judgments A Proof Theory for Generic Judgments Dale Miller INRIA/Futurs/Saclay and École Polytechnique Alwen Tiu École Polytechnique and Penn State University LICS 2003, Ottawa, Canada, 23 June 2003 Outline 1. Motivations

More information

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,

More information

On the computational soundness of cryptographically masked flows

On the computational soundness of cryptographically masked flows On the computational soundness of cryptographically masked flows Peeter Laud peeter.laud@ut.ee http://www.ut.ee/ peeter l Tartu University & Cybernetica AS & Institute of Cybernetics Mobius annual meeting,

More information

Discrete Logarithm Problem

Discrete Logarithm Problem Discrete Logarithm Problem Finite Fields The finite field GF(q) exists iff q = p e for some prime p. Example: GF(9) GF(9) = {a + bi a, b Z 3, i 2 = i + 1} = {0, 1, 2, i, 1+i, 2+i, 2i, 1+2i, 2+2i} Addition:

More information

CTR mode of operation

CTR mode of operation CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext

More information

TAuth: Verifying Timed Security Protocols

TAuth: Verifying Timed Security Protocols TAuth: Verifying Timed Security Protocols Li Li 1, Jun Sun 2, Yang Liu 3, and Jin Song Dong 1 1 National University of Singapore 2 Singapore University of Technology and Design 3 Nanyang Technological

More information

STRIBOB : Authenticated Encryption

STRIBOB : Authenticated Encryption 1 / 19 STRIBOB : Authenticated Encryption from GOST R 34.11-2012 or Whirlpool Markku-Juhani O. Saarinen mjos@item.ntnu.no Norwegian University of Science and Technology Directions in Authentication Ciphers

More information

On the Complexity of the Hybrid Approach on HFEv-

On the Complexity of the Hybrid Approach on HFEv- On the Complexity of the Hybrid Approach on HFEv- Albrecht Petzoldt National Institute of Standards and Technology, Gaithersburg, Maryland, USA albrecht.petzoldt@gmail.com Abstract. The HFEv- signature

More information

Théorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1

Théorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1 Théorie de l'information et codage Master de cryptographie Cours 10 : RSA 20,23 et 27 mars 2009 Université Rennes 1 Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 1

More information

Dan Boneh. Stream ciphers. The One Time Pad

Dan Boneh. Stream ciphers. The One Time Pad Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.

More information

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu

More information

State and Protocols: The Envelope Example

State and Protocols: The Envelope Example State and Protocols: The Envelope Example rigorous design for protocols using state Daniel J. Dougherty and Joshua D. Guttman Worcester Polytechnic Institute Thanks to: National Science Foundation (Grant

More information

B. Encryption using quasigroup

B. Encryption using quasigroup Sequence Randomization Using Quasigroups and Number Theoretic s Vaignana Spoorthy Ella Department of Computer Science Oklahoma State University Stillwater, Oklahoma, USA spoorthyella@okstateedu Abstract

More information

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today: Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how

More information

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

CSA E0 235: Cryptography March 16, (Extra) Lecture 3 CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which

More information

Analysing the Security of a Non-repudiation Communication Protocol with Mandatory Proof of Receipt

Analysing the Security of a Non-repudiation Communication Protocol with Mandatory Proof of Receipt Analysing the Security of a Non-repudiation Communication Protocol with Mandatory Proof of Receipt TOM COFFEY, PUNEET SAIDHA, PETER URROWS Data Communication Security Laboratory University of Limerick

More information

An Improved Pseudo-Random Generator Based on Discrete Log

An Improved Pseudo-Random Generator Based on Discrete Log An Improved Pseudo-Random Generator Based on Discrete Log Rosario Gennaro IBM T.J.Watson Research Center, P.O. Box 704, Yorktown Heights, NY 10598, rosario@watson.ibm.com Abstract. Under the assumption

More information

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,

More information

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions Chapter 1 Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions 1.1 The IMP Language IMP is a programming language with an extensible syntax that was developed in the late 1960s. We will

More information

Type-Based Automated Verification of Authenticity in Asymmetric Cryptographic Protocols

Type-Based Automated Verification of Authenticity in Asymmetric Cryptographic Protocols Type-Based Automated Verification of Authenticity in Asymmetric Cryptographic Protocols Morten Dahl 2, Naoki Kobayashi 1, Yunde Sun 1, and Hans Hüttel 2 1 Tohoku University 2 Aalborg University Abstract.

More information

Advanced Cryptography 1st Semester Public Encryption

Advanced Cryptography 1st Semester Public Encryption Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability

More information

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015. Crypto math II Alin Tomescu alinush@mit.edu May 7, 015 Abstract A quick overview on group theory from Ron Rivest s 6.857 course in Spring 015. 1 Overview Group theory review Diffie-Hellman (DH) key exchange

More information

Quantitative Evaluation of Chaotic CBC Mode of Operation

Quantitative Evaluation of Chaotic CBC Mode of Operation Quantitative Evaluation of Chaotic CBC Mode of Operation Abdessalem Abidi 1, Qianxue Wang 3, Belgacem bouallègue 1, Mohsen Machhout 1 and Christophe Gyeux 2 1 Electronics and Microelectronics Laboratory

More information

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator

More information

Lecture Notes on Secret Sharing

Lecture Notes on Secret Sharing COMS W4261: Introduction to Cryptography. Instructor: Prof. Tal Malkin Lecture Notes on Secret Sharing Abstract These are lecture notes from the first two lectures in Fall 2016, focusing on technical material

More information

Complexity of automatic verification of cryptographic protocols

Complexity of automatic verification of cryptographic protocols Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic

More information

Causal Consistency for Geo-Replicated Cloud Storage under Partial Replication

Causal Consistency for Geo-Replicated Cloud Storage under Partial Replication Causal Consistency for Geo-Replicated Cloud Storage under Partial Replication Min Shen, Ajay D. Kshemkalyani, TaYuan Hsu University of Illinois at Chicago Min Shen, Ajay D. Kshemkalyani, TaYuan Causal

More information

Arithmétique et Cryptographie Asymétrique

Arithmétique et Cryptographie Asymétrique Arithmétique et Cryptographie Asymétrique Laurent Imbert CNRS, LIRMM, Université Montpellier 2 Journée d inauguration groupe Sécurité 23 mars 2010 This talk is about public-key cryptography Why did mathematicians

More information

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY BURTON ROSENBERG UNIVERSITY OF MIAMI Contents 1. Perfect Secrecy 1 1.1. A Perfectly Secret Cipher 2 1.2. Odds Ratio and Bias 3 1.3. Conditions for Perfect

More information

Cryptography. pieces from work by Gordon Royle

Cryptography. pieces from work by Gordon Royle Cryptography pieces from work by Gordon Royle The set-up Cryptography is the mathematics of devising secure communication systems, whereas cryptanalysis is the mathematics of breaking such systems. We

More information

Introduction to Isabelle/HOL

Introduction to Isabelle/HOL Introduction to Isabelle/HOL 1 Notes on Isabelle/HOL Notation In Isabelle/HOL: [ A 1 ;A 2 ; ;A n ]G can be read as if A 1 and A 2 and and A n then G 3 Note: -Px (P x) stands for P (x) (P(x)) -P(x, y) can

More information

Single Database Private Information Retrieval with Logarithmic Communication

Single Database Private Information Retrieval with Logarithmic Communication Single Database Private Information Retrieval with Logarithmic Communication Yan-Cheng Chang Harvard University ycchang@eecs.harvard.edu February 10, 2004 Abstract In this paper, we study the problem of

More information

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet

More information

Chapter 4 Asymmetric Cryptography

Chapter 4 Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for

More information

Asymmetric Cryptography

Asymmetric Cryptography Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a

More information

Pseudo-random Number Generation. Qiuliang Tang

Pseudo-random Number Generation. Qiuliang Tang Pseudo-random Number Generation Qiuliang Tang Random Numbers in Cryptography The keystream in the one-time pad The secret key in the DES encryption The prime numbers p, q in the RSA encryption The private

More information

On Expected Constant-Round Protocols for Byzantine Agreement

On Expected Constant-Round Protocols for Byzantine Agreement On Expected Constant-Round Protocols for Byzantine Agreement Jonathan Katz Chiu-Yuen Koo Abstract In a seminal paper, Feldman and Micali show an n-party Byzantine agreement protocol in the plain model

More information

Mathematics of Public Key Cryptography

Mathematics of Public Key Cryptography Mathematics of Public Key Cryptography Eric Baxter April 12, 2014 Overview Brief review of public-key cryptography Mathematics behind public-key cryptography algorithms What is Public-Key Cryptography?

More information

CS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing

CS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing Lecture 11: Key Management, Secret Sharing Céline Blondeau Email: celine.blondeau@aalto.fi Department of Computer Science Aalto University, School of Science Key Management Secret Sharing Shamir s Threshold

More information

14 Diffie-Hellman Key Agreement

14 Diffie-Hellman Key Agreement 14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n

More information

15 Public-Key Encryption

15 Public-Key Encryption 15 Public-Key Encryption So far, the encryption schemes that we ve seen are symmetric-key schemes. The same key is used to encrypt and decrypt. In this chapter we introduce public-key (sometimes called

More information

Private Authentication

Private Authentication Private Authentication Martín Abadi University of California at Santa Cruz Cédric Fournet Microsoft Research Abstract Frequently, communication between two principals reveals their identities and presence

More information

Yale University Department of Computer Science

Yale University Department of Computer Science Yale University Department of Computer Science On Backtracking Resistance in Pseudorandom Bit Generation (preliminary version) Michael J. Fischer Mike Paterson Ewa Syta YALEU/DCS/TR-1466 October 24, 2012

More information

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004 CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce

More information

Slides for Chapter 14: Time and Global States

Slides for Chapter 14: Time and Global States Slides for Chapter 14: Time and Global States From Coulouris, Dollimore, Kindberg and Blair Distributed Systems: Concepts and Design Edition 5, Addison-Wesley 2012 Overview of Chapter Introduction Clocks,

More information

Partial Key Exposure: Generalized Framework to Attack RSA

Partial Key Exposure: Generalized Framework to Attack RSA Partial Key Exposure: Generalized Framework to Attack RSA Cryptology Research Group Indian Statistical Institute, Kolkata 12 December 2011 Outline of the Talk 1 RSA - A brief overview 2 Partial Key Exposure

More information

Private Key Cryptography. Fermat s Little Theorem. One Time Pads. Public Key Cryptography

Private Key Cryptography. Fermat s Little Theorem. One Time Pads. Public Key Cryptography Fermat s Little Theorem Private Key Cryptography Theorem 11 (Fermat s Little Theorem): (a) If p prime and gcd(p, a) = 1, then a p 1 1 (mod p). (b) For all a Z, a p a (mod p). Proof. Let A = {1, 2,...,

More information

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2 Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number

More information

Introduction to Cryptography. Lecture 8

Introduction to Cryptography. Lecture 8 Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication

More information

A Constructor-Based Reachability Logic for Rewrite Theories

A Constructor-Based Reachability Logic for Rewrite Theories A Constructor-Based Reachability Logic for Rewrite Theories Stephen Skeirik, Andrei Stefanescu, Jose Meseguer October 10th, 2017 Outline 1 Introduction 2 Reachability Logic Semantics 3 The Invariant Paradox

More information

Maximal Noise in Interactive Communication over Erasure Channels and Channels with Feedback

Maximal Noise in Interactive Communication over Erasure Channels and Channels with Feedback Maximal Noise in Interactive Communication over Erasure Channels and Channels with Feedback Klim Efremenko UC Berkeley klimefrem@gmail.com Ran Gelles Princeton University rgelles@cs.princeton.edu Bernhard

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 19 November 8, 2017 CPSC 467, Lecture 19 1/37 Zero Knowledge Interactive Proofs (ZKIP) ZKIP for graph isomorphism Feige-Fiat-Shamir

More information

Cross-Tool Semantics for Protocol Security Goals

Cross-Tool Semantics for Protocol Security Goals Approved for Public Release; Distribution Unlimited. Case Number 16-1919. Cross-Tool Semantics for Protocol Security Goals Joshua D. Guttman, John D. Ramsdell, and Paul D. Rowe {guttman,ramsdell,prowe}@mitre.org

More information

Group Diffie Hellman Protocols and ProVerif

Group Diffie Hellman Protocols and ProVerif Group Diffie Hellman Protocols and ProVerif CS 395T - Design and Analysis of Security Protocols Ankur Gupta Secure Multicast Communication Examples: Live broadcast of a match, stock quotes, video conferencing.

More information

Multiparty Computation from Threshold Homomorphic Encryption

Multiparty Computation from Threshold Homomorphic Encryption Multiparty Computation from Threshold Homomorphic Encryption Ronald Cramer Ivan Damgård Jesper Buus Nielsen Aarhus University, Dept. of Computer Science, BRICS October 31, 2000 Abstract We introduce a

More information

Lecture Notes on Quantification

Lecture Notes on Quantification Lecture Notes on Quantification 15-317: Constructive Logic Frank Pfenning Lecture 5 September 8, 2009 1 Introduction In this lecture, we introduce universal and existential quantification As usual, we

More information

Solving LPN Using Covering Codes

Solving LPN Using Covering Codes Solving LPN Using Covering Codes Qian Guo 1,2 Thomas Johansson 1 Carl Löndahl 1 1 Dept of Electrical and Information Technology, Lund University 2 School of Computer Science, Fudan University ASIACRYPT

More information

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to

More information

Algebraic Intruder Deductions

Algebraic Intruder Deductions Algebraic Intruder Deductions David Basin, Sebastian Mödersheim, and Luca Viganò Information Security Group, Dep. of Computer Science, ETH Zurich, Switzerland www.infsec.ethz.ch/~{basin,moedersheim,vigano}

More information

8.1 Principles of Public-Key Cryptosystems

8.1 Principles of Public-Key Cryptosystems Public-key cryptography is a radical departure from all that has gone before. Right up to modern times all cryptographic systems have been based on the elementary tools of substitution and permutation.

More information

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4 CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between

More information

Deterministic Finite Automata

Deterministic Finite Automata Deterministic Finite Automata COMP2600 Formal Methods for Software Engineering Ranald Clouston Australian National University Semester 2, 2013 COMP 2600 Deterministic Finite Automata 1 Pop quiz What is

More information