II. Digital signatures
|
|
- Susanna Kelly
- 6 years ago
- Views:
Transcription
1 II. Digital signatures Alice m Bob Eve 1. Did Bob send message m, or was it Eve? 2. Did Eve modify the message m, that was sent by Bob? 1
2 Digital signatures Digital signature - are equivalent of handwritten signatures - guarantee authenticity and integrity of documents - are publicly verifiable (unlike MACs) - are transferable (unlike MACs). 2
3 Digital signatures Definition 2.1 A digital signatur scheme Π is a triple of ppts ( Gen,Sign, Vrfy), where 1. Gen( 1 n ) outputs a key pair ( pk,sk) with pk = sk = n. 2. Sign takes as input a secret key sk and a message m { 0,1} and outputs a signature σ, σ Sign ( sk m). 3. Vrfy takes as input a public key pk, a message m { 0,1}, and a signature σ. It ouputs b { 0,1}, 1 valid, 0 invalid. Vrfy determinitic, b: = Vrfy ( pk m,σ). For every key pair ( pk,sk)and message m: Vrfy ( pk m,sign ( sk m) ) = 1. 3
4 Digital signatures pk pk Alice ( m,σ) pk ( pk,sk) Gen( 1 n ) Bob Vrfy pk? ( m,σ) = 1 Eve σ Sign sk ( m) 4
5 The forging game Signature forging game Sig-forge A,Π 1. ( pk,sk) Gen( 1 n ). ( n) 2. A is given 1 n,pk and oracle access to Sign ( sk ). It outputs pair ( m, σ). Q: = set of queries made by A to Sign ( sk ). 3. Output of experiment is 1, if and only if (1) Vrfy ( pk m,σ) = 1, and (2) m Q. Definition 2.2 Π is called existentially unforgeable under an adaptive chosen-message attack, or secure, if for every ppt adversary A there is a negligible function µ : N R + such that Pr Sig-forge A,Π ( n) = 1 µ ( n ). 5
6 Oracle access Algorithm D has oracle access to function f : U R, if 1. can write elements x U into special memory cells, 2. in one step receives function value f ( x). Notation Write D f ( ) to denote that algorithm D has oracle access to f ( ). 6
7 Existence of secure sigatures Theorem 2.3 Secure digital signature schemes exist if and only if one-way functions exist. 7
8 RSA signatures - prerequisits Z N := ring of integers modulo N Z N := { a Z N : gcd( a,n) = 1} φ ( N) := Z N gcd( a,m) = 1 u,v Z u a + v m = 1 (EEA) u a = 1mod m u = a 1 mod m N = K e p i i φ N i=1 K i=1 ( ) = N ( ) = p i e i p i e i 1 K i=1 ( 1 1 p ) i 8
9 RSA signatures Gen 1 n Sign sk Vrfy pk ( ) : choose 2 random primes p,q 2 n 1,2 n 1 N:= p q,e Z φ N ( ) pk := ( N,e),sk := ( N,d).,d:= e 1 mod φ ( N), ( m) m { 0,1} 2n 3 interpreted as element in Z N, σ := m d mod N. ( m,σ) output 1, if and only if σ e = m mod N., 9
10 RSA signatures - correctness For special case m Z N based on Lemma 2.4 Let N N and m Z N, then m φ ( N ) = 1mod N. 10
11 RSA signatures - efficiency Prime generation 1. choose p 2 n 1,2 n Test whether p is prime, if so output p, otherwise go back to 1. Efficiency based on 1. In 2 n 1,2 n 1 many primes exist (prime number theorem). 2. Efficient primality test exist (Miller-Rabin, AKS) 11
12 RSA signatures - efficiency Exponent generation 1. choose e Z φ ( N ). 2. Test whether gcd( e,φ ( N) ) = 1, if so compute d with e d = 1mod φ ( N), otherwise go back to 1. Efficiency based on 1. In Z M many elements relatively prime to M exist. 2. Can check efficiently whether a,b Z are relatively prime using Eucledean algorithm. 12
13 RSA signatures - efficiency Efficiency of Sign and Vrfy based on 1. arithmetic in Z N can be done efficiently. 2. Exponentiation requires few arithmetic operations using Square-and-Multiply. 13
14 RSA signatures - forgeries existential forgeries Sign ( sk 0) = 0 Sign ( sk 1) = 1 Sign ( sk 1) = 1 selective forgery of Sign sk ( m) query signature oracle with input ˆm := 2 e m mod N and obtain ˆσ. compute σ = 2 1 ˆσ mod N. 14
15 General problem of public-key cryptography Secret key sk must not be efficiently computable from public key pk! General problem for RSA Given e,n ( ) element d Z φ N be efficiently computable. ( ) with e d = 1mod φ ( N) must not Theorem 2.5 Given e,d,n, N = p q for primes p,q, and with e d = 1mod ϕ ( N), then the primes p,q can be computed in time polynomial in log( N). 15
16 Status of factoring problem Two factoring algorithms Number fielde sieve running time ( ( ) 1 3 loglog( N) 2 3 ) exp log N Elliptic curve method running time exp ( log( p) 1 2 loglog( p) 1 2 ), where p smallest prime factor 16
17 Hash-and-Sign ( ) signature scheme with message Π = Ge n,sig n,vrf y length n, Π H = ( Gen H,H) hash function with hash length n. Construction 2.6 Signature scheme Π = ( Gen,sign, Vrfy) defined as: Gen 1 n Sign sk ( ) : p ( k,s k ) Ge n pk := ( p k,s), sk := s k,s ( m) : σ := Sig n s ( k H s ( m) ). ( 1 n ),s Gen ( H 1 n ), ( ) Vrfy pk ( ) = 1. ( m,σ) : output = 1 Vrf y p k H s ( m),σ 17
18 Hash-and-Sign Construction 2.6 Signature scheme Π = ( Gen,sign, Vrfy) defined as: Gen 1 n Sign sk ( ) : p ( k,s k ) Ge n pk := ( p k,s),sk := s k,s ( m) : σ := Sig n s ( k H s ( m) ). ( 1 n ),s Gen ( H 1 n ), ( ) Vrfy pk ( ) = 1. ( m,σ) : output = 1 Vrf y p k H s ( m),σ Theorem 2.7 If Π is secure and Π H is collision-resistant, then Π is secure. 18
19 Hash-and-Sign Construction 2.6 Signature scheme Π = ( Gen,sign, Vrfy) defined as: Gen 1 n Sign sk ( ) : p ( k,s k ) Ge n pk := ( p k,s),sk := s k,s ( m) : σ := Sig n s ( k H s ( m) ). ( 1 n ),s Gen ( H 1 n ), ( ) Vrfy pk ( ) = 1. ( m,σ) : output = 1 Vrf y p k H s ( m),σ Theorem 2.7 If Π is secure and Π H is collision-resistant, then Π is secure. 19
20 RSA signatures ( ) n n 1 n Gen 1 : choose 2 random primes p,q 2,2 1, sk ( ) { } ( σ) N: = p q, pk : = N, 1 e Z φ( N),d: = e mo φ( N) ( e ),sk: = ( N,d). 2n 3 Sign m m 0,1 interpreted as element in Z, σ d : = m mod N. d, e Vrfyp k m, output 1, if and only if σ = m mod N. N 20
21 Random oracle model (ROM) Goal Construct H: { 0,1} R, R <,"random" function. H( x)? Q = ( x 1,H( x 1 )),( x 2,H( x 2 )), { } x Q? H( x) = y If x = x i for x i Q, return H( x i ). If x x i for all x i Q, a) y R b) return H x ( ) = y ( ) c) add pair x,h x ( ) to Q 21
22 Random oracle model (ROM) Q = {( x 1,H( x 1 )),( x 2,H( x 2 )), } H( x)? H x x Q? ( ) = y Random oracel model idealization of - one-way functions - random functions - collision-resistant hash functions. 22
23 RSA-Full-Domain-Hash (RSA-FDH) n By Gen denote an algorithm that on input 1 computes n 1 n 2 random primes p,q 2,2 1,p q, sets N= p q, choos, sets d : e mod N, and outputs 1 es e Z φ( N) = φ( ) ( N,e), sk: ( N, d). pk : = = Construction 2.11 (RSA-FDH) Run Gen 1 n ( ) to obtain pk := N,e ( ) and sk := N,d ( ). Let H: { 0,1} Z N be modeled as a random oracle. Sign on input m { 0,1} and ( N,d) outputs σ := ( H( m) ) d mod N. Vrfy on input m,σ, N,e ( ) outputs 1 σ e = H m ( ) mod N. 23
24 RSA assumption RSA inverting game RSA-inv A,Gen 1. Run Gen to obtain ( N,e). 2. y Z N. ( n) 3. A is given ( N,e) and y. A outputs x Z N. 4. Output of experiment is 1, if and only if x e = y mod N. Write RSA-inv A,Gen ( n) = 1, if output is 1. Definition 2.12 The RSA problem is hard relative to the generation algorithm Gen if for every ppt adversary A there is a negligible function µ : N R + such that Pr RSA-inv A,Gen ( n) = 1 µ ( n ). 24
25 RSA assumption Construction 2.11 (RSA-FDH) Run Gen 1 n ( ) to obtain pk := N,e ( ) and sk := N,d ( ). Let H: { 0,1} Z N be modeled as a random oracle. Sign on input m { 0,1} and ( N,d) outputs σ := ( H( m) ) d mod N. on input m,σ, ( N,e) output 1 σ e = H( m) mod N. Theorem 2.13 If the RSA problem is hard relative to the generation algorithm Gen, then RSA-FDH (Construction 2.11) is existentially unforgeable under an adaptive chosen-message attack. 25
26 From forger to inverter Signature forging game Sig-forge A,Π 1. ( pk,sk) Gen( 1 n ). ( n) 2. A is given 1 n,pk and oracle access to Sign ( sk ). It outputs pair ( m, σ). Q: = set of queries made by A to Sign ( sk ). 3. Output of experiment is 1, if and only if (1) Vrfy ( pk m,σ) = 1, and (2) m Q. ( ) Let q = q n denote number of queries made A, q bounded by polynomial in n. 26
27 From forger to inverter ( ) I on input N,e,y 1. Choose j { 1,,q}. 2. Simulate A with public key ( N,e). Table T stores triples ( m i,σ i,y i ) with meaning that I has set H( m i ) = y i and σ e i = y i mod N. 3. When A makes i-th random oracle query H( m i ), do if i = j, return y otherwise, σ i Z N,y i := σ e i mod N, return y, i add ( m i,σ i,y i ) to T. When A makes signature query m = m i, do if i j, then T contains triple ( m i,σ i,y i ), return σ i. if i = j, then abort experiment. ( ) be A's output. If m = m j and σ e = y mod N, then output σ Let m, σ
28 Existence of secure sigatures Theorem 2.3 Secure digital signature schemes exist if and only if one-way functions exist. 28
29 One-time signatures one One-time signature forging game Sig-forge A,Π 1. ( pk,sk) Gen( 1 n ). ( n) 2. A is given 1 n,pk and may ask single query m to Sign sk It outputs pair ( m,σ),where m m. ( ). 3. Output of experiment is 1, if and only if (1) Vrfy ( pk m,σ) = 1. Definition 2.8 Π is called existentially unforgeable under a single message attack, if for every ppt adversary A there is a negligible function µ : N R + such that one Pr Sig-forge A,Π ( n) = 1 µ ( n ). 29
30 Lamport s one-time signature Construction 2.9 f: { 0,1} { 0,1}, signature scheme Π f = ( Gen,Sign,Vrfy) for messages of length l( n) defined as: Gen( 1 n ) : x i,b { 0,1} n,y i,b = f ( x i,b ),i = 1,,l ( n), b { 0,1}. pk := sk := y 1,0 y 2,0 y l ( n ),0 y 1,1 y 2,1 y l ( n ),1 x 1,0 x 2,0 x l ( n ),0 x 1,1 x 2,1 x l ( n ),1,, Sign sk ( m) : output σ := x 1,m1,,x l n ( ),m = m 1 m l n ( ),m l ( n ) ( ). Vrfy pk ( m,σ) : output = 1 y i,mi = f ( x ) i,mi for i = 1,,l ( n). 30
31 Lamport s one-time signature Construction 2.9 f: 0,1 { } { 0,1} function. Signature scheme Π f = ( Gen,Sign,Vrfy) for messages of length l( n) defined as: Gen( 1 n ) : x i,b { 0,1} n,y i,b = f ( x i,b ),i = 1,,l ( n), b { 0,1}. pk := sk := y 1,0 y 2,0 y l ( n ),0 y 1,1 y 2,1 y l ( n ),1 x 1,0 x 2,0 x l ( n ),0 x 1,1 x 2,1 x l ( n ),1 Sign sk ( m) : output σ := x 1,m1,,x l n Vrfy pk ( ),m l ( n ) ( m,σ) : output = 1 y i,mi = f x i,mi,, ( ),m = m 1 m l n ( ) for i = 1,,l n ( ). ( ). Theorem 2.10 If f is a one-way function, then Π f from Construction 2.9 is existentially unforgeable under a single message attack. 31
32 One-time signatures one One-time signature forging game Sig-forge A,Π 1. ( pk,sk) Gen( 1 n ). ( n) 2. A is given 1 n,pk and may ask single query m to Sign sk It outputs pair ( m,σ),where m m. ( ). 3. Output of experiment is 1, if and only if (1) Vrfy ( pk m,σ) = 1. Definition 2.8 Π is called existentially unforgeable under a single message attack, if for every ppt adversary A there is a negligible function µ : N R + such that one Pr Sig-forge A,Π ( n) = 1 µ ( n ). 32
33 Lamport s one-time signature Theorem 2.10 If f is a one-way function, then Π f from Construction 2.9 is existentially unforgeable under a single message attack. m := message whose signature is requested by A ( m,σ) := A's final output Adverary A outputs forgery at ( i,b),if Vrfy ( pk m,σ) = 1 m i = b and m i m i 33
34 From forger to inverter I on input y * 1. Choose i * { 1,,l},b { 0,1}. 2. For all i { 1,,l},b 0,1 choose x i,b 0,1 { } with ( i,b) i *,b * { } n, set y i,b := f x i,b ( ) do ( ),y i *,b * := y * 3. y 1,0 y 2,0 y l ( n ),0 Simulate A on input pk: = y 1,1 y 2,1 y l ( n ),1 4. When A requests a signature on message m : if m i * = b *, stop otherwise return the correct signature σ = x 1, m1,,x l, ml ( ) with σ = ( x 1,,x l ) 5. When A outputs m, σ if A outputs a forgery at ( i *,b * ), output x i *. ( ) 34
35 Certificates and trusted authorities How can we guarantee that pk A belongs to A? - certificates from trusted authorities (TA) - certificates are signatures - leads to hierarchie of certificates/signatures - must stop at (really) trusted authority 35
Katz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationJohn Hancock enters the 21th century Digital signature schemes. Table of contents
John Hancock enters the 21th century Digital signature schemes Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents From last time: Good news and bad There
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationVI. The Fiat-Shamir Heuristic
VI. The Fiat-Shamir Heuristic - as already seen signatures can be used and are used in practice to design identification protocols - next we show how we can obtain signatures schemes from - protocols using
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018
Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously Digital Signatures Algorithms: Gen() à (sk,pk) Sign(sk,m) à σ Ver(pk,m,σ) à 0/1 Correctness: Pr[Ver(pk,m,Sign(sk,m))=1:
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019
Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationTransitive Signatures Based on Non-adaptive Standard Signatures
Transitive Signatures Based on Non-adaptive Standard Signatures Zhou Sujing Nanyang Technological University, Singapore, zhousujing@pmail.ntu.edu.sg Abstract. Transitive signature, motivated by signing
More informationDigital signature schemes
Digital signature schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction digital signature scheme security of digital
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationConstructing secure MACs Message authentication in action. Table of contents
Constructing secure MACs Message authentication in action Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents From last time Recall the definition of message
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationDigital Signatures. p1.
Digital Signatures p1. Digital Signatures Digital signature is the same as MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem. Message m MAC k (m) Message
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationSchnorr Signature. Schnorr Signature. October 31, 2012
. October 31, 2012 Table of contents Salient Features Preliminaries Security Proofs Random Oracle Heuristic PKS and its Security Models Hardness Assumption The Construction Oracle Replay Attack Security
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationOptimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample
Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample Fuchun Guo 1, Rongmao Chen 2, Willy Susilo 1, Jianchang Lai 1, Guomin Yang 1, and Yi Mu 1 1 Institute
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationThreshold RSA for Dynamic and Ad-Hoc Groups
Threshold RSA for Dynamic and Ad-Hoc Groups Rosario Gennaro, Shai Halevi, Hugo Krawczyk, Tal Rabin IBM T.J.Watson Research Center Hawthorne, NY USA Abstract. We consider the use of threshold signatures
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More information1 Basic Number Theory
ECS 228 (Franklin), Winter 2013, Crypto Review 1 Basic Number Theory This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationCryptographic Hardness Assumptions
Chapter 2 Cryptographic Hardness Assumptions As noted in the previous chapter, it is impossible to construct a digital signature scheme that is secure against an all-powerful adversary. Instead, the best
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationIntroduction to Cryptography
B504 / I538: Introduction to Cryptography Spring 2017 Lecture 12 Recall: MAC existential forgery game 1 n Challenger (C) k Gen(1 n ) Forger (A) 1 n m 1 m 1 M {m} t 1 MAC k (m 1 ) t 1 m 2 m 2 M {m} t 2
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationSIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography
SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 8 of Trappe and Washington DIGITAL SIGNATURES message sig 1. How do we bind
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationTightly-Secure Signatures From Lossy Identification Schemes
Tightly-Secure Signatures From Lossy Identification Schemes Michel Abdalla, Pierre-Alain Fouque, Vadim Lyubashevsky, and Mehdi Tibouchi 2 École normale supérieure {michel.abdalla,pierre-alain.fouque,vadim.lyubashevsky}@ens.fr
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationCryptographic Solutions for Data Integrity in the Cloud
Cryptographic Solutions for Stanford University, USA Stanford Computer Forum 2 April 2012 Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. Homomorphic
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationPSS Is Secure against Random Fault Attacks
PSS Is Secure against Random Fault Attacks Jean-Sébastien Coron and Avradip Mandal University of Luxembourg Abstract. A fault attack consists in inducing hardware malfunctions in order to recover secrets
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #9 Sep 22 nd 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Midterm #1, next class (Tues, Sept 27 th ) All lecture materials and readings
More informationPublic Key Cryptography
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Public Key Cryptography EECE 412 1 What is it? Two keys Sender uses recipient s public key to encrypt Receiver uses his private key to decrypt
More informationConstructing Provably-Secure Identity-Based Signature Schemes
Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of Science, Bangalore November 23, 2013 Overview Table of contents Background Formal Definitions Schnorr Signature
More informationPractice Exam Winter 2018, CS 485/585 Crypto March 14, 2018
Practice Exam Name: Winter 2018, CS 485/585 Crypto March 14, 2018 Portland State University Prof. Fang Song Instructions This exam contains 8 pages (including this cover page) and 5 questions. Total of
More informationDATA PRIVACY AND SECURITY
DATA PRIVACY AND SECURITY Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2018-2019 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationLecture 10. Public Key Cryptography: Encryption + Signatures. Identification
Lecture 10 Public Key Cryptography: Encryption + Signatures 1 Identification Public key cryptography can be also used for IDENTIFICATION Identification is an interactive protocol whereby one party: prover
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationSecurity Analysis of an Identity-Based Strongly Unforgeable Signature Scheme
Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme Kwangsu Lee Dong Hoon Lee Abstract Identity-based signature (IBS) is a specific type of public-key signature (PKS) where any
More informationSecure Signatures and Chosen Ciphertext Security in a Post-Quantum World
Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World Dan Boneh Mark Zhandry Stanford University {dabo,zhandry}@cs.stanford.edu Abstract We initiate the study of quantum-secure digital
More information1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2
Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number
More informationIntroduction to Cryptology. Lecture 20
Introduction to Cryptology Lecture 20 Announcements HW9 due today HW10 posted, due on Thursday 4/30 HW7, HW8 grades are now up on Canvas. Agenda More Number Theory! Our focus today will be on computational
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationLecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers
1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationCSC 5930/9010 Modern Cryptography: Number Theory
CSC 5930/9010 Modern Cryptography: Number Theory Professor Henry Carter Fall 2018 Recap Hash functions map arbitrary-length strings to fixedlength outputs Cryptographic hashes should be collision-resistant
More informationShort Signatures Without Random Oracles
Short Signatures Without Random Oracles Dan Boneh and Xavier Boyen (presented by Aleksandr Yampolskiy) Outline Motivation Preliminaries Secure short signature Extensions Conclusion Why signatures without
More informationFoundations of Cryptography
- 111 - Foundations of Cryptography Notes of lecture No. 10B & 11 (given on June 11 & 18, 1989) taken by Sergio Rajsbaum Summary In this lecture we define unforgeable digital signatures and present such
More informationMATH UN Midterm 2 November 10, 2016 (75 minutes)
Name: UNI: Instructor: Shrenik Shah MATH UN3025 - Midterm 2 November 10, 2016 (75 minutes) This examination booklet contains 6 problems. There are 10 sheets of paper including the front cover. This is
More informationLecture 10: NMAC, HMAC and Number Theory
CS 6903 Modern Cryptography April 10, 2008 Lecture 10: NMAC, HMAC and Number Theory Instructor: Nitesh Saxena Scribes: Jonathan Voris, Md. Borhan Uddin 1 Recap 1.1 MACs A message authentication code (MAC)
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationMarch 19: Zero-Knowledge (cont.) and Signatures
March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o
More informationCS483 Design and Analysis of Algorithms
CS483 Design and Analysis of Algorithms Lectures 2-3 Algorithms with Numbers Instructor: Fei Li lifei@cs.gmu.edu with subject: CS483 Office hours: STII, Room 443, Friday 4:00pm - 6:00pm or by appointments
More informationNew Approach for Selectively Convertible Undeniable Signature Schemes
New Approach for Selectively Convertible Undeniable Signature Schemes Kaoru Kurosawa 1 and Tsuyoshi Takagi 2 1 Ibaraki University, Japan, kurosawa@mx.ibaraki.ac.jp 2 Future University-Hakodate, Japan,
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationCS 355: Topics in Cryptography Spring Problem Set 5.
CS 355: Topics in Cryptography Spring 2018 Problem Set 5 Due: June 8, 2018 at 5pm (submit via Gradescope) Instructions: You must typeset your solution in LaTeX using the provided template: https://crypto.stanford.edu/cs355/homework.tex
More informationLecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from
Lecture 14 More on Digital Signatures and Variants COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Setting the Stage We will cover in more depth some issues for
More informationInstructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year
Data Privacy and Security Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2017-2018 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 15 2018 Review Hash functions Collision resistance Merkle-Damgaard
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationWinter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2
0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod
More informationLecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]
CMSC 858K Advanced Topics in Cryptography February 19, 2004 Lecturer: Jonathan Katz Lecture 8 Scribe(s): Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan 1 Introduction Last time we introduced
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationChapter 7: Signature Schemes. COMP Lih-Yuan Deng
Chapter 7: Signature Schemes COMP 7120-8120 Lih-Yuan Deng lihdeng@memphis.edu Overview Introduction Security requirements for signature schemes ElGamal signature scheme Variants of ElGamal signature scheme
More informationOutline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More informationA Security Proof of KCDSA using an extended Random Oracle Model
A Security Proof of KCDSA using an extended Random Oracle Model Vikram Singh Abstract We describe a tight security reduction to the discrete logarithm problem for KCDSA under an extended Random Oracle
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationMathematical Foundations of Public-Key Cryptography
Mathematical Foundations of Public-Key Cryptography Adam C. Champion and Dong Xuan CSE 4471: Information Security Material based on (Stallings, 2006) and (Paar and Pelzl, 2010) Outline Review: Basic Mathematical
More informationTheme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS
1 C Theme : Cryptography Instructor : Prof. C Pandu Rangan Speaker : Arun Moorthy 93115 CS 2 RSA Cryptosystem Outline of the Talk! Introduction to RSA! Working of the RSA system and associated terminology!
More informationSIS-based Signatures
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin February 26, 2013 Basics We will use the following parameters: n, the security parameter. =poly(n). m 2n log s 2 n
More informationMessage Authentication
Motivation Message Authentication 15-859I Spring 2003 Suppose Alice is an ATM and Bob is a Ban, and Alice sends Bob messages about transactions over a public channel Bob would lie to now that when he receives
More informationComparing With RSA. 1 ucl Crypto Group
Comparing With RSA Julien Cathalo 1, David Naccache 2, and Jean-Jacques Quisquater 1 1 ucl Crypto Group Place du Levant 3, Louvain-la-Neuve, b-1348, Belgium julien.cathalo@uclouvain.be, jean-jacques.quisquater@uclouvain.be
More informationRSA and Rabin Signatures Signcryption
T-79.5502 Advanced Course in Cryptology RSA and Rabin Signatures Signcryption Alessandro Tortelli 26-04-06 Overview Introduction Probabilistic Signature Scheme PSS PSS with message recovery Signcryption
More informationChapter 11 : Private-Key Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1 Chapter 11 Public-Key Encryption Apologies: all numbering
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More information