Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.
|
|
- Nelson Willis
- 6 years ago
- Views:
Transcription
1 Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions Hash-then-Invert Paradigm Zero-Knowledge Proofs The Forking Lemma MPRI Paris NS/CNRS/INRI Cascade David Pointcheval 1/51ENS/CNRS/INRI Cascade David Pointcheval 2/51 Public-Key Encryption Public-Key Encryption Signatures 2 dvanced Security for Signature Goal: Privacy/Secrecy of the plaintext NS/CNRS/INRI Cascade David Pointcheval 3/51ENS/CNRS/INRI Cascade David Pointcheval 4/51
2 OW CP Security Game IND CP Security Game m * random r * random m * c * r * m * =? m E m Succ ow S () = Pr[(sk, pk) K(); m R M; c = E pk (m) : (pk, c) m] k e G k d b {0,1} r random? b = b m 0 m 1 m r b E c * b k e G (sk, pk) K();(m 0, m 1, state) (pk); b R {0, 1};c = E pk (m b ); b (state, c) k d dv ind cpa S ()=Pr[b = 1 b = 1] Pr[b = 1 b = 0] = 2 Pr[b = b] 1 NS/CNRS/INRI Cascade David Pointcheval 5/51ENS/CNRS/INRI Cascade David Pointcheval 6/51 Signature Public-Key Encryption Signatures 2 dvanced Security for Signature Goal: uthentication of the sender NS/CNRS/INRI Cascade David Pointcheval 7/51ENS/CNRS/INRI Cascade David Pointcheval 8/51
3 EUF NM k v G k s V(k v,m,σ)? (m,σ) 2 dvanced Security for Signature dvanced Security Notions Hash-then-Invert Paradigm Succ euf SG () = Pr[(sk, pk) K(); (m, σ) (pk) : V pk(m, σ) = 1] NS/CNRS/INRI Cascade David Pointcheval 9/51ENS/CNRS/INRI Cascade David Pointcheval 10/51 Signature EUF NM k v G k s (m,σ) V(k v,m,σ)? Goal: uthentication of the sender The adversary knows the public key only, whereas signatures are not private! NS/CNRS/INRI Cascade David Pointcheval 11/51ENS/CNRS/INRI Cascade David Pointcheval 12/51
4 EUF CM SUF CM [Stern-Pointcheval-Malone-Lee-Smart Crypto 01] k v G k s k v G k s i, m m i V(k v,m,σ)? (m,σ) The adversary has access to any signature of its choice: Chosen-Message ttacks (oracle access): [ (sk, pk) K(); (m, σ) SG () = Pr S (pk) : i, m m i V pk (m, σ) = 1 m i σ i S ] (m,σ) i, (m,σ) (m i,σ i ) V(k v,m,σ)? The notion is even stronger (in case of probabilistic signature): also known as non-malleability: [ Succ suf cma (sk, pk) K(); (m, σ) SG () = Pr S (pk) : i, (m, σ) (m i, σ i ) V pk (m, σ) = 1 m i σ i S ] NS/CNRS/INRI Cascade David Pointcheval 13/51ENS/CNRS/INRI Cascade David Pointcheval 14/51 Full-Domain Hash Signature [Bellare-Rogaway Eurocrypt 94] Signature Scheme 2 dvanced Security for Signature dvanced Security Notions Hash-then-Invert Paradigm R Key generation: the public key f P is a trapdoor one-way bijection from X onto Y ; the private key is the inverse g : Y X; Signature of M Y : σ = g(m); Verification of (M, σ): check f (σ) = M Full-Domain Hash (Hash-and-Invert) H : {0, 1} Y in order to sign m, one computes M = H(m) Y, and σ = g(m) and the verification consists in checking whether f (σ) = H(m) NS/CNRS/INRI Cascade David Pointcheval 15/51ENS/CNRS/INRI Cascade David Pointcheval 16/51
5 Random Oracle Model Security of the Signature Random Oracle H is modelled as a truly random function, from {0, 1} into Y. Formally, H is chosen at random at the beginning of the game. More concretely, for any new query, a random element in Y is uniformly and independently drawn ny security game becomes: [ SG ()=Pr H R Y ; (sk, pk) K(); (m, σ) S,H (pk) : i, m m i V pk (m, σ) = 1 ] Theorem The signature achieves EUF CM security, under the One-Wayness of P, in the Random Oracle Model: ssumptions: (t) q H Succ ow P (t + q Hτ f ) any signing query has been first asked to H the forgery has been asked to H τ f is the maximal time to evaluate f P NS/CNRS/INRI Cascade David Pointcheval 17/51ENS/CNRS/INRI Cascade David Pointcheval 18/51 Real ttack Game Simulations Game 0 K Oracles S H Game 0 : use of the oracles K, S and H Game 1 : use of the simulation of the Random Oracle Random Oracle dversary H(m): M R Y, output M pk m,σ Challenger (pk, sk) K() Checks (m,σ) if new and valid: 1 else 0 0 / 1 Key Generation Oracle K(): (f, g) R P, sk g, pk f Simulation of H H(m): µ R X, output M = f (µ) = Hop-D-Perfect: Pr Game1 [1] = Pr Game0 [1] Game 2 : use of the simulation of the Signing Oracle Simulation of S S(m): find µ such that M = H(m) = f (µ), output σ = µ Signing Oracle S(m): M = H(m), output σ = g(m) = Hop-S-Perfect: Pr Game2 [1] = Pr Game1 [1] NS/CNRS/INRI Cascade David Pointcheval 19/51ENS/CNRS/INRI Cascade David Pointcheval 20/51
6 H-Query Selection OW Instance Game 3 : random index t Event Ev R {1,..., q H } If the t-th query to H is not the output forgery We terminate the game and output 0 if Ev happens = Hop-S-Non-Negl Then, clearly = Pr[ Ev] Game 3 Game 2 = 1 Game 3 Game 2 q H Pr[Ev] = 1 1/q H R Game 4 : P OW instance (f, y) (where f P, x R X, y = f (x)) Use of the simulation of the Key Generation Oracle Simulation of K K(): set pk f Modification of the simulation of the Random Oracle Simulation of H If this is the t-th query, H(m): M y, output M The unique difference is for the t-th simulation of the random oracle, for which we cannot compute a signature. But since it corresponds to the forgery output, it cannot be queried to the signing oracle: = Hop-S-Perfect: Pr Game4 [1] = Pr Game3 [1] NS/CNRS/INRI Cascade David Pointcheval 21/51ENS/CNRS/INRI Cascade David Pointcheval 22/51 Summary Key Size In Game 4, when the output is 1, σ = g(y) = g(f (x)) = x and the simulator computes one exponentiation per hashing: Game 4 Succ ow P (t + q Hτ f ) Game 4 = Game 3 Game 3 = 1 Game 2 q H Game 2 = Game 1 Game 1 = Game 0 = () Game 0 () q H Succ ow P (t + q Hτ f ) () q H Succ ow P (t + q Hτ f ) If one wants (t) ε with t/ε 280 If one allows q H up to 2 60 Then one needs Succ ow P (t) ε with t/ε If one uses -RS: at least 3072 bit keys are needed. NS/CNRS/INRI Cascade David Pointcheval 23/51ENS/CNRS/INRI Cascade David Pointcheval 24/51
7 Improvement [Coron Crypto 00] Signature Oracle In the case that f is homomorphic (as RS): f (ab) = f (a)f (b) Game 0 : use of the oracles K, S and H Game 1 : use of the simulation of the Random Oracle Simulation of H H(m): µ R X, output M = f (µ) = Hop-D-Perfect: Pr Game1 [1] = Pr Game0 [1] Game 2 : use of the homomorphic property R P OW instance (f, y) (where f P, x R X, y = f (x)) Game 3 : use of the simulation of the Signing Oracle Simulation of S S(m): find µ such that M = H(m) = f (µ), output σ = µ Fails (with output 0) if H(m) = M = y f (µ): but with probability p q S = Hop-S-Non-Negl: Pr Game3 [1] = Pr Game2 [1] p q S Simulation of H H(m): flip a biased coin b (with Pr[b = 0] = p), µ R X. If b = 0, output M = f (µ), otherwise output M = y f (µ) = Hop-D-Perfect: Pr Game2 [1] = Pr Game1 [1] NS/CNRS/INRI Cascade David Pointcheval 25/51ENS/CNRS/INRI Cascade David Pointcheval 26/51 Summary Key Size In Game 3, when the output is 1, with probability 1 p: σ = g(m) = g(y f (µ)) = g(y) g(f (µ)) = g(f (x)) µ = x µ Succ ow Game 3 P (t + q Hτ f )/(1 p) Game 3 = p q S Game 2 Game 2 = Game 1 Game 1 = Game 0 = () Game 0 () 1 (1 p)p q S Succ ow P (t + q Hτ f ) () 1 (1 p)p q S The maximal for p (1 p)p q S is reached for p = 1 1 q S + 1 Succ ow P (t + q Hτ f ) ( 1 q S ) qs e 1 q S + 1 q S If one wants (t) ε with t/ε 280 If one allows q S up to 2 30 Then one needs Succ ow P (t) ε with t/ε If one uses -RS: 2048 bit keys are enough. NS/CNRS/INRI Cascade David Pointcheval 27/51ENS/CNRS/INRI Cascade David Pointcheval 28/51
8 Proof of Knowledge How do I prove that I know a solution s to a problem P? Public Data P 2 dvanced Security for Signature Prover Verifier Zero-Knowledge Proofs The Forking Lemma ω Secret s communication Polynomial Size B ω B Polynomial Time NS/CNRS/INRI Cascade David Pointcheval 29/51ENS/CNRS/INRI Cascade David Pointcheval 30/51 Proof of Knowledge: Soundness Proof of Knowledge: Zero-Knowledge If I can be accepted, I really know a solution: extractor Public Data P How do I prove that I know a solution s to a problem P? I reveal the solution... How can do it without revealing any information? Zero-knowledge: simulator Prover Extractor Public Data P s ω communication ω E s ω E s Prover Simulator ω communication Indistinguishable Verifier B S ωs communication ω B NS/CNRS/INRI Cascade David Pointcheval 31/51ENS/CNRS/INRI Cascade David Pointcheval 32/51
9 Proof of Knowledge How do I prove that I know a 3-color covering, without revealing any information? Secure Multiple Proofs of Knowledge: uthentication If there exists an efficient adversary, then one can solve the underlying problem: Cheater C 1 ω1 communication Simulator S ω S (a) Hist Public Data P I choose a random permutation on the colors and I apply it to the vertices I mask the vertices and send it to the verifier The verifier chooses an edge I open it The verifier checks the validity: 2 different colors Cheater C 2 ω2 communication ω 2 Extractor E ωe s NS/CNRS/INRI Cascade David Pointcheval 33/51ENS/CNRS/INRI Cascade David Pointcheval 34/51 Schnorr Proofs [Schnorr Eurocrypt 89 - Crypto 89] Generic Zero-Knowledge Proofs Zero-Knowledge Proof Setting: (G = g ) of order q P knows x, such thaty = g x and wants to prove it to V P chooses K R Z q sets and sends r = g K V chooses h R {0, 1} k and sends it to P P computes and sends s = K + xh mod q V checks whether r? = g s y h Signature (G = g ) of order q H: {0, 1} Z q Key Generation (y, x) private key x Z q public key y = g x Signature of m (r, h, s) K R Z q r = g K h = H(m, r) and s = K + xh mod q Verification of (m, r, s) compute h = H(m, r) and check r? = g s y h Zero-Knowledge Proof Proof of knowledge of x, such that R(x, y) P builds a commitment r and sends it to V V chooses a challenge h R {0, 1} k for P P computes and sends the answer s V checks (r, h, s) Signature H viewed as a random oracle Key Generation (y, x) private: x public: y Signature of m (r, h, s) Commitment r Challenge h = H(m, r) nswer s Verification of (m, r, s) compute h = H(m, r) and check (r, h, s) NS/CNRS/INRI Cascade David Pointcheval 35/51ENS/CNRS/INRI Cascade David Pointcheval 36/51
10 Σ Protocols Zero-Knowledge Proof Proof of knowledge of x P sends a commitment r V sends a challenge h P sends the answer s V checks (r, h, s) Signature Key Generation (y, x) Signature of m (r, h, s) Commitment r Challenge h = H(m, r) nswer s Verification of (m, r, s) compute h = H(m, r) and check (r, h, s) 2 dvanced Security for Signature Zero-Knowledge Proofs The Forking Lemma Special soundness If one can answer to two different challenges h h : s and s for a unique commitment r, one can extract x NS/CNRS/INRI Cascade David Pointcheval 37/51ENS/CNRS/INRI Cascade David Pointcheval 38/51 Splitting Lemma Splitting Lemma Proof Idea When a subset is large in a product space X Y, it has many large sections. The Splitting Lemma Let X Y such that Pr[(x, y) ] ε. For any α < ε, define { } B α = (x, y) X Y Pr [(x, y ) ] ε α, then y Y (i) Pr[B α ] α (ii) (x, y) B α, Pr y Y [(x, y ) ] ε α. (iii) Pr[B α ] α/ε. (i) we argue by contradiction, using the notation B for the complement of B in X Y. ssume that Pr[B α ] < α. Then, ε Pr[B] Pr[ B] + Pr[ B] Pr[ B] < α (ε α) = ε. (ii) straightforward. (iii) using Bayes law: Pr[B ] = 1 Pr[ B ] = 1 Pr[ B] Pr[ B]/ Pr[] 1 (ε α)/ε = α/ε. NS/CNRS/INRI Cascade David Pointcheval 39/51ENS/CNRS/INRI Cascade David Pointcheval 40/51
11 Forking Lemma [Pointcheval-Stern Eurocrypt 96] Forking Lemma Proof Theorem (The Forking Lemma) Let (K, S, V) be a digital signature scheme with security parameter k, with a signature as above, of the form (m, r, h, s), where h = H(m, r) and s depends on r and h only. Let be a probabilistic polynomial time Turing machine whose input only consists of public data and which can ask q H queries to the random oracle, with q H > 0. We assume that, within the time bound T, produces, with probability ε 7q H /2 k, a valid signature (m, r, h, s). Then, within time T 16q H T /ε, and with probability ε 1/9, a replay of this machine outputs two valid signatures (m, r, h, s) and (m, r, h, s ) such that h h. is a PPTM with random tape ω. During the attack, asks a polynomial number of queries to H. We may assume that these questions are distinct: Q 1,..., Q qh are the q H distinct questions and let H = (h 1,..., h qh ) be the list of the q H answers of H. Note: a random choice of H = a random choice of H. For a random choice of (ω, H), with probability ε, outputs a valid signature (m, r, h, s). Since H is a random oracle, the probability for h to be equal to H(m, r) is less than 1/2 k, unless it has been asked during the attack. ccordingly, we define Ind H (ω) to be the index of this question: (m, r) = Q IndH (ω) (Ind H (ω) = if the question is never asked). NS/CNRS/INRI Cascade David Pointcheval 41/51ENS/CNRS/INRI Cascade David Pointcheval 42/51 Forking Lemma Proof Forking Lemma Proof We then define the sets S = { (ω, H) H (ω) succeeds & Ind H (ω) }, S i = { (ω, H) H (ω) succeeds & Ind H (ω) = i } i {1,..., q H }. Note: the set {S i } is a partition of S. ν = Pr[S] ε 1/2 k. Since ε 7q H /2 k 7/2 k, then ν 6ε/7. Let I be the set consisting of the most likely indices i, I = {i Pr[S i S] 1/2q H }. Lemma Pr[Ind H (ω) I S] 1 2. By definition of S i, Pr[Ind H (ω) I S] = Pr[S i S] = 1 Pr[S i S]. i I i I Since the complement of I contains fewer than q H elements, Pr[S i S] q H 1/2q H 1/2. i I NS/CNRS/INRI Cascade David Pointcheval 43/51ENS/CNRS/INRI Cascade David Pointcheval 44/51
12 Forking Lemma Proof Forking Lemma Proof We run 2/ε times, with independent random ω and random H. Since ν = Pr[S] 6ε/7, with probability greater than 1 (1 ν) 2/ε 4/5, we get at least one pair (ω, H) in S. We apply the Splitting Lemma, with ε = ν/2q h and α = ε/2, for i I. We denote by H i the restriction of H to queries of index < i. Since Pr[S i ] ν/2q H, there exists a subset Ω i such that, (ω, H) Ω i, Pr H [(ω, H ) S i H i = H i ] ν 4q H Pr[Ω i S i ] 1 2. Since all the subsets S i are disjoint, Pr [( i I) (ω, H) Ω i S i S] ω,h [ ] = Pr (Ω i S i ) S = Pr[Ω i S i S] i I i I = ( ) Pr[Ω i S i ] Pr[S i S] Pr[S i S] / i I i I We let β denote the index Ind H (ω) of to the successful pair. With prob. at least 1/4, β I and (ω, H) S β Ω β. With prob. greater than 4/5 1/4 = 1/5, the 2/ε attacks provided a successful pair (ω, H), with β = Ind H (ω) I and (ω, H) S β. NS/CNRS/INRI Cascade David Pointcheval 45/51ENS/CNRS/INRI Cascade David Pointcheval 46/51 Forking Lemma Proof Forking Lemma Proof We know that Pr H [(ω, H ) S β H β = H β] ν/4q H. Then Pr H [(ω, H ) S β and h β h β H β = H β] Pr H [(ω, H ) S β H β = H β] Pr H [h β = h β] ν/4q H 1/2 k, where h β = H(Q β ) and h β = H (Q β ). Using the assumption that ε 7q H /2 k, the above prob. is ε/14q H. We replay the attack 14q H /ε times with a new random oracle H such that H β = H β, and get another success with probability greater than 1 (1 ε/14q H ) 14q H/ε 3/5. H H Q 1 h 1 (m, r) Q i 1 Q i hi 1 h i h i Q j... (m, r, h h j i, s) h j (m, r, h i, s ) Finally, after less than 2/ε + 14q H /ε repetitions of the attack, with probability greater than 1/5 3/5 1/9, we have obtained two signatures (m, r, h, s) and (m, r, h, s ), both valid w.r.t. their specific random oracle H or H : Q β = (m, r) and h = H(Q β ) H (Q β ) = h. NS/CNRS/INRI Cascade David Pointcheval 47/51ENS/CNRS/INRI Cascade David Pointcheval 48/51
13 Chosen-Message ttacks In order to answer signing queries, one simply uses the simulator of the zero-knowledge proof: (r, h, s), and we set H(m, r) h. The random oracle programming may fail, but with negligible probability. Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions Hash-then-Invert Paradigm Zero-Knowledge Proofs The Forking Lemma NS/CNRS/INRI Cascade David Pointcheval 49/51ENS/CNRS/INRI Cascade David Pointcheval 50/51 Conclusion Two generic methodologies for signatures hash and invert the Forking Lemma Both in the random-oracle model Cramer-Shoup: based on the flexible RS problem Based on Pairings etc NS/CNRS/INRI Cascade David Pointcheval 51/51
Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationSchnorr Signature. Schnorr Signature. October 31, 2012
. October 31, 2012 Table of contents Salient Features Preliminaries Security Proofs Random Oracle Heuristic PKS and its Security Models Hardness Assumption The Construction Oracle Replay Attack Security
More informationSome Security Comparisons of GOST R and ECDSA Signature Schemes
Some Security Comparisons of GOST R 34.10-2012 and ECDSA Signature Schemes Trieu Quang Phong Nguyen Quoc Toan Institute of Cryptography Science and Technology Gover. Info. Security Committee, Viet Nam
More informationSecurity Arguments for Digital Signatures and Blind Signatures
J. Cryptology (2000) 13: 361 396 DOI: 10.1007/s001450010003 2000 International Association for Cryptologic Research Security Arguments for Digital Signatures and Blind Signatures David Pointcheval and
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More informationConstructing Provably-Secure Identity-Based Signature Schemes
Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of Science, Bangalore November 23, 2013 Overview Table of contents Background Formal Definitions Schnorr Signature
More informationQ B (pk, sk) Gen x u M pk y Map pk (x) return [B(pk, y)? = x]. (m, s) A O h
MTAT.07.003 Cryptology II Spring 2012 / Exercise session?? / Example Solution Exercise (FRH in RO model). Show that the full domain hash signature is secure against existential forgeries in the random
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationDigital Signatures from Challenge-Divided Σ-Protocols
Digital Signatures from Challenge-Divided Σ-Protocols Andrew C. Yao Yunlei Zhao Abstract Digital signature is one of the basic primitives in cryptography. A common paradigm of obtaining signatures, known
More informationProvable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationDesign Validations for Discrete Logarithm Based Signature Schemes
Proceedings of the 2000 International Workshop on Practice and Theory in Public Key Cryptography (PKC 2000) (18 20 january 2000, Melbourne, Australia) H. Imai and Y. Zheng Eds. Springer-Verlag, LNCS 1751,
More informationSecurity Proofs for Signature Schemes. Ecole Normale Superieure. 45, rue d'ulm Paris Cedex 05
Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern Jacques.Stern@ens.fr Ecole Normale Superieure Laboratoire d'informatique 45, rue d'ulm 75230 Paris Cedex 05
More informationChosen-Ciphertext Security without Redundancy
This is the full version of the extended abstract which appears in Advances in Cryptology Proceedings of Asiacrypt 03 (30 november 4 december 2003, Taiwan) C. S. Laih Ed. Springer-Verlag, LNCS 2894, pages
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationUninstantiability of Full-Domain Hash
Uninstantiability of based on On the Generic Insecurity of, Crypto 05, joint work with Y.Dodis and R.Oliveira Krzysztof Pietrzak CWI Amsterdam June 3, 2008 Why talk about this old stuff? Why talk about
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationBasics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018
Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval
More informationSecure and Practical Identity-Based Encryption
Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.
More informationChosen Ciphertext Security with Optimal Ciphertext Overhead
Chosen Ciphertext Security with Optimal Ciphertext Overhead Masayuki Abe 1, Eike Kiltz 2 and Tatsuaki Okamoto 1 1 NTT Information Sharing Platform Laboratories, NTT Corporation, Japan 2 CWI Amsterdam,
More informationNew Approach for Selectively Convertible Undeniable Signature Schemes
New Approach for Selectively Convertible Undeniable Signature Schemes Kaoru Kurosawa 1 and Tsuyoshi Takagi 2 1 Ibaraki University, Japan, kurosawa@mx.ibaraki.ac.jp 2 Future University-Hakodate, Japan,
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationON CIPHERTEXT UNDETECTABILITY. 1. Introduction
Tatra Mt. Math. Publ. 41 (2008), 133 151 tm Mathematical Publications ON CIPHERTEXT UNDETECTABILITY Peter Gaži Martin Stanek ABSTRACT. We propose a novel security notion for public-key encryption schemes
More informationRSA OAEP is Secure under the RSA Assumption
RSA OAEP is Secure under the RSA Assumption Eiichiro Fujisaki 1, Tatsuaki Okamoto 1, David Pointcheval 2, and Jacques Stern 2 1 NTT Labs, 1-1 Hikarino-oka, Yokosuka-shi, 239-0847 Japan. E-mail: {fujisaki,okamoto}@isl.ntt.co.jp.
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationFrom Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes
From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer
More informationThe Gap-Problems: a New Class of Problems for the Security of Cryptographic Schemes
Proceedings of the 2001 International Workshop on Practice and Theory in Public Key Cryptography (PKC 2001) (13 15 february 2001, Cheju Islands, South Korea) K. Kim Ed. Springer-Verlag, LNCS 1992, pages
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationOAEP Reconsidered. Victor Shoup. IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland
OAEP Reconsidered Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com February 13, 2001 Abstract The OAEP encryption scheme was introduced by Bellare and
More informationModern symmetric-key Encryption
Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his
More informationNon-malleability under Selective Opening Attacks: Implication and Separation
Non-malleability under Selective Opening Attacks: Implication and Separation Zhengan Huang 1, Shengli Liu 1, Xianping Mao 1, and Kefei Chen 2,3 1. Department of Computer Science and Engineering, Shanghai
More informationOn The Security of The ElGamal Encryption Scheme and Damgård s Variant
On The Security of The ElGamal Encryption Scheme and Damgård s Variant J. Wu and D.R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada {j32wu,dstinson}@uwaterloo.ca
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationA DL Based Short Strong Designated Verifier Signature Scheme with Low Computation
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 27, 451-463 (2011) A DL Based Short Strong Designated Verifier Signature Scheme with Low Computation HAN-YU LIN, TZONG-SUN WU + AND YI-SHIUNG YEH Department
More informationAdvanced Topics in Cryptography
Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationEquivalence between Semantic Security and Indistinguishability against Chosen Ciphertext Attacks
Equivalence between Semantic Security and Indistinguishability against Chosen Ciphertext Attacks Yodai Watanabe 1, Junji Shikata 2, and Hideki Imai 3 1 RIKEN Brain Science Institute 2-1 Hirosawa, Wako-shi,
More informationPAPER An Identification Scheme with Tight Reduction
IEICE TRANS. FUNDAMENTALS, VOL.Exx A, NO.xx XXXX 200x PAPER An Identification Scheme with Tight Reduction Seiko ARITA, Member and Natsumi KAWASHIMA, Nonmember SUMMARY There are three well-known identification
More informationRandom Oracles in a Quantum World
Dan Boneh 1 Özgür Dagdelen 2 Marc Fischlin 2 Anja Lehmann 3 Christian Schaffner 4 Mark Zhandry 1 1 Stanford University, USA 2 CASED & Darmstadt University of Technology, Germany 3 IBM Research Zurich,
More informationProvable Security Proofs and their Interpretation in the Real World
Provable Security Proofs and their Interpretation in the Real World Vikram Singh Abstract This paper analyses provable security proofs, using the EDL signature scheme as its case study, and interprets
More informationExtractable Perfectly One-way Functions
Extractable Perfectly One-way Functions Ran Canetti 1 and Ronny Ramzi Dakdouk 2 1 IBM T. J. Watson Research Center, Hawthorne, NY. canetti@watson.ibm.com 2 Yale University, New Haven, CT. dakdouk@cs.yale.edu
More informationMTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationAn Identification Scheme Based on KEA1 Assumption
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationThe Random Oracle Model and the Ideal Cipher Model are Equivalent
The Random Oracle Model and the Ideal Cipher Model are Equivalent Jean-ébastien Coron 1, Jacques Patarin 2, and Yannick eurin 2,3 (1) Univ. Luxembourg, (2) Univ. Versailles, (3)Orange Labs éminaire EN
More informationHow to Enhance the Security of Public-Key. Encryption at Minimum Cost 3. NTT Laboratories, 1-1 Hikarinooka Yokosuka-shi Kanagawa Japan
How to Enhance the Security of Public-Key Encryption at Minimum Cost 3 Eiichiro Fujisaki Tatsuaki Okamoto NTT Laboratories, 1-1 Hikarinooka Yokosuka-shi Kanagawa 239-0847 Japan ffujisaki,okamotog@isl.ntt.co.jp
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More information10 Concrete candidates for public key crypto
10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see
More informationFoundations of Cryptography
- 111 - Foundations of Cryptography Notes of lecture No. 10B & 11 (given on June 11 & 18, 1989) taken by Sergio Rajsbaum Summary In this lecture we define unforgeable digital signatures and present such
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationRSA and Rabin Signatures Signcryption
T-79.5502 Advanced Course in Cryptology RSA and Rabin Signatures Signcryption Alessandro Tortelli 26-04-06 Overview Introduction Probabilistic Signature Scheme PSS PSS with message recovery Signcryption
More informationEfficient Smooth Projective Hash Functions and Applications
Efficient Smooth Projective Hash Functions and Applications David Pointcheval Joint work with Olivier Blazy, Céline Chevalier and Damien Vergnaud Ecole Normale Supérieure Isaac Newton Institute for Mathematical
More informationDigital signature schemes
Digital signature schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction digital signature scheme security of digital
More informationTransitive Signatures Based on Non-adaptive Standard Signatures
Transitive Signatures Based on Non-adaptive Standard Signatures Zhou Sujing Nanyang Technological University, Singapore, zhousujing@pmail.ntu.edu.sg Abstract. Transitive signature, motivated by signing
More informationCertificateless Signcryption without Pairing
Certificateless Signcryption without Pairing Wenjian Xie Zhang Zhang College of Mathematics and Computer Science Guangxi University for Nationalities, Nanning 530006, China Abstract. Certificateless public
More informationOn the (In)security of the Fiat-Shamir Paradigm
On the (In)security of the Fiat-Shamir Paradigm Shafi Goldwasser Yael Tauman February 2, 2004 Abstract In 1986, Fiat and Shamir proposed a general method for transforming secure 3-round public-coin identification
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationLecture 14 - CCA Security
Lecture 14 - CCA Security Boaz Barak November 7, 2007 Key exchange Suppose we have following situation: Alice wants to buy something from the well known website Bob.com Since they will exchange private
More informationBoneh-Franklin Identity Based Encryption Revisited
Boneh-Franklin Identity Based Encryption Revisited David Galindo Institute for Computing and Information Sciences Radboud University Nijmegen P.O.Box 9010 6500 GL, Nijmegen, The Netherlands. d.galindo@cs.ru.nl
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More informationLecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]
CMSC 858K Advanced Topics in Cryptography February 19, 2004 Lecturer: Jonathan Katz Lecture 8 Scribe(s): Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan 1 Introduction Last time we introduced
More informationEvaluation Report on the ECDSA signature scheme
Evaluation Report on the ECDSA signature scheme Jacques Stern 1 Introduction This document is an evaluation of the ECDSA signature scheme. Our work is based on the analysis of various documents [1, 32,
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2009-2010 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: September 29th 2009 1 / 60 Last Time (I) Security
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationOn The (In)security Of Fischlin s Paradigm
On The (In)security Of Fischlin s Paradigm Prabhanjan Ananth 1, Raghav Bhaskar 1, Vipul Goyal 1, and Vanishree Rao 2 1 Microsoft Research India prabhanjan.va@gmail.com,{rbhaskar,vipul}@microsoft.com 2
More informationJohn Hancock enters the 21th century Digital signature schemes. Table of contents
John Hancock enters the 21th century Digital signature schemes Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents From last time: Good news and bad There
More informationEncoding-Free ElGamal Encryption Without Random Oracles
Encoding-Free ElGamal Encryption Without Random Oracles Benoît Chevallier-Mames 1,2, Pascal Paillier 3, and David Pointcheval 2 1 Gemplus, Security Technology Department, La Vigie, Avenue du Jujubier,
More information1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds
1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds Amos Beimel Department of Computer Science Ben Gurion University Be er Sheva, Israel Eran Omri Department of Computer
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationID-based tripartite key agreement with signatures
-based tripartite key agreement with signatures 1 Divya Nalla ILab, Dept of omputer/info Sciences, University of Hyderabad, Gachibowli, Hyderabad, 500046, India divyanalla@yahoocom bstract : This paper
More informationVI. The Fiat-Shamir Heuristic
VI. The Fiat-Shamir Heuristic - as already seen signatures can be used and are used in practice to design identification protocols - next we show how we can obtain signatures schemes from - protocols using
More informationAugmented Black-Box Simulation and Zero Knowledge Argument for NP
Augmented Black-Box Simulation and Zero Knowledge Argument for N Li Hongda, an Dongxue, Ni eifang The Data Assurance and Communication Security Research Center, School of Cyber Security, University of
More informationSimple SK-ID-KEM 1. 1 Introduction
1 Simple SK-ID-KEM 1 Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, NW4 4BT, United Kingdom. m.z.cheng@mdx.ac.uk Abstract. In 2001, Boneh and Franklin presented
More informationParallel Decryption Queries in Bounded Chosen Ciphertext Attacks
Parallel Decryption Queries in Bounded Chosen Ciphertext Attacks Takahiro Matsuda and Kanta Matsuura The University of Tokyo, Japan {tmatsuda,kanta}@iis.u-tokyo.ac.jp Abstract. Whether it is possible to
More informationShort Unique Signatures from RSA with a Tight Security Reduction (in the Random Oracle Model)
Short Unique Signatures from RSA with a Tight Security Reduction (in the Random Oracle Model) Hovav Shacham UC San Diego and UT Austin Abstract. A signature scheme is unique if for every public key and
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More informationSIS-based Signatures
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin February 26, 2013 Basics We will use the following parameters: n, the security parameter. =poly(n). m 2n log s 2 n
More informationProvably Secure Partially Blind Signatures
Provably Secure Partially Blind Signatures Masayuki ABE and Tatsuaki OKAMOTO NTT Laboratories Nippon Telegraph and Telephone Corporation 1-1 Hikari-no-oka Yokosuka-shi Kanagawa-ken, 239-0847 Japan E-mail:
More informationf (x) f (x) easy easy
A General Construction of IND-CCA2 Secure Public Key Encryption? Eike Kiltz 1 and John Malone-Lee 2 1 Lehrstuhl Mathematik & Informatik, Fakultat fur Mathematik, Ruhr-Universitat Bochum, Germany. URL:
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationLecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004
CMSC 858K Advanced Topics in Cryptography January 27, 2004 Lecturer: Jonathan Katz Lecture 1 Scribe(s): Jonathan Katz 1 Introduction to These Notes These notes are intended to supplement, not replace,
More informationCryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols
CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, École Normale Supérieure, INRIA, Paris March 2009 Bruno Blanchet (CNRS, ENS, INRIA) CryptoVerif March
More informationType-based Proxy Re-encryption and its Construction
Type-based Proxy Re-encryption and its Construction Qiang Tang Faculty of EWI, University of Twente, the Netherlands q.tang@utwente.nl Abstract. Recently, the concept of proxy re-encryption has been shown
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationPSS Is Secure against Random Fault Attacks
PSS Is Secure against Random Fault Attacks Jean-Sébastien Coron and Avradip Mandal University of Luxembourg Abstract. A fault attack consists in inducing hardware malfunctions in order to recover secrets
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationA Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack
A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack Huafei Zhu InfoComm Security Department, Institute for InfoComm Research. 21 Heng Mui Keng
More informationAnalysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes
Analysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes Alexandra Boldyreva 1 and Marc Fischlin 2 1 College of Computing, Georgia Institute of Technology, 801 Atlantic Drive,
More informationCommunication-Efficient Non-Interactive Proofs of Knowledge with Online Extractors
Communication-Efficient Non-Interactive Proofs of Knowledge with Online Extractors Marc Fischlin Institute for Theoretical Computer Science, ETH Zürich, Switzerland marc.fischlin @ inf.ethz.ch http://www.fischlin.de/
More information