14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University
|
|
- Wesley Garrison
- 6 years ago
- Views:
Transcription
1 14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption Victor Shoup New York University
2 A Historical Perspective The wild years (mid 70 s-mid 80 s): Diffie-Hellman, RSA, ElGamal The rigorous years (mid 80 s-early 90 s) Definitions, Definitions, Definitions, Definitions,... The practical years (early 90 s-present)
3 Notions of Secure Encryption Semantic Security [GM84] Security Against Non-adaptive Chosen Ciphertext Attack [NY90] Security Against Adaptive Chosen Ciphertext Attack [RS91,DDN91]
4 Semantic Security M = M 0 or M = M 1? Key Generator E D M 0, M 1 C M M 0 or M 1 C E(M ) E Encryption Oracle
5 Non-adaptive Semantic CCA Security Security M = M 0 or M = M 1? E Key Generator D C M M 0, M 1 C M D(C) D M M 0 or M 1 C E(M ) E Decryption Oracle Encryption Oracle
6 Non-adaptive Adaptive Semantic CCA CCA Security M = M 0 or M = M 1? E Key Generator D C M M 0, M 1 C C C M M D(C) D M M 0 or M 1 C E(M ) E D M D(C) Decryption Oracle Encryption Oracle Decryption Oracle
7 Case Study: RSA n RSA modulus e encryption exponent d decryption exponent Encrypt M Z n : Decrypt C Z n : C M e M C d
8 Case Study: RSA n RSA modulus e encryption exponent d decryption exponent Encrypt M Z n : Decrypt C Z n : C M e M C d Not even semantically secure! Compare C to M e 0 and Me 1
9 RSA with Random Padding RSA PKCS#1 padding: padding string 00 M } {{ } M pad C = (M pad ) e
10 Bleichenbacher s Attack on RSA PKCS#1 [B98] C (M pad )e n, e M! C 1 error code d. C k error code
11 Case Study: ElGamal G group of prime order q g generator for G KeyGen: z c Z }{{} q, h g z }{{} D E Encrypt M G: w c Z q a g w e Mh w C (a, e) Decrypt C = (a, e): M e/a z
12 ElGamal Encryption: Security Semantically Secure under DDH (Decisional Diffie-Hellman) (g r, g s, g rs ) (g r, g s, g t ) looks like
13 ElGamal Encryption: Security Semantically Secure under DDH (Decisional Diffie-Hellman) (g r, g s, g rs ) (g r, g s, g t ) looks like Insecure against Adaptive CCA
14 Security Key Gen h G0: Original Game b =?!? z M 0, M 1 C w b c {0, 1} c Z q a g w e M b h w C (a, e )
15 Security Key Gen h b =?!? z M 0, M 1 C w b c {0, 1} c Z q a g w e M b C (a, e ) h w
16 Security h w Key Gen G1: DDH (g w, g z, g w z ) (g w, g z, Random) h b =?!? z M 0, M 1 C w b c {0, 1} c Z q a g w e M b Random C (a, e )
17 CCA against ElGamal C = (g w, M h w ) }{{} a }{{} e h M! C = (a, g e ) z g M
18 Example: Key Escrow C E(K H(Alice )) E D?!#*$! C, Michael Moore, reject Bob s Escrow Service
19 Labeled Encryption A label L is input to E and D Security: Adverary submits L, M 0, M 1 to encryption oracle Adversary submits (C, L) to decryption oracle Restriction: (C, L) (C, L )
20 Two Key Construction [NY90,DDN91,S01,L03] Ingredients: NIZK semantically secure PKE Public Key: NIZK reference string public keys and for PKE E L E R Private Key: corresponding private keys D L and D R
21 Two Key Construction [NY90,DDN91,S01,L03] Ingredients: NIZK semantically secure PKE Public Key: NIZK reference string public keys and for PKE E L E R Private Key: corresponding private keys D L and D R
22 Two Key Construction [NY90,DDN91,S01,L03] Encryption of M: (C L, C R, π) where C L = E L (M), C R = E R (M), π is a proof that C L and C R encrypt the same message Decryption of (C L, C R, π): check π output D L (C L )
23 Security G0: Original Game b =?!? Key Gen E L E R D L D R C M M 0, M 1 C C C M (C L, C R, π) C check π M D L (C L ) b c {0, 1} CL E L( ) M b CR E R( M b ) π proof C (CL, C R, π ) (C L, C R, π) C check π M D L (C L )
24 Security b =?!? Key Gen E L E R D L D R C M M 0, M 1 C C C M (C L, C R, π) C check π M D L (C L ) b c {0, 1} CL E L( ) M b CR E R( M b ) π proof C (CL, C R, π ) (C L, C R, π) C check π M D L (C L )
25 Security proof G1: Zero Knowledge b =?!? Key Gen E L E R D L D R C M M 0, M 1 C C C M (C L, C R, π) C check π M D L (C L ) b c {0, 1} CL E L( ) M b CR E R( M b ) π fake proof C (CL, C R, π ) (C L, C R, π) C check π M D L (C L )
26 Security b =?!? Key Gen E L E R D L D R C M M 0, M 1 C C C M (C L, C R, π) C check π M D L (C L ) b c {0, 1} CL E L( ) M b CR E R( M b ) π fake proof C (CL, C R, π ) (C L, C R, π) C check π M D L (C L )
27 Security M b G2: Semantic Security (right) b =?!? Key Gen E L E R D L D R C M M 0, M 1 C C C M (C L, C R, π) C check π M D L (C L ) b c {0, 1} CL E L( ) M b CR E R( M 0 ) π fake proof C (CL, C R, π ) (C L, C R, π) C check π M D L (C L )
28 Security b =?!? Key Gen E L E R D L D R C M M 0, M 1 C C C M (C L, C R, π) C check π M D L (C L ) b c {0, 1} CL E L( ) M b CR E R( M 0 ) π fake proof C (CL, C R, π ) (C L, C R, π) C check π M D L (C L )
29 Security D L (C L ) G3: Simulation Soundness b =?!? Key Gen E L E R D C L D R C M 0, M 1 C M M C b c {0, 1} (C L, C R, π) C (C L, C R, π) C CL E L( M b ) check π C check π R E R( M 0 ) π fake proof M D R (C R ) C (CL, C R, M D π ) R (C R )
30 Security b =?!? Key Gen E L E R D C L D R C M 0, M 1 C M M C b c {0, 1} (C L, C R, π) C (C L, C R, π) C CL E L( M b ) check π C check π R E R( M 0 ) π fake proof M D R (C R ) C (CL, C R, M D π ) R (C R )
31 Security M b Key Gen G4: Semantic Security (left) E L E R b =?!? D C L D R C M 0, M 1 C M M C b c {0, 1} (C L, C R, π) C (C L, C R, π) C CL E L( M 0 ) check π C check π R E R( M 0 ) π fake proof M D R (C R ) C (CL, C R, M D π ) R (C R )
32 Security M b Key Gen G4: Semantic Security (left) E L E R b =?!? D C L D R C M 0, M 1 C M M C b c {0, 1} (C L, C R, π) C (C L, C R, π) C CL E L( M 0 ) check π C check π R E R( M 0 ) π fake proof M D R (C R ) C (CL, C R, M D π ) R (C R )
33 Efficient NIZKs General NIZKs are impractical, but... Proofs for special languages Designated verifier proofs
34 Hash Proof Systems L U; for a L, W a = {witnesses for a} W KeyGen (P, V) Proof Function P : L W Π Verification Function V : U Π P, w W a a L V π P(a, w) π V(a)? = π Prover Verifier
35 Completeness: Hash Proof Systems a L, w W a : P(a, w) = V(a) Soundness: L U; for a L, W a = {witnesses for a} W a L : V(a) looks random, given P KeyGen (P, V) Simulation Soundness: Proof Function P : L W Π a, b L with a b : Verification V(b) Function looks random, V : given U ΠV(a) and P P, w W a a L V π P(a, w) π V(a)? = π Prover Verifier
36 Example: Equality of DL G a group of large prime order q g 1, g 2 generators for G w is the witness U = G G, L = {(g w 1, gw 2 ) : w Z q}
37 Example: Equality of DL G g 1, g 2 a group of large prime order q generators for G U = G G, L = {(g w 1, gw 2 ) : w Z q} KeyGen: c x 1, x 2 Z q, c g x 1 }{{} V }{{} P 1 gx 2 2
38 Example: Equality of DL G g 1, g 2 a group of large prime order q generators for G U = G G, L = {(g w 1, gw 2 ) : w Z q} KeyGen: c x 1, x 2 Z q, c g x 1 }{{} V }{{} P 1 gx 2 2 Verification Function: V(a 1, a 2 ) = a x 1 1 ax 2 2
39 Example: Equality of DL G g 1, g 2 a group of large prime order q generators for G U = G G, L = {(g w 1, gw 2 ) : w Z q} KeyGen: c x 1, x 2 Z q, c g x 1 }{{} V }{{} P 1 gx 2 2 Proof Function: for (a 1, a 2 ) L with witness w, P(a 1, a 2 ; w) = c w Verification Function: V(a 1, a 2 ) = a x 1 1 ax 2 2
40 Example: Equality of DL G a group of large prime order q g 1, g 2 generators for G U = G G, L = {(g w 1, gw 2 ) : w Z q} KeyGen: x 1, x 2 c Z q, c g x 1 c y }{{} 1, y 2 Z q, }{{} d g y 1 V P 1 gx gy 2 2 Simulation Soundness Proof Function: for (a 1, a 2 ) L with witness w, d wh(a 1,a 2 ) P(a 1, a 2 ; w) = c w Verification Function: V(a 1, a 2 ) = a x 1 1 ax 2 2 (a y 1 1 ay 2 2 )H(a 1,a 2 )
41 From Hash Proofs to CCA Security Efficient Semantically Secure PKE Efficient Hash Proof for Plaintext Equality + Two Key Construction Efficient and CCA Secure Encryption
42 Example: Equal ElGamal Plaintexts C 1 = (a 1, e 1 ) = (g w 1, h w 1 C 2 = (a 2, e 2 ) = (g w 2, h w 1 M) 2 2 M) Simulation Soundness c 1 g x 1 h x 3 d c 1 1 g y 1 h y 3 1 x 1, x 2, x 3, y } {{ 1, y 2, y Z } 3 q c 2 g x 2 h x 3 2 d 2 g y 2 h y 3 2 V } {{ } P V(C 1, C 2 ) = a x 1 1 ax 2 2 f x 3 P(C 1, C 2 ; w 1, w 2 ) = c w 1 1 cw 2 2 where f = e 1 /e 2, (a y 1 1 ay 2 2 f y 3 ) α (d w 1 1 dw 2 2 )α α = H(C 1, C 2 )
43 Improvements and Extensions More efficient schemes [CS98,S00,KD04] Extensions [CS02]: Quadratic Residuosity Paillier s Decisional Composite Residuosity
44 Standards: ISO RSA-OAEP Hybrid Encryption Schemes: RSA based ElGamal based
45 A Hybrid Encryption Paradigm Secure Key Encapsulation + Secure Data Encapsulation Secure Hybrid Encryption
46 A Hybrid Encryption Paradigm Secure Key Encapsulation + Secure Data Encapsulation Secure Hybrid Encryption
47 A Hybrid Encryption Paradigm E KEM C KEM D KEM K K Key Encapsulation Mechanism (KEM) Security: K looks random after a CCA
48 A Hybrid Encryption Paradigm E KEM C KEM D KEM K K Key Encapsulation Mechanism (KEM) Security: K looks random after a CCA
49 A Hybrid Encryption Paradigm Data Encapsulation Mechanism (DEM) Security: M is hidden after a CCA Implementation: Encrypt then MAC, OCB Mode K K M E DEM C DEM L D DEM M
50 A Hybrid Encryption Paradigm Data Encapsulation Mechanism (DEM) Security: M is hidden after a CCA Implementation: Encrypt then MAC, OCB Mode K K M E DEM C DEM L D DEM M
51 A Hybrid Encryption Paradigm E KEM C KEM D KEM K K M E DEM C DEM L D DEM M Secure KEM + Secure DEM = Secure Hybrid
52 RSA KEM n RSA modulus e encryption exponent d decryption exponent Encrypt: w c Z n a w e K KDF(w) C a Decrypt C = a: w a d K KDF(w)
53 secure in ROM under RSA RSA KEM n RSA modulus e encryption exponent d decryption exponent Encrypt: w c Z n a w e K KDF(w) C a Decrypt C = a: w a d K KDF(w)
54 ElGamal KEM G a group of large prime order q g generator for G D E { { z c Z q, h g z Encrypt: w c Z q, a g w K KDF(h w ) C a Decrypt C = a: [ check 1 = a q ] K KDF(a z )
55 secure in ROM under GapDH ElGamal KEM G a group of large prime order q g generator for G D E { { z c Z q, h g z Encrypt: w c Z q, a g w K KDF(h w ) C a Decrypt C = a: [ check 1 = a q ] K KDF(a z )
56 Hash Proof KEM G g 1 D E a group of large prime order q { { generator for G t, x, y, z c Z q, g 2 g t 1, c gx 1, d gy 1, h gz 1 Encrypt: w c Z q, a 1 g w 1, a 2 g w 2 v c w d wh(a 1,a 2 ) K KDF(h w ) C (a 1, a 2, v) Decrypt (a 1, a 2, v): [ 1 = a q 1 ] check a 2 = a t 1 v = a x+yh(a 1,a 2 ) 1 K KDF(a z 1 )
57 secure under DDH Hash Proof KEM G g 1 D E a group of large prime order q { { generator for G t, x, y, z c Z q, g 2 g t 1, c gx 1, d gy 1, h gz 1 Encrypt: w c Z q, a 1 g w 1, a 2 g w 2 v c w d wh(a 1,a 2 ) K KDF(h w ) C (a 1, a 2, v) Decrypt (a 1, a 2, v): [ 1 = a q 1 ] check a 2 = a t 1 v = a x+yh(a 1,a 2 ) 1 K KDF(a z 1 )
58 secure under DDH Hash Proof KEM no less secure than ElGamal KEM G g 1 D E a group of large prime order q { { generator for G t, x, y, z c Z q, g 2 g t 1, c gx 1, d gy 1, h gz 1 Encrypt: w c Z q, a 1 g w 1, a 2 g w 2 v c w d wh(a 1,a 2 ) K KDF(h w ) C (a 1, a 2, v) Decrypt (a 1, a 2, v): [ 1 = a q 1 ] check a 2 = a t 1 v = a x+yh(a 1,a 2 ) 1 K KDF(a z 1 )
59 secure under DDH Hash Proof KEM no less secure than ElGamal KEM G g 1 D E a group of large prime order q { { generator for G secure in ROM under CDH t, x, y, z c Z q, g 2 g t 1, c gx 1, d gy 1, h gz 1 Encrypt: w c Z q, a 1 g w 1, a 2 g w 2 v c w d wh(a 1,a 2 ) K KDF(h w ) C (a 1, a 2, v) Decrypt (a 1, a 2, v): [ 1 = a q 1 ] check a 2 = a t 1 v = a x+yh(a 1,a 2 ) 1 K KDF(a z 1 )
60 secure under DDH Hash Proof KEM no less secure than ElGamal KEM G g 1 D E a group of large prime order q { { generator for G secure in ROM under CDH exponentiation with pre-processing t, x, y, z c Z q, g 2 g t 1, c gx 1, d gy 1, h gz 1 Encrypt: w c Z q, a 1 g w 1, a 2 g w 2 v c w d wh(a 1,a 2 ) K KDF(h w ) C (a 1, a 2, v) Decrypt (a 1, a 2, v): [ 1 = a q 1 ] check a 2 = a t 1 v = a x+yh(a 1,a 2 ) 1 K KDF(a z 1 )
61 secure under DDH Hash Proof KEM no less secure than ElGamal KEM G g 1 D E a group of large prime order q { { generator for G t, x, y, z c Z q, secure in ROM under CDH exponentiation with pre-processing confounds patent lawyers g 2 g t 1, c gx 1, d gy 1, h gz 1 Encrypt: w c Z q, a 1 g w 1, a 2 g w 2 v c w d wh(a 1,a 2 ) K KDF(h w ) C (a 1, a 2, v) Decrypt (a 1, a 2, v): [ 1 = a q 1 ] check a 2 = a t 1 v = a x+yh(a 1,a 2 ) 1 K KDF(a z 1 )
62 And now for something completely different... [CHK04, BB04] CCA Secure Encryption using elliptic curves, equipped with bilinear maps Different assumptions and techniques Hashed decisional (or even computational) assumption Distribute decryption service, without interaction (Improves [CG99])
63 Conclusions Adaptive CCA security is now widely accepted as the right definition Demanded by standards bodies Science fiction is becoming reality Progress continues!
64 Conclusions Adaptive CCA security is now widely Thanks for Listening! accepted as the right definition Demanded by standards bodies Science fiction is becoming reality Progress continues!
G Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationThe Cramer-Shoup Cryptosystem
The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationDiscrete logarithm and related schemes
Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationRSA-OAEP and Cramer-Shoup
RSA-OAEP and Cramer-Shoup Olli Ahonen Laboratory of Physics, TKK 11th Dec 2007 T-79.5502 Advanced Cryptology Part I: Outline RSA, OAEP and RSA-OAEP Preliminaries for the proof Proof of IND-CCA2 security
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationPractical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
More informationA New Paradigm of Hybrid Encryption Scheme
A New Paradigm of Hybrid Encryption Scheme Kaoru Kurosawa 1 and Yvo Desmedt 2 1 Ibaraki University, Japan kurosawa@cis.ibaraki.ac.jp 2 Dept. of Computer Science, University College London, UK, and Florida
More informationLecture Note 3 Date:
P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 60 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationOn The Security of The ElGamal Encryption Scheme and Damgård s Variant
On The Security of The ElGamal Encryption Scheme and Damgård s Variant J. Wu and D.R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada {j32wu,dstinson}@uwaterloo.ca
More informationAdvanced Cryptography 03/06/2007. Lecture 8
Advanced Cryptography 03/06/007 Lecture 8 Lecturer: Victor Shoup Scribe: Prashant Puniya Overview In this lecture, we will introduce the notion of Public-Key Encryption. We will define the basic notion
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationA New Variant of the Cramer-Shoup KEM Secure against Chosen Ciphertext Attack
A New Variant of the Cramer-Shoup KEM Secure against Chosen Ciphertext Attack Joonsang Baek 1 Willy Susilo 2 Joseph K. Liu 1 Jianying Zhou 1 1 Institute for Infocomm Research, Singapore 2 University of
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationTrapdoor functions from the Computational Diffie-Hellman Assumption
Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad Hajiabadi 1,2 1 University of California, Berkeley 2 University of Virginia August 22, 2018 1 / 18 Classical Public-Key
More informationCS 355: Topics in Cryptography Spring Problem Set 5.
CS 355: Topics in Cryptography Spring 2018 Problem Set 5 Due: June 8, 2018 at 5pm (submit via Gradescope) Instructions: You must typeset your solution in LaTeX using the provided template: https://crypto.stanford.edu/cs355/homework.tex
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More information5.4 ElGamal - definition
5.4 ElGamal - definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationAdvanced Topics in Cryptography
Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,
More informationWeek : Public Key Cryptosystem and Digital Signatures
Week 10-11 : Public Key Cryptosystem and Digital Signatures 1. Public Key Encryptions RSA, ElGamal, 2 RSA- PKC(1/3) 1st public key cryptosystem R.L.Rivest, A.Shamir, L.Adleman, A Method for Obtaining Digital
More informationUniversal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption
Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup October 12, 2001 Abstract We present several new and fairly practical public-key
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationOn the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups
On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups Goichiro Hanaoka, Takahiro Matsuda, Jacob C.N. Schuldt Research Institute for Secure Systems (RISEC)
More informationCONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS
CONSRUCIONS SECURE AGAINS RECEIVER SELECIVE OPENING AND CHOSEN CIPHEREX AACKS Dingding Jia, Xianhui Lu, Bao Li jiadingding@iie.ac.cn C-RSA 2017 02-17 Outline Background Motivation Our contribution Existence:
More informationStructure Preserving CCA Secure Encryption
Structure Preserving CCA Secure Encryption presented by ZHANG Tao 1 / 9 Introduction Veriable Encryption enable validity check of the encryption (Camenisch et al. @ CRYPTO'03): veriable encryption of discrete
More informationLecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationPairing-Based Cryptography An Introduction
ECRYPT Summer School Samos 1 Pairing-Based Cryptography An Introduction Kenny Paterson kenny.paterson@rhul.ac.uk May 4th 2007 ECRYPT Summer School Samos 2 The Pairings Explosion Pairings originally used
More information2 Preliminaries 2.1 Notations Z q denotes the set of all congruence classes modulo q S denotes the cardinality of S if S is a set. If S is a set, x R
A Public Key Encryption In Standard Model Using Cramer-Shoup Paradigm Mahabir Prasad Jhanwar and Rana Barua mahabir r, rana@isical.ac.in Stat-Math Unit Indian Statistical Institute Kolkata, India Abstract.
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationLecture 14 - CCA Security
Lecture 14 - CCA Security Boaz Barak November 7, 2007 Key exchange Suppose we have following situation: Alice wants to buy something from the well known website Bob.com Since they will exchange private
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationSimple SK-ID-KEM 1. 1 Introduction
1 Simple SK-ID-KEM 1 Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, NW4 4BT, United Kingdom. m.z.cheng@mdx.ac.uk Abstract. In 2001, Boneh and Franklin presented
More informationOn the Selective-Opening Security of DHIES
On the Selective-Opening Security of DHIES and other practical encryption schemes UbiCrypt Research Retreat, Schloss Raesfeld: 29.& 30. Sep. 2014 Felix Heuer, Tibor Jager, Eike Kiltz, Sven Schäge Horst
More informationPractice Assignment 2 Discussion 24/02/ /02/2018
German University in Cairo Faculty of MET (CSEN 1001 Computer and Network Security Course) Dr. Amr El Mougy 1 RSA 1.1 RSA Encryption Practice Assignment 2 Discussion 24/02/2018-29/02/2018 Perform encryption
More informationTightly Secure CCA-Secure Encryption without Pairings
Tightly Secure CCA-Secure Encryption without Pairings Romain Gay 1,, Dennis Hofheinz 2,, Eike Kiltz 3,, and Hoeteck Wee 1, 1 ENS, Paris, France rgay,wee@di.ens.fr 2 Ruhr-Universität Bochum, Bochum, Germany
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationStrong Security Models for Public-Key Encryption Schemes
Strong Security Models for Public-Key Encryption Schemes Pooya Farshim (Joint Work with Manuel Barbosa) Information Security Group, Royal Holloway, University of London, Egham TW20 0EX, United Kingdom.
More informationSlides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013
RSA Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013 Recap Recap Number theory o What is a prime number? o What is prime factorization? o What is a GCD? o What does relatively prime
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationMaster s thesis, defended on June 20, 2007, supervised by Dr. Oleg Karpenkov. Mathematisch Instituut. Universiteit Leiden
Master s thesis, defended on June 20, 2007, supervised by Dr. Oleg Karpenkov Angela Zottarel Encryption from Weaker Assumptions Master thesis defended on June 28, 2010. Thesis Advisor: dr. Eike Kiltz.
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationA ROBUST AND PLAINTEXT-AWARE VARIANT OF SIGNED ELGAMAL ENCRYPTION
A ROBUST AND PLAINTEXT-AWARE VARIANT OF SIGNED ELGAMAL ENCRYPTION Joana Treger ANSSI, France. Session ID: CRYP-W21 Session Classification: Advanced ELGAMAL ENCRYPTION & BASIC CONCEPTS CDH / DDH Computational
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2009-2010 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: September 29th 2009 1 / 60 Last Time (I) Security
More informationKurosawa-Desmedt Key Encapsulation Mechanism, Revisited and More
Kurosawa-Desmedt Key Encapsulation Mechanism, Revisited and More Kaoru Kurosawa 1 and Le Trieu Phong 1 Ibaraki University, Japan kurosawa@mx.ibaraki.ac.jp NICT, Japan phong@nict.go.jp Abstract. While the
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationAdaptive partitioning. Dennis Hofheinz (KIT, Karlsruhe)
Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Public-Key Encryption Accepted security
More informationChapter 11 : Private-Key Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1 Chapter 11 Public-Key Encryption Apologies: all numbering
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationAn Introduction to Pairings in Cryptography
An Introduction to Pairings in Cryptography Craig Costello Information Security Institute Queensland University of Technology INN652 - Advanced Cryptology, October 2009 Outline 1 Introduction to Pairings
More informationA Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack
A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack Huafei Zhu InfoComm Security Department, Institute for InfoComm Research. 21 Heng Mui Keng
More informationCryptography from Pairings
DIAMANT/EIDMA Symposium, May 31st/June 1st 2007 1 Cryptography from Pairings Kenny Paterson kenny.paterson@rhul.ac.uk May 31st 2007 DIAMANT/EIDMA Symposium, May 31st/June 1st 2007 2 The Pairings Explosion
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationSecure Certificateless Public Key Encryption without Redundancy
Secure Certificateless Public Key Encryption without Redundancy Yinxia Sun and Futai Zhang School of Mathematics and Computer Science Nanjing Normal University, Nanjing 210097, P.R.China Abstract. Certificateless
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationEfficient Identity-based Encryption Without Random Oracles
Efficient Identity-based Encryption Without Random Oracles Brent Waters Weiwei Liu School of Computer Science and Software Engineering 1/32 Weiwei Liu Efficient Identity-based Encryption Without Random
More informationShorter Quasi-Adaptive NIZK Proofs for Linear Subspaces
Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces Charanjit S. Jutla 1 and Arnab Roy 2 1 IBM T. J. Watson Research Center Yorktown Heights, NY 10598, USA csjutla@us.ibm.com 2 Fujitsu Laboratories
More informationLecture 7: ElGamal and Discrete Logarithms
Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 2006-02-07 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that
More informationLecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]
CMSC 858K Advanced Topics in Cryptography February 19, 2004 Lecturer: Jonathan Katz Lecture 8 Scribe(s): Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan 1 Introduction Last time we introduced
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationEfficient Identity-Based Encryption Without Random Oracles
Efficient Identity-Based Encryption Without Random Oracles Brent Waters Abstract We present the first efficient Identity-Based Encryption (IBE) scheme that is fully secure without random oracles. We first
More informationDATA PRIVACY AND SECURITY
DATA PRIVACY AND SECURITY Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2018-2019 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum
More informationA Robust and Plaintext-Aware Variant of Signed ElGamal Encryption
A Robust and Plaintext-Aware Variant of Signed ElGamal Encryption Yannick Seurin and Joana Treger ANSSI, Paris, France yannick.seurin@m4x.org,joana.marim@ssi.gouv.fr Revised, 24 February 2013 Abstract.
More informationHighly-Efficient Universally-Composable Commitments based on the DDH Assumption
Highly-Efficient Universally-Composable Commitments based on the DDH Assumption Yehuda Lindell March 6, 2013 Abstract Universal composability (or UC security) provides very strong security guarantees for
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationChosen-Ciphertext Secure Key-Encapsulation Based on Gap Hashed Diffie-Hellman
A preliminary version of this paper appears in the proceedings of the 10th International Workshop on Practice and Theory in Public Key Cryptography, PKC 2007, Lecture Notes in Computer Science Vol.???,
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationPassword-Authenticated Key Exchange David Pointcheval
Password-Authenticated Key Exchange Privacy and Contactless Services May 27th, 2015 AKE AKE: Authenticated Key Exchange allows two players to agree on a common key authentication of partners 2 Diffie-Hellman
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018
Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationNetwork Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30
Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) LIU Zhen Due Date: March 30 Questions: 1. RSA (20 Points) Assume that we use RSA with the prime numbers p = 17 and q = 23. (a) Calculate
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationON CIPHERTEXT UNDETECTABILITY. 1. Introduction
Tatra Mt. Math. Publ. 41 (2008), 133 151 tm Mathematical Publications ON CIPHERTEXT UNDETECTABILITY Peter Gaži Martin Stanek ABSTRACT. We propose a novel security notion for public-key encryption schemes
More information