Provable security. Michel Abdalla

Size: px
Start display at page:

Download "Provable security. Michel Abdalla"

Transcription

1 Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS

2 Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender Receiver Only possible if parties possess information (called keys) not known to adversary 2

3 Two main security goals in data communication Adversary Sender Receiver Pi Privacy: prevent exposure of transmitted data Adversary Sender Receiver Authenticity/Integrity: prevent modification of transmitted data 3

4 Symmetric encryption (a.k.a. private-key encryption) Adversary Sender Receiver M E C C M? D Secret Information (key) 4

5 Vernam cipher / One-time pad Sender M C C M Receiver Key Good: ciphertext reveals no more information about the plaintext than what was known a priori [Shannon] Bad: key size message size 5

6 Modern cryptography Computational security: System can be broken in principle, but it would take a lot of computing time Small keys Public-key cryptography Security usually relies on some known computationally hard mathematical problems (e.g. the scheme is secure if factoring is hard) 6

7 How can we be confident that a given cryptosystem is secure? Try to find an attack Yes Attack found No Insecure? Prove that t breaking cryptosystem t is as hard as solving an underlying well-known computational problem Attack found Yes Underlying computational problem is easy (unlikely) 7

8 Computational problems conjectured to be hard NP-complete problems Factoring large composites Computing discrete logs Basis for cryptography Diffie-Hellman problem 8

9 Provable security impacts practice Proven secure schemes are in standards like SSL, SSH, and IPSEC Product developers, security architects and users turn to theoreticians to tell them: which systems to use how different cryptosystems compare 9

10 Plan Security proof methodology Algorithmic assumptions Ideal models Game playing technique Case studies 10

11 When are algorithmic i assumptions sufficient? Security proofs give the guarantee that the assumption is sufficient i for secrecy: IF an adversary can break the secrecy THEN one can break the assumption proof by reduction 11

12 Proof by Reduction Let A be an adversary that breaks the scheme Then A can be used to solve a hard problem P Instance I of P A Solution of I P intractable scheme is secure 12

13 Provably Secure Scheme To prove the security of a cryptographic scheme, one has to precise The algorithmic assumptions E.g., Factoring, computational Diffie-Hellman The security notions being achieved According to the scheme and primitive A reduction Show how to use adversary to break assumptions 13

14 Plan Security proof methodology Algorithmic assumptions Ideal models Game playing technique Case studies 14

15 Factorization and RSA Multiplication/Factorization: p, q N=p q N = p.q p, q easy (quadratic) difficult (super-polynomial) RSA Function, from Z N in Z N (with N=pq) for a fixed exponent e [RSA 1978] x x e mod N easy (cubic) y=x e mod N x difficult (without p or q) x = y d mod N where d = e -1 mod φ(n) 15

16 The RSA problems Let n=pq where p and q are large primes The RSA problem: for a fixed exponent e = y = x n y = x rsa e Succ ne, ( A ) Pr mod ( ) y A * Z n The Flexible RSA problem: with the restriction for e to be prime fl-rsa e Succ n ( A ) = Pr y= x mod na ( y ) = ( xe, ) * y Z n 16

17 Other RSA variants Let n=pq where p and q are large primes The Rabin Problem Given y, find x such that y = x 2 mod n (if it exists) This problem is equivalent to integer factoring The Dependent RSA Problems Given x e mod n, find (x+1) e mod n For small e: equivalent to RSA Given x e mod n and y e mod n, decide whether y = x+1 mod n 17

18 Residue Problems Let n=pq where p and q are large primes The Quadratic Residuosity Given yinz Z * n, decide whether there exists x such that y = x 2 mod n The High Residuosity Problem (Paillier) Given y in Z * n2, decide whether there exists x such that y = x n mod n 2 18

19 Discrete-log-based assumptions: Background Fix a cyclic group G This means: there is an element g G which generates G G={g 0, g 1,, g G -1 } The discrete log of y G is the unique integer i {0,1,, G -1} such that y=g i * E.g.: if p is prime, then Z p is a cyclic group of order p-1 * Eg:Z E.g.: 17 ={1,,16} 16} is a cyclic group and 3 is a generator The discrete log of 14 base 3 in Z * 17 is 9 because 3 9 = mod 17 19

20 Discrete log assumption (DL) Fix a cyclic group G Eg E.g., G=Z * p, where p=2q+1 and q is a large prime DL problem: g u g Algorithm u Assumption: there is no practical algorithm to solve the discrete log gproblem in G 20

21 Computational Diffie-Hellman assumption (CDH) Fix a cyclic group G * E.g., G = Z p, where p=2q+1 and q is a large prime CDH problem: u v g u g v g Algorithm g uv Assumption: there is no practical algorithm to solve the computational Diffie-Hellman problem in G 21

22 Decisional Diffie-Hellman assumption (DDH) DDH problem: g u g v g g uv b=0 Algorithm g $ b=1 b b=b? yes no Win Lose Assumption: there is no practical algorithm that wins with probability significantly better than ½ 22

23 Success probabilities dl Succ ( ) Pr ( ) x y x y g = = = A A Succ ( ) Pr ( ) q g x y x y g = = = A A Z cdh, Succ ( ) Pr (, ),, q a b ab g ab AB CA g B g C g = = = = = A A Z,, 1 ),, ( Pr ) ( Ad,, ddh c b a c b a g C g B g A C B A q A A Z,, 1 ),, ( Pr ) ( Adv,,, ddh ab b a b a g g C g B g A C B A q q A A Z 23

24 Relation among assumptions P NP sing Str rength Increa DL - Discrete Log CDH - Computational Diffie-Hellman DDH - Decisional Diffie-Hellman 24

25 Plan Security proof methodology Algorithmic assumptions Ideal models Game playing technique Case studies 25

26 Ideal Models Ideal random hash function Random-oracle model Ideal symmetric encryption Ideal-cipher model 26

27 The Random-Oracle Model [BR93] Perhaps the most used ideal model in cryptography The hash function is modeled as a perfectly random function Hash function is replaced with a random oracle Each query is answered with a random value from the domain The oracle is stateful and returns the same answer if a given query is asked twice 27

28 Modeling a Random Oracle The usual way to model a random oracle H is to maintain a list Λ H which contains all query-response pairs (x,ρ) Λ H is initially set to an empty list If a query x is asked of H and (x,ρ) Λ H for some ρ, then ρ is returned If a query x is asked of H and there is no ρ such that t (x,ρ) Λ H, then a random ρ is drawn from the appropriate range (x,ρ) is appended to Λ H ρ is returned 28

29 Two equivalent views of a random oracle H is a random function a query x to H is answered with H(x) ρ 1, ρ 2,... is a random sequence a new query x to H is answered by the next element in the sequence 29

30 The random-permutation model Similar to the random-oracle model, but with a permutation instead of a function A permutation P is modeled as a perfectly random permutation Λ P is initially set to an empty list If a query x is asked of P or a query y is asked of P -1 and d( (x,y) Λ Λ P, then the corresponding value is returned Otherwise, a new random value (y or x) is chosen, (x,y) is appended to Λ P, and y or x is returned 30

31 The ideal-cipher model An extension of the random-permutation model A block cipher is seen as a family of truly random and independent permutations (for each key) The simulation works as follows: Λ C is initially set to an empty list If a query (k,m) is asked of E or a query (k,c) is asked of D=E -1 and (k,m,c) Λ C, then the corresponding value is returned Otherwise, a new random value (c or m) is drawn from the appropriate range, (k,m,c) is appended to Λ C, and c or m is returned 31

32 Plan Security proof methodology Algorithmic assumptions Ideal models Game playing technique Case studies 32

33 The game-playing technique: Motivation Widely used in cryptographic proofs Easy to employ Can be used in the standard model as well as in ideal models Can lead to new results Three-key triple-encryption [BR06] Less error-prone Easier to verify 33

34 Game-based proofs [Shoup,BR] A game is conceptualization of the interaction of the adversary with its environment The proof is defined as a sequence of games Initial game is the real attack environment Proof proceeds by stepwise refinement of the original game The difference in probability bilit of an event S between consecutive games is usually upper-bounded by the probability of a bad event E Success probability of adversary in final game is equal or negligibly close to target probability 34

35 Code-based game playing [BR] Game is seen as an actual program that is run with an adversary Oracles are seen as procedure calls Bad events are Boolean variables Fundamental lemma: If two games are identical until the variable bad is set, then the difference in the probabilities of a given outcome is bounded by the probability that bad gets set (in either game) 35

36 Shoup s approach Games are seen as probability spaces and random variables defined over them Bad events do not need to be explicitly announced Games are defined on a common probability space Game modification can be seen as a rewriting rule of the probability distribution of the variables 36

37 The difference lemma [Shoup] Modifications of the probability space may impact the success probabilities Probability space P unchanged unless a bad event E happens Difference lemma: Let S, S, E be events defined in some probability distribution, and S E S E. Then, Pr[S] Pr[S ] Pr[E] Pr[S ] - Pr[S] = Pr[S E] + Pr[S E] -Pr[S E] -Pr[S E] = Pr[S E] Pr[E] + Pr[S E] Pr[ E] -Pr[S E] Pr[E] - Pr[S E] Pr[ E] = Pr[S E] - Pr[S E] Pr[E] Pr[E] 37

38 Game transitions Indistinguishability of distributions Detection by the adversary would imply py an efficient method of distinguishing between two indistinguishable distributions (statistically or computationally) Failures and bad events Distance follows from the difference lemma Poisoned points Rewriting of variables Restating how certain quantities can be computed in a completely equivalent way Swapping dependent and independent variables Code motion 38

39 Plan Security proof methodology Algorithmic assumptions Ideal models Game playing technique Case studies 39

40 Case studies ElGamal Encryption Hybrid Encryption 40

41 Example 1: ElGamal encryption To formally prove the security of ElGamal l encryption, we need to: Define security primitive: PKE Define security model: IND-CPA Specify security assumption: DDH Provide a proof of security: Show that if one breaks the security of the ElGamal encryption scheme, then one has to break the DDH assumption 41

42 ElGamal: A DDH-based encryption scheme Secret Key: v Public Key: g, g v Generator Ephemeral Key Public Key Plaintext g u g v Message Exponentiation Exponentiation g uv Multiplication g u Message g uv 42

43 Public-key encryption (PKE) Sender Receiver M E C C M? D Public key Secret key Goal: it should be hard for an adversary to get information about M from C 43

44 IND-CPA security model: Privacy against chosen-plaintext attacks A scheme is IND-CPA secure when, for any two messages M 0 and M 1 chosen by the adversary after seeing the public key pk: Adversary cannot tell apart the encryption E(pk,M 0 ) of M 0 from the encryption E(pk,MM 1 ) of M 1 44

45 IND-CPA security experiment: Privacy against chosen-plaintext attacks Adversary pk (sk,pk) KeyGen(1 k ) m 0,m 1 b {0,1} C C Enc(pk,m b ) b b = b? YES NO Win Lose 45

46 IND-CPA security experiment: Privacy against chosen-plaintext attacks Adversary pk Initialize(1 k ) m 0,m 1 Enc(pk,m b ) C b Finalize(b) Win Lose 46

47 Security statement Theorem: The ElGamal encryption scheme is semantically secure against chosen-plaintext attacks (IND-CPA) if the DDH problem is hard 47

48 Proof idea Given an adversary A against the IND-CPA security of ElGamal encryption scheme, show how to build an adversary B for the DDH problem Adversary A Adversary B A PKE DDH 48

49 Reduction proof g, g u, g v, W pk = (g, g v ) Adversary B Adversary A M 0, M 1 b {0,1} C=(g u, W M b ) b b If b =b, then b =0 else b =1 49

50 Case study 2: Hybrid encryption Let AE = (AKG, AE, AD) be an asymmetric encryption scheme Let SE = (SKG, SE, SD) be an symmetric encryption scheme Hybrid encryption scheme HE = (HKG, HE, HD) HKG AKG HE(m): k SKG; C 1 AE(pk,k); C 2 SE(k,m) HD ( C 1,C 2 ) : k AD(sk,C 1 ); m SD(k,C 2 ) 50

51 Security statement Theorem: The hybrid encryption scheme is semantically secure against chosenplaintext attacks (IND-CPA) if the both the asymmetric and symmetric encryption schemes are IND-CPA 51

52 Proof by games The proof is defined as a sequence of games Game 0 - the original attack Adversary outputs (m 0,m 1 ), gets C * 1,C * 2 = HE(m b ) and outputs b Adversary wins if b=b Pr[S 0 ]=ε ε Game 1 C * 1 and C * 2 are computed using different k values C * 1 = AE(pk,k ) and C * 2 = SE(k,m b ) 1 2 b Pr[S 0 ] - Pr[S 1 ] Adv AE () ε 1 Game 2 - C * 2 encrypts a random message C * 2 = SE(k,$) Pr[S 1 ] - Pr[S 2 ] Adv SE () ε 2 Pr[S 2 ] = 0 52

53 Game 0 pk Adversary A M 0, M 1 b {0,1} k $ C* =(AE(k), SE(k,M b )) b If b =b, then A wins else A loses 53

54 Game 1 pk Adversary A M 0, M 1 b {0,1} k $; k $ C* =(AE(k ), SE(k,M b )) b If b =b, then A wins else A loses 54

55 Game 2 pk Adversary A M 0, M 1 b {0,1} M $; k $; k $ C* =(AE(k ), SE(k,$)) b If b =b, then A wins else A loses 55

56 Hybrid Encryption: Summary Pr[S 0 ] = Adv HE ind-cpa (A) = ε Pr[S 1 ] - Pr[S 0 ] Adv AE ind-cpa (B) = ε 1 Pr[S - ind-cpa 2 ] Pr[S 1 ] Adv SE (C) = ε 2 Pr[S 2 ] = 0 Pr[S 0 ] = Adv ind-cpa HE (A) Adv ind-cpa AE (B) + Adv ind-cpa SE (C) ε 1 + ε 2 56

57 Acknowledgements Some of slides on provable security were provided d by David Pointcheval The slides about asymmetric encryption are part of Mihir Bellare s course on Modern Cryptography 57

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction

More information

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key

More information

Lecture Note 3 Date:

Lecture Note 3 Date: P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................

More information

ASYMMETRIC ENCRYPTION

ASYMMETRIC ENCRYPTION ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall

More information

Advanced Cryptography 1st Semester Public Encryption

Advanced Cryptography 1st Semester Public Encryption Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability

More information

On The Security of The ElGamal Encryption Scheme and Damgård s Variant

On The Security of The ElGamal Encryption Scheme and Damgård s Variant On The Security of The ElGamal Encryption Scheme and Damgård s Variant J. Wu and D.R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada {j32wu,dstinson}@uwaterloo.ca

More information

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4) Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message

More information

Introduction to Cryptography. Lecture 8

Introduction to Cryptography. Lecture 8 Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication

More information

5.4 ElGamal - definition

5.4 ElGamal - definition 5.4 ElGamal - definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is

More information

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4) Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message

More information

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,

More information

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004 CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key

More information

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004 CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed

More information

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.

More information

Advanced Topics in Cryptography

Advanced Topics in Cryptography Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,

More information

Cryptography IV: Asymmetric Ciphers

Cryptography IV: Asymmetric Ciphers Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline

More information

ECS 189A Final Cryptography Spring 2011

ECS 189A Final Cryptography Spring 2011 ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I

More information

The Cramer-Shoup Cryptosystem

The Cramer-Shoup Cryptosystem The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive

More information

5199/IOC5063 Theory of Cryptology, 2014 Fall

5199/IOC5063 Theory of Cryptology, 2014 Fall 5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.

More information

Public-Key Encryption: ElGamal, RSA, Rabin

Public-Key Encryption: ElGamal, RSA, Rabin Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption

More information

RSA-OAEP and Cramer-Shoup

RSA-OAEP and Cramer-Shoup RSA-OAEP and Cramer-Shoup Olli Ahonen Laboratory of Physics, TKK 11th Dec 2007 T-79.5502 Advanced Cryptology Part I: Outline RSA, OAEP and RSA-OAEP Preliminaries for the proof Proof of IND-CCA2 security

More information

Advanced Cryptography 03/06/2007. Lecture 8

Advanced Cryptography 03/06/2007. Lecture 8 Advanced Cryptography 03/06/007 Lecture 8 Lecturer: Victor Shoup Scribe: Prashant Puniya Overview In this lecture, we will introduce the notion of Public-Key Encryption. We will define the basic notion

More information

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1 SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2

More information

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7 CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a

More information

14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University

14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University 14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption Victor Shoup New York University A Historical Perspective The wild years (mid 70 s-mid 80 s): Diffie-Hellman, RSA, ElGamal The

More information

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator

More information

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies

More information

Lecture 28: Public-key Cryptography. Public-key Cryptography

Lecture 28: Public-key Cryptography. Public-key Cryptography Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access

More information

CS 6260 Applied Cryptography

CS 6260 Applied Cryptography CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem

More information

Identity-based encryption

Identity-based encryption Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages

More information

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,

More information

G Advanced Cryptography April 10th, Lecture 11

G Advanced Cryptography April 10th, Lecture 11 G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems

More information

Lectures 2+3: Provable Security

Lectures 2+3: Provable Security Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security

More information

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44

More information

Chapter 11 : Private-Key Encryption

Chapter 11 : Private-Key Encryption COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1 Chapter 11 Public-Key Encryption Apologies: all numbering

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:

More information

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it

More information

Public-Key Cryptosystems CHAPTER 4

Public-Key Cryptosystems CHAPTER 4 Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:

More information

Lecture 1: Introduction to Public key cryptography

Lecture 1: Introduction to Public key cryptography Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means

More information

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:

More information

An Introduction to Probabilistic Encryption

An Introduction to Probabilistic Encryption Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic

More information

Digital Signatures. Adam O Neill based on

Digital Signatures. Adam O Neill based on Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE

More information

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval. Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions

More information

A New Paradigm of Hybrid Encryption Scheme

A New Paradigm of Hybrid Encryption Scheme A New Paradigm of Hybrid Encryption Scheme Kaoru Kurosawa 1 and Yvo Desmedt 2 1 Ibaraki University, Japan kurosawa@cis.ibaraki.ac.jp 2 Dept. of Computer Science, University College London, UK, and Florida

More information

Lecture Notes, Week 6

Lecture Notes, Week 6 YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several

More information

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor

More information

Short Exponent Diffie-Hellman Problems

Short Exponent Diffie-Hellman Problems Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and

More information

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP Public-Key Cryptography Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP Diffie-Hellman Key-exchange Secure under DDH: (g x,g x,g xy ) (g x,g x,g r ) Random x {0,..,

More information

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography 1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to

More information

Lecture 7: ElGamal and Discrete Logarithms

Lecture 7: ElGamal and Discrete Logarithms Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 2006-02-07 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that

More information

1 Number Theory Basics

1 Number Theory Basics ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his

More information

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017 Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total

More information

ON CIPHERTEXT UNDETECTABILITY. 1. Introduction

ON CIPHERTEXT UNDETECTABILITY. 1. Introduction Tatra Mt. Math. Publ. 41 (2008), 133 151 tm Mathematical Publications ON CIPHERTEXT UNDETECTABILITY Peter Gaži Martin Stanek ABSTRACT. We propose a novel security notion for public-key encryption schemes

More information

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Intro to Public Key Cryptography Diffie & Hellman Key Exchange Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part

More information

Lecture 17: Constructions of Public-Key Encryption

Lecture 17: Constructions of Public-Key Encryption COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,

More information

Adaptive Security of Compositions

Adaptive Security of Compositions emester Thesis in Cryptography Adaptive ecurity of Compositions Patrick Pletscher ETH Zurich June 30, 2005 upervised by: Krzysztof Pietrzak, Prof. Ueli Maurer Email: pat@student.ethz.ch In a recent paper

More information

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates. COMS W4995 Introduction to Cryptography October 12, 2005 Lecture 12: RSA, and a summary of One Way Function Candidates. Lecturer: Tal Malkin Scribes: Justin Cranshaw and Mike Verbalis 1 Introduction In

More information

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1). 1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not

More information

Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016

Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016 Introduction to Modern Cryptography Recitation 3 Orit Moskovich Tel Aviv University November 16, 2016 The group: Z N Let N 2 be an integer The set Z N = a 1,, N 1 gcd a, N = 1 with respect to multiplication

More information

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Notes for Lecture Decision Diffie Hellman and Quadratic Residues U.C. Berkeley CS276: Cryptography Handout N19 Luca Trevisan March 31, 2009 Notes for Lecture 19 Scribed by Cynthia Sturton, posted May 1, 2009 Summary Today we continue to discuss number-theoretic constructions

More information

REMARKS ON IBE SCHEME OF WANG AND CAO

REMARKS ON IBE SCHEME OF WANG AND CAO REMARKS ON IBE SCEME OF WANG AND CAO Sunder Lal and Priyam Sharma Derpartment of Mathematics, Dr. B.R.A.(Agra), University, Agra-800(UP), India. E-mail- sunder_lal@rediffmail.com, priyam_sharma.ibs@rediffmail.com

More information

Modern Cryptography Lecture 4

Modern Cryptography Lecture 4 Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html

More information

CS 6260 Applied Cryptography

CS 6260 Applied Cryptography CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots

More information

Lecture 11: Key Agreement

Lecture 11: Key Agreement Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we

More information

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle

More information

Lossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems

Lossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems Lossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems Brett Hemenway UCLA bretth@mathuclaedu Rafail Ostrovsky UCLA rafail@csuclaedu January 9, 2010 Abstract In STOC 08, Peikert and Waters

More information

CPA-Security. Definition: A private-key encryption scheme

CPA-Security. Definition: A private-key encryption scheme CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 60 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4

More information

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup October 12, 2001 Abstract We present several new and fairly practical public-key

More information

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004 CMSC 858K Advanced Topics in Cryptography January 27, 2004 Lecturer: Jonathan Katz Lecture 1 Scribe(s): Jonathan Katz 1 Introduction to These Notes These notes are intended to supplement, not replace,

More information

Notes for Lecture 17

Notes for Lecture 17 U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,

More information

Chosen-Ciphertext Security without Redundancy

Chosen-Ciphertext Security without Redundancy This is the full version of the extended abstract which appears in Advances in Cryptology Proceedings of Asiacrypt 03 (30 november 4 december 2003, Taiwan) C. S. Laih Ed. Springer-Verlag, LNCS 2894, pages

More information

Encoding-Free ElGamal Encryption Without Random Oracles

Encoding-Free ElGamal Encryption Without Random Oracles Encoding-Free ElGamal Encryption Without Random Oracles Benoît Chevallier-Mames 1,2, Pascal Paillier 3, and David Pointcheval 2 1 Gemplus, Security Technology Department, La Vigie, Avenue du Jujubier,

More information

Secure and Practical Identity-Based Encryption

Secure and Practical Identity-Based Encryption Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.

More information

A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack

A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack Huafei Zhu InfoComm Security Department, Institute for InfoComm Research. 21 Heng Mui Keng

More information

Modern symmetric-key Encryption

Modern symmetric-key Encryption Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his

More information

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: Syntax symmetric encryption scheme = (K, E, D) consists of three algorithms: SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic 1/ 116 2/ 116 Correct decryption requirement

More information

Computer Science A Cryptography and Data Security. Claude Crépeau

Computer Science A Cryptography and Data Security. Claude Crépeau Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)

More information

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time

More information

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The

More information

f (x) f (x) easy easy

f (x) f (x) easy easy A General Construction of IND-CCA2 Secure Public Key Encryption? Eike Kiltz 1 and John Malone-Lee 2 1 Lehrstuhl Mathematik & Informatik, Fakultat fur Mathematik, Ruhr-Universitat Bochum, Germany. URL:

More information

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How

More information

Simple SK-ID-KEM 1. 1 Introduction

Simple SK-ID-KEM 1. 1 Introduction 1 Simple SK-ID-KEM 1 Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, NW4 4BT, United Kingdom. m.z.cheng@mdx.ac.uk Abstract. In 2001, Boneh and Franklin presented

More information

The Theory and Applications of Homomorphic Cryptography

The Theory and Applications of Homomorphic Cryptography The Theory and Applications of Homomorphic Cryptography by Kevin Henry A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Mathematics

More information

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.

More information

Chapter 11. Asymmetric Encryption Asymmetric encryption schemes

Chapter 11. Asymmetric Encryption Asymmetric encryption schemes Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret

More information

RSA RSA public key cryptosystem

RSA RSA public key cryptosystem RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.

More information

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30 CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).

More information

Introduction to Elliptic Curve Cryptography. Anupam Datta

Introduction to Elliptic Curve Cryptography. Anupam Datta Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups

More information

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance

More information

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without

More information

CTR mode of operation

CTR mode of operation CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext

More information

An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem

An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem An extended abstract of this paper appears in Advances in Cryptology EUROCRYPT 04, Lecture Notes in Computer Science Vol., C. Cachin and J. Camenisch ed., Springer-Verlag, 2004. This is the full version.

More information

Historical cryptography. cryptography encryption main applications: military and diplomacy

Historical cryptography. cryptography encryption main applications: military and diplomacy Historical cryptography cryptography encryption main applications: military and diplomacy ancient times world war II Historical cryptography All historical cryptosystems badly broken! No clear understanding

More information

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3. COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption

More information

8.1 Principles of Public-Key Cryptosystems

8.1 Principles of Public-Key Cryptosystems Public-key cryptography is a radical departure from all that has gone before. Right up to modern times all cryptographic systems have been based on the elementary tools of substitution and permutation.

More information

Candidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.

Candidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used. UNIVERSITY OF EAST ANGLIA School of Mathematics May/June UG Examination 2010 2011 CRYPTOGRAPHY Time allowed: 2 hours Attempt THREE questions. Candidates must show on each answer book the type of calculator

More information