COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
2 Previously
3 Digital Signatures
  Algorithms:
  Gen() → (sk,pk)
  Sign(sk,m) → σ
  Ver(pk,m,σ) → 0/1
  Correctness: Pr[Ver(pk,m,Sign(sk,m)) = 1 : (sk,pk) ← Gen()] = 1
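4 Many-time Signatures
  [Game diagram: challenger runs (sk,pk) ← Gen() and sends pk; adversary sends queries m_i and receives σ_i ← Sign(sk,m_i); adversary outputs (m*,σ*)]
  Output 1 iff:
  m* ∉ {m_1, …}
  Ver(pk,m*,σ*) = 1
  CMA-Adv(adversary) = Pr[challenger outputs 1]
5 Strong Security
  [Game diagram: challenger runs (sk,pk) ← Gen() and sends pk; adversary sends queries m_i and receives σ_i ← Sign(sk,m_i); adversary outputs (m*,σ*)]
  Output 1 iff:
  (m*,σ*) ∉ {(m_1,σ_1), …}
  Ver(pk,m*,σ*) = 1
  CMA-Adv(adversary) = Pr[challenger outputs 1]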
6 Signatures from TDPs
  Gen_Sig() = Gen()
  Sign(sk,m) = F^{-1}(sk, H(m))
  Ver(pk,m,σ): F(pk, σ) == H(m)
  Theorem: If (Gen,F,F^{-1}) is a secure TDP, and H is modeled as a random oracle, then (Gen_Sig,Sign,Ver) is (strongly) CMA-secure
7 Basic Rabin Signatures
  Gen_Sig(): let p,q be random large primes
  sk = (p,q), pk = N = pq
  Sign(sk,m): Solve equation σ^2 = H(m) mod N using factors p,q
  Output σ
  Ver(pk,m,σ): σ^2 mod N == H(m)
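A toy run of the basic Rabin scheme on slide 7, added here as an illustration (it is not code from the lecture). Assumptions: SHA-256 stands in for H, the primes are two small fixed Mersenne primes with p, q = 3 mod 4, and a counter `ctr` is hashed with the message and carried in the signature, because only about a quarter of the values in Z_N have a square root; all function names are hypothetical.

```python
import hashlib

# Constructed toy parameters: two Mersenne primes, both = 3 (mod 4).
# They make square roots easy to compute but are far too small for real use.
P = 2**61 - 1
Q = 2**89 - 1

def hash_to_zn(msg: bytes, ctr: int, n: int) -> int:
    """H(ctr || m) reduced into Z_N (SHA-256 stands in for the random oracle)."""
    digest = hashlib.sha256(ctr.to_bytes(4, "big") + msg).digest()
    return int.from_bytes(digest, "big") % n

def is_square(a: int, p: int) -> bool:
    """Euler's criterion: True iff a is a non-zero square mod the odd prime p."""
    return pow(a, (p - 1) // 2, p) == 1

def rabin_sign(p: int, q: int, msg: bytes):
    """Solve sigma^2 = H(ctr || m) mod N using the factors p and q."""
    n = p * q
    ctr = 0
    while True:
        h = hash_to_zn(msg, ctr, n)
        # A root mod N exists only if h is a square mod p AND mod q,
        # so retry with the next counter until it is (about 4 tries expected).
        if is_square(h % p, p) and is_square(h % q, q):
            break
        ctr += 1
    # For a prime p = 3 (mod 4), h^((p+1)/4) is a square root of h mod p.
    root_p = pow(h, (p + 1) // 4, p)
    root_q = pow(h, (q + 1) // 4, q)
    # Chinese remainder theorem: combine the two roots into a root mod N.
    sigma = (root_p * q * pow(q, -1, p) + root_q * p * pow(p, -1, q)) % n
    # The same root is returned every time for a given message. Releasing two
    # roots s, s' of one value with s != +-s' would give away gcd(s - s', N).
    return ctr, sigma

def rabin_verify(n: int, msg: bytes, sig) -> bool:
    """Ver(pk, m, sigma): sigma^2 mod N == H(ctr || m)."""
    ctr, sigma = sig
    if not (0 <= ctr < 2**32 and 0 <= sigma < n):
        return False
    return pow(sigma, 2, n) == hash_to_zn(msg, ctr, n)

if __name__ == "__main__":
    n = P * Q
    sig = rabin_sign(P, Q, b"pay Bob $100")
    print("counter used:", sig[0])
    print("valid:", rabin_verify(n, b"pay Bob $100", sig))
    print("other message accepted:", rabin_verify(n, b"pay Eve $100", sig))
```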
8 Signatures from One-way Functions
  One-way functions are sufficient to build signature schemes
  Therefore, can build signatures from: RSA, DDH, Block Ciphers, CRHF, etc.
  Limitation: Poor performance in practice
9 Lamport Signatures
  Let F: X → Y be a one-way function
  Let M = {0,1}^n be message space
  Gen(): x_{i,b} ← X, y_{i,b} = F(x_{i,b})
  sk = (x_{i,b}), pk = (y_{i,b})
  [Figure: for n = 5, a grid x_{1,0} … x_{5,0} / x_{1,1} … x_{5,1} labelled sk, mapped by F to a grid y_{1,0} … y_{5,0} / y_{1,1} … y_{5,1} labelled pk]
10 Lamport Signatures
  Sign(sk, m): (x_{i,m_i})_{i=1,…,n}
  Ver(pk,m,σ): F(x_{i,m_i}) = y_{i,m_i}
  [Figure: the sk grid of x_{i,b} and the pk grid of y_{i,b} from the previous slide]
11 Lamport Signatures
  Theorem: If F is a secure OWF, then (Gen,Sign,Ver) is a (weakly) secure one-time signature scheme
12 Proof
  [Figure: the grids of y_{i,b} and x_{i,b} for i = 1,…,5, with y_{2,0}, y_{3,0}, y_{5,0}, y_{1,1}, y_{4,1} singled out]
13 Proof
  Since m* ≠ m, ∃ i s.t. m*_i ≠ m_i
  Suppose we know i, m_i = 1-b, m*_i = b
  Construct adversary that inverts OWF
14 Proof
  [Figure: the reduction. The challenge y* takes the place of y_{3,0} in the pk grid, the entry at position (i,b) of the x grid is unknown, and x* appears at that position among the x_{i,b}]
15 Proof
  View of the forger exactly as in 1-time CMA experiment, assuming
  ith bit of m = b
  ith bit of m* = 1-b
  If the forger always chooses m,m* with these properties, and forges with probability ε, then the inverter inverts with probability ε
16 Proof
  In general, the forger may choose m,m* to differ at arbitrary places
  May be randomly chosen, may depend on pk, may even depend on σ
  May never be at certain places
  How do we make the inverter still succeed?
17 Proof
  (i,b) ← [n] × {0,1}
  If need x_{i,b}, abort
  If no x_{i,b}, abort
  [Figure: the reduction diagram from slide 14, with y* placed at the randomly chosen position (i,b)]
18 Proof
  pk independent of (i,b)
  m independent of (i,b)
  Therefore, Pr[m_i = 1-b] = ½
  Conditioned on m_i = 1-b, signing succeeds
  σ independent of i
  The forger forges with probability ε, independent of i
19 Proof
  We know if the forger forges, then m* ≠ m
  Since m* independent of i, have prob at least 1/n that m*_i = 1-m_i = b
  In this case, the inverter succeeds in inverting y*
  Prob = ½ · ε · 1/n = ε/(2n)
20 Limitations of Lamport Signatures
  Only weakly secure
  Why? How to fix?
  |pk|, |σ| >> |m|
  How to fix?
21 Theorem: Given a secure OWF, it is possible to construct a strongly secure 1-time signature scheme where |m| >> |pk|, |σ|
22 Signing Multiple Messages
  Once adversary sees two signed messages, security is lost (why?)
  How do we sign multiple messages?
23 Signature Chaining
  [Figure: Alice (sk_1) sends m_1, σ_1 to Bob (pk_1)]
  σ_1 ← Sign(sk_1,m_1)
  Ver(pk_1,m_1,σ_1)
24 Signature Chaining
  [Figure: Alice (sk_1) sends m_1, σ_1 = (pk_2,σ_1) to Bob (pk_1)]
  (sk_2,pk_2) ← Gen()
  σ_1 ← Sign(sk_1, (m_1,pk_2))
  Ver(pk_1,(m_1,pk_2),σ_1)
25 Signature Chaining
  [Figure: Alice (sk_1, and (sk_2,pk_2) ← Gen()) sends m_2, σ_2 to Bob (pk_1, pk_2)]
  σ_1 ← Sign(sk_2, m_2)
  Ver(pk_2,m_2,σ_2)
26 Signature Chaining
  Idea: Bob can be assured that pk_2 was in fact generated by Alice
  If Eve tampered with pk_2, then signature on first message would have been invalid
  Therefore, Alice can sign m_2 using sk_2, and Eve cannot produce a forgery m_2 with valid signature
  Can repeat process to sign arbitrarily many messages
27 Signature Chaining
  [Figure: Alice (sk_1, and (sk_2,pk_2) ← Gen()) sends m_2, σ_2 = (pk_3,σ_2) to Bob (pk_1, pk_2)]
  (sk_3,pk_3) ← Gen()
  σ_1 ← Sign(sk_2, (m_2,pk_3))
  Ver(pk_2,(m_2,pk_3),σ_2)
28 Limitations
  Alice and Bob must stay synchronized
  Else, Bob won't be using correct public key to verify
  If many users, every pair needs to be synchronized
  What if Alice is sending messages to Bob and Charlie?
29 (Almost) Stateless Signature Chaining
  [Figure: Alice (sk_1) sends m_2, σ_2 = (m_1,pk_2,σ_1,pk_3,σ_2) to Bob (pk_1)]
  (sk_2,pk_2) ← Gen()
  (sk_3,pk_3) ← Gen()
  σ_1 ← Sign(sk_2, (m_2,pk_3))
  Ver(pk_1,(m_1,pk_2),σ_1)
  Ver(pk_2,(m_2,pk_3),σ_2)
30 Still Limitations
  Now Bob (and Charlie, etc) are stateless
  However, Alice is still stateful
  Needs to remember all messages sent
  Signature length grows with number of messages signed
31 Signature Trees
  [Figure: binary tree of public keys. Root pk; children pk_0, pk_1; next level pk_00, pk_01, pk_10, pk_11; leaves pk_000, pk_001, pk_010, pk_011, pk_100, pk_101, pk_110, pk_111]
  σ ← Sign(sk, (pk_0,pk_1))
  σ_0 ← Sign(sk_0, (pk_00,pk_01))
  σ_1 ← Sign(sk_1, (pk_10,pk_11))
  σ_00, σ_01, σ_10, σ_11
32 Signature Trees
  To sign m_i,
  Compute σ_i ← Sign(sk_i,m_i), where sk_i is the ith leaf
  Must include pk_i in signature so Bob can verify σ_i
  Must authenticate pk_i, so include σ_{P(i)} (and pk_{S(i)})
  Must include pk_{P(i)} so Bob can verify σ_{P(i)}
  Must auth pk_{P(i)}, so include σ_{P(P(i))} (and pk_{S(P(i))})
33 Comparison to Chaining
  Limitations:
  Bounded number of messages (2^d)
  Still requires Alice to keep state (all the sk's, pk's). Size of state 2^d
  Advantages:
  Signature size d, logarithmic in number of messages signed
34 Avoid Large State?
  Alice keeps PRF key k as part of secret key
  For all internal nodes or leaves i, (sk_i,pk_i) ← Gen(; PRF(k, i))
  Alice never stores signatures or public keys
  Instead, she computes needed signatures/public keys on the fly
35 Unbounded Messages
  Set d=128 or 256
  Can now sign up to messages
  Signature size d = 128, so shortish signatures
  Size of state independent of d, so short
  Time to compute signature?
  Only need pk's, σ's on path from root to leaf, plus neighbors
  Only O(d) terms
  Can efficiently compute from PRF key k
36 Fully Stateless?
  So far, still need to keep state to remember which leaf we should use next
  However, now we can do something different:
  Instead of choosing leaves sequentially, just choose leaf at random
  Except with probability O(messages^2/2^d), never use the same leaf twice
37 Putting it Together
  pk
  sk=(sk, k)
  i ← {0,…,2^d-1}
38 Putting it Together
  [Figure: path in the tree of public keys: pk; pk_0, pk_1; pk_00, pk_01; pk_010, pk_011]
  sk=(sk, k)
  i ← {0,…,2^d-1}
  (sk_0,pk_0) ← Gen(; PRF(k, 0))
  (sk_1,pk_1) ← Gen(; PRF(k, 1))
  (sk_00,pk_00) ← Gen(; PRF(k, 00))
  (sk_01,pk_01) ← Gen(; PRF(k, 01))
  σ ← Sign(sk, (pk_0,pk_1))
  σ_0 ← Sign(sk_0, (pk_00,pk_01))
  σ ← Sign(sk_i, m)
  Output all pk_j's and all σ's as signature
39 Putting it Together
  OWF to get 1-time signatures (with large pk's, σ's)
  Hash message 1-time signatures with small pk's, σ's
  Can accomplish using just OWFs
  Create tree of signatures (stateful scheme)
  Make stateless by using a PRF
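The construction summarised above, as one runnable sketch added to this transcript (it is not code from the lecture): the Lamport scheme of slides 9-10 is the one-time signature, and the tree of slides 31-38 derives every node key from a PRF instead of storing it. Assumptions: SHA-256 plays both F and the message hash, HMAC-SHA256 plays the PRF, one-time public keys are sent in full, and all function names are hypothetical. `reuse_exposure` measures why slide 22 says a key must not sign two messages.

```python
import hashlib
import hmac
import secrets

N_BITS = 256  # each one-time signature signs SHA-256(message)

def H(data: bytes) -> bytes:
    """Stands in for the one-way function F and for the message hash."""
    return hashlib.sha256(data).digest()

def prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def bits(digest: bytes):
    return [(byte >> (7 - j)) & 1 for byte in digest for j in range(8)]

def ots_gen(seed: bytes):
    """Lamport Gen(; seed): x_{i,b} expanded from the seed, y_{i,b} = F(x_{i,b})."""
    sk = [[prf(seed, bytes([b]) + i.to_bytes(2, "big")) for b in (0, 1)]
          for i in range(N_BITS)]
    pk = [[H(x) for x in pair] for pair in sk]
    return sk, pk

def ots_sign(sk, msg: bytes):
    """Reveal x_{i,m_i} for every bit m_i of the hashed message."""
    return [sk[i][b] for i, b in enumerate(bits(H(msg)))]

def ots_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != N_BITS:
        return False
    return all(hmac.compare_digest(H(x), pk[i][b])
               for (i, b), x in zip(enumerate(bits(H(msg))), sig))

def reuse_exposure(msg_a: bytes, msg_b: bytes) -> int:
    """Positions i where signing both messages with ONE key reveals x_{i,0} and x_{i,1}."""
    return sum(a != b for a, b in zip(bits(H(msg_a)), bits(H(msg_b))))

def encode_pk(pk) -> bytes:
    return b"".join(y for pair in pk for y in pair)

def node_keys(secret, path: str):
    """(sk_i, pk_i) <- Gen(; PRF(k, i)); the root uses its own stored seed."""
    root_seed, k = secret
    return ots_gen(root_seed if path == "" else prf(k, path.encode()))

def keygen():
    secret = (secrets.token_bytes(32), secrets.token_bytes(32))  # (root seed, PRF key k)
    return secret, node_keys(secret, "")[1]

def tree_sign(secret, msg: bytes, depth: int, leaf: str = None):
    if leaf is None:  # stateless variant: pick the leaf at random
        leaf = format(secrets.randbits(depth), f"0{depth}b")
    chain = []
    for level in range(depth):
        parent = leaf[:level]
        pk0 = node_keys(secret, parent + "0")[1]
        pk1 = node_keys(secret, parent + "1")[1]
        sk_parent = node_keys(secret, parent)[0]
        # An internal node only ever signs this one message, (pk_0, pk_1),
        # because its children are re-derived identically every time.
        chain.append((pk0, pk1, ots_sign(sk_parent, encode_pk(pk0) + encode_pk(pk1))))
    return leaf, chain, ots_sign(node_keys(secret, leaf)[0], msg)

def tree_verify(root_pk, msg: bytes, sig, depth: int) -> bool:
    leaf, chain, leaf_sig = sig
    if len(leaf) != depth or len(chain) != depth or set(leaf) - {"0", "1"}:
        return False
    pk = root_pk
    for bit, (pk0, pk1, sigma) in zip(leaf, chain):
        if not ots_verify(pk, encode_pk(pk0) + encode_pk(pk1), sigma):
            return False
        pk = pk1 if bit == "1" else pk0  # follow the path towards the leaf
    return ots_verify(pk, msg, leaf_sig)

if __name__ == "__main__":
    DEPTH = 8  # small so the demo is quick; the slides use d = 128 or 256
    secret, root_pk = keygen()
    sig = tree_sign(secret, b"pay Bob $100", DEPTH)
    print("leaf:", sig[0], "valid:", tree_verify(root_pk, b"pay Bob $100", sig, DEPTH))
    print("other message accepted:", tree_verify(root_pk, b"pay Eve $100", sig, DEPTH))
    print("positions exposed by key reuse:", reuse_exposure(b"pay Bob $100", b"pay Eve $100"))
```

The signer keeps only the two 32-byte values returned by `keygen`; every public key and signature on the path is recomputed at signing time.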
40 What's Known
  [Figure: diagram relating the primitives OWP, CRH, CPA-PKE, OWF, PRG, Com, PRF, MAC, Auth Enc, PRP, SKE, CCA-PKE, Sig]
41 What's Known
  [Figure: diagram relating the primitives OWP, CRH, CPA-PKE, CCA-PKE, TCR, OWF, PRG, Com, Sig, PRF, MAC, Auth Enc, PRP, SKE]
42 Theorem: Given a secure OWF, it is possible to construct a strongly CMA-secure signature scheme
43 Practical Use?
  Lamport signatures are fast:
  Signing is just revealing part of your secret key
  Verifying is just a few OWF evaluations
  Tree-based signatures are a bit slower
  Need to generate many signatures
  Need to generate many public keys
  Need many PRF evals
44 Practical Use?
  Main limitation: Signature size
  Basic Lamport: 128 bits per message bit
  With hashing, need to sign 256 bit messages
  For signature trees, signature consists of d Lamport signatures (plus public keys)
  d must be big enough to prevent collisions
  E.g. d = 128
  Overall signature size: around a megabit
45 What's the Smallest Signature?
  Signature Trees: 1 megabit
  RSA Hash-and-Sign: 2 kilobits
  ECDSA: around 512 bits
  BLS: 256 bits
  Are 128-bit signatures possible?
46 Obfuscation-Based Signatures
  Let (MAC,Ver) be a message authentication code
  Gen(): k ← K
  sk = k
  pk = Obf( Ver(k, ., .) )
  Sign(sk,m) = MAC(k,m)
  Ver(pk,m,σ) = pk(m,σ)
  Signature size: 128 bits!
  But running time, public key size is horrible
47 Next Time
  Identification protocols: how to prove you are who you say you are
48 Reminders
  HW6 Due Wednesday
  HW7 out Tonight
More informationPublic Key Cryptography
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Public Key Cryptography EECE 412 1 What is it? Two keys Sender uses recipient s public key to encrypt Receiver uses his private key to decrypt
More informationCryptographic Solutions for Data Integrity in the Cloud
Cryptographic Solutions for Stanford University, USA Stanford Computer Forum 2 April 2012 Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. Homomorphic
More informationMessage Authentication Codes (MACs)
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.
More informationSecure Signatures and Chosen Ciphertext Security in a Quantum Computing World. Dan Boneh and Mark Zhandry Stanford University
Secure Signatures and Chosen Ciphertext Security in a Quantu Coputing World Dan Boneh and Mark Zhandry Stanford University Classical Chosen Message Attack (CMA) σ = S(sk, ) signing key sk Classical CMA
More informationQ B (pk, sk) Gen x u M pk y Map pk (x) return [B(pk, y)? = x]. (m, s) A O h
MTAT.07.003 Cryptology II Spring 2012 / Exercise session?? / Example Solution Exercise (FRH in RO model). Show that the full domain hash signature is secure against existential forgeries in the random
More informationInstructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year
Data Privacy and Security Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2017-2018 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum
More information1 Basic Number Theory
ECS 228 (Franklin), Winter 2013, Crypto Review 1 Basic Number Theory This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationProvable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More information