Cryptographic Protocols
1 Cryptographic Protocols
Entity Authentication
Key Agreement
Fiat-Shamir Identification Schemes
Zero-Knowledge Proof Systems
Schnorr's Identification/Signature Scheme
Commitment Schemes
Secret Sharing
Electronic Election

2 Entity Authentication
Problem: Alice wants to prove to Bob that she is Alice, and/or vice versa.
- Private-key based schemes
- Public-key based schemes
- Integrated with key agreement
- Zero-knowledge identification schemes
3 Challenge-and-response using a private key
Alice and Bob share a secret key $k$.
Protocol (insecure):
1. Bob → Alice: a random challenge $r$.
2. Alice → Bob: $y = \mathrm{MAC}_k(r)$.
3. Bob computes $y' = \mathrm{MAC}_k(r)$ and checks if $y = y'$.
Or:
1. Bob → Alice: a random challenge $r$.
2. Alice → Bob: $y = E_k(r)$.
3. Bob checks if $D_k(y) = r$.

4 Parallel session attack
[Figure: Eve, claiming to be Alice, receives Bob's challenge $r$ in session 1. She opens a second session with Bob and sends him the same $r$ as her challenge; Bob answers $y = \mathrm{MAC}_k(r)$. Eve replays $y$ in session 1 and Bob accepts her as Alice.]

5 Countermeasure
[Figure: in the reflected session Bob answers $y = \mathrm{MAC}_k(\mathrm{ID}(\mathrm{Bob}) \| r)$, but in session 1 he expects $y = \mathrm{MAC}_k(\mathrm{ID}(\mathrm{Alice}) \| r)$, so the replayed value fails the check.]

6 Challenge-and-response using a private key
Alice and Bob share a secret key $k$.
Protocol (secure):
1. Bob → Alice: a random challenge $r$.
2. Alice → Bob: $y = \mathrm{MAC}_k(\mathrm{ID}(\mathrm{Alice}) \| r)$.
3. Bob computes $y' = \mathrm{MAC}_k(\mathrm{ID}(\mathrm{Alice}) \| r)$ and checks if $y = y'$.
Or:
1. Bob → Alice: a random challenge $r$.
2. Alice → Bob: $y = E_k(\mathrm{ID}(\mathrm{Alice}) \| r)$.
3. Bob checks if $D_k(y) = \mathrm{ID}(\mathrm{Alice}) \| r$.

7 Mutual authentication using a private key
Alice and Bob share a secret key $k$.
Protocol (insecure):
1. Bob → Alice: a random challenge $r_1$.
2. Alice → Bob: $y_1 = \mathrm{MAC}_k(\mathrm{ID}(\mathrm{Alice}) \| r_1)$ and $r_2$.
3. Bob → Alice: $y_2 = \mathrm{MAC}_k(\mathrm{ID}(\mathrm{Bob}) \| r_2)$.
4. Alice and Bob verify each other's response.

8 Man-in-the-middle attack
[Figure: Eve runs two sessions in parallel. Session 1, Eve claiming to be Bob: Eve → Alice: $r_1$; Alice → Eve: $\mathrm{MAC}_k(A \| r_1)$, $r_2$. Session 2, Eve claiming to be Alice: Eve → Bob: $r_2$; Bob → Eve: $\mathrm{MAC}_k(B \| r_2)$, $r_3$. Eve relays $\mathrm{MAC}_k(B \| r_2)$ to Alice in session 1, and Alice accepts Eve as Bob; session 2 is simply abandoned.]

9 Countermeasure
[Figure: the responder binds her response to both nonces. Alice sends $\mathrm{MAC}_k(A \| r_1 \| r_2)$, and Bob as responder in session 2 now answers $\mathrm{MAC}_k(B \| r_2 \| r_3)$, which is not the value $\mathrm{MAC}_k(B \| r_2)$ that Alice expects from an initiator in session 1.]

10 Mutual authentication using a private key
Alice and Bob share a secret key $k$.
Protocol (secure):
1. Bob → Alice: a random challenge $r_1$.
2. Alice → Bob: $y_1 = \mathrm{MAC}_k(\mathrm{ID}(\mathrm{Alice}) \| r_1 \| r_2)$ and $r_2$.
3. Bob → Alice: $y_2 = \mathrm{MAC}_k(\mathrm{ID}(\mathrm{Bob}) \| r_2)$.
4. Alice and Bob verify each other's response.
Alternatively:
3. Bob → Alice: $y_2 = \mathrm{MAC}_k(\mathrm{ID}(\mathrm{Bob}) \| r_2 \| r_1)$.
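The two attacks of slides 4 and 8 and the fixes of slides 6 and 10, run end to end. This is an added example written for these notes, not code from the slides: the MAC is HMAC-SHA256 with length-prefixed fields (an assumption; the slides leave the MAC abstract), the shared key is generated in-process, and the party classes, names and attack functions are illustrative.

```python
import hmac
import hashlib
import os

# Shared long-term key k, generated here for the demo (assumption: it was
# distributed out of band).
K = os.urandom(32)


def mac(key, *parts):
    """MAC_k(part_1 || part_2 || ...) with length prefixes so the
    concatenation cannot be re-parsed ambiguously."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class Responder:
    """Answers a single challenge: MAC_k(r) in the insecure variant,
    MAC_k(ID || r) in the identity-bound variant (slide 6)."""

    def __init__(self, name, key, bind_identity):
        self.name, self.key, self.bind = name.encode(), key, bind_identity

    def respond(self, r):
        return mac(self.key, self.name, r) if self.bind else mac(self.key, r)

    def verify(self, claimed_name, r, y):
        expected = mac(self.key, claimed_name, r) if self.bind else mac(self.key, r)
        return hmac.compare_digest(expected, y)


def honest_identification(bind_identity):
    alice = Responder("Alice", K, bind_identity)
    bob = Responder("Bob", K, bind_identity)
    r = os.urandom(16)                        # 1. Bob -> Alice: r
    y = alice.respond(r)                      # 2. Alice -> Bob: y
    return bob.verify(b"Alice", r, y)         # 3. Bob checks y


def reflection_attack(bind_identity):
    """Parallel-session attack (slide 4): Eve, claiming to be Alice, receives
    Bob's challenge r, opens a second session with Bob, sends him the same r
    as her challenge, and replays Bob's answer in the first session."""
    bob = Responder("Bob", K, bind_identity)
    r = os.urandom(16)                        # session 1: Bob -> Eve("Alice"): r
    y_from_bob = bob.respond(r)               # session 2: Eve -> Bob: r; Bob -> Eve: MAC
    return bob.verify(b"Alice", r, y_from_bob)   # session 1: Eve -> Bob: y


class MutualParty:
    """Three-message mutual authentication; either side may initiate."""

    def __init__(self, name, key, bind_both_nonces):
        self.name, self.key, self.secure = name.encode(), key, bind_both_nonces

    def respond(self, r_in):
        """Responder's message (y1, r_out): y1 = MAC_k(ID || r_in) in the
        insecure protocol, MAC_k(ID || r_in || r_out) in the fixed one."""
        r_out = os.urandom(16)
        if self.secure:
            return mac(self.key, self.name, r_in, r_out), r_out
        return mac(self.key, self.name, r_in), r_out

    def finish(self, r):
        """Initiator's final message y2 = MAC_k(ID || r)."""
        return mac(self.key, self.name, r)

    def check_final(self, peer_name, r, y2):
        return hmac.compare_digest(mac(self.key, peer_name, r), y2)


def interleaving_attack(bind_both_nonces):
    """Slide 8: Eve impersonates Bob to Alice, using Bob as an oracle in a
    parallel session. Alice responds in session 1, Bob responds in session 2,
    and Eve never needs to complete session 2."""
    alice = MutualParty("Alice", K, bind_both_nonces)
    bob = MutualParty("Bob", K, bind_both_nonces)
    r1 = os.urandom(16)                       # session 1: Eve("Bob") -> Alice: r1
    y1, r2 = alice.respond(r1)                # Alice -> Eve: MAC_k(A||r1[||r2]), r2
    y2_from_bob, r3 = bob.respond(r2)         # session 2: Eve("Alice") -> Bob: r2; Bob answers
    return alice.check_final(b"Bob", r2, y2_from_bob)   # session 1: Eve -> Alice: y2
```

The identity fix stops the reflection because Bob's own answers never carry Alice's name; the two-nonce fix stops the interleaving because a responder's output has a different shape from the initiator's final message, so one cannot be substituted for the other. Neither fix helps against a pure relay in which Eve forwards every message unchanged between two honest parties; that needs channel binding, which these slides do not cover.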
11 Public-key mutual authentication
Protocol (secure):
1. Bob → Alice: a random challenge $r_1$.
2. Alice → Bob: $y_1 = \mathrm{Sign}_{sk(\mathrm{Alice})}(\mathrm{ID}(\mathrm{Bob}) \| r_1 \| r_2)$ and $r_2$.
3. Bob → Alice: $y_2 = \mathrm{Sign}_{sk(\mathrm{Bob})}(\mathrm{ID}(\mathrm{Alice}) \| r_2)$.
4. Alice and Bob verify each other's response.
Alternatively:
3. Bob → Alice: $y_2 = \mathrm{Sign}_{sk(\mathrm{Bob})}(\mathrm{ID}(\mathrm{Alice}) \| r_2 \| r_1)$.

12 Key Agreement/Distribution

13 Two levels of keys
Master (long-lived) keys: used for entity authentication and session key agreement/distribution.
Session keys: (symmetric) keys used only for a session.
Reasons for using session keys:
1. Limiting the amount of ciphertext available to attackers.
2. Limiting the damage to only a session in case of session key compromise.
3. Symmetric encryption is faster.

14 Key establishment
Key distribution: an online TA (trusted authority) chooses session keys and distributes them to users via a key distribution protocol.
Key agreement: two parties agree on a session key via a key agreement protocol without involving a TA.

15 Diffie-Hellman key agreement
Alice and Bob wish to agree on a secret key.
1. Alice and Bob agree on a large prime $p$ and a primitive root $\alpha \in \mathbb{Z}_p^*$ such that $p - 1$ has a large prime factor.
2. Alice → Bob: $\alpha^a \bmod p$, where $a \in_R \mathbb{Z}_{p-1}$.
3. Bob → Alice: $\alpha^b \bmod p$, where $b \in_R \mathbb{Z}_{p-1}$.
4. They agree on the key $\alpha^{ab} \bmod p$.
Security: provides protection against eavesdroppers. Insecure against active adversaries. Problem: lack of authentication.
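Unauthenticated Diffie-Hellman and the active attack the slide warns about, as an added example (not part of the slides). The group is a toy safe prime $p = 1019$ with $\alpha$ found by the order test for safe primes; that choice and the function names are assumptions made for the demo, and a real deployment would use a standardized group of at least 2048 bits.

```python
import secrets

# Toy safe prime p = 2q + 1 (assumption: real use needs a >= 2048-bit group
# such as RFC 3526 group 14; the arithmetic below is unchanged).
P = 1019


def primitive_root(p):
    """Smallest generator of Z_p^* for a safe prime p = 2q + 1: an element
    has order p - 1 iff neither g^2 = 1 nor g^q = 1."""
    q = (p - 1) // 2
    for g in range(2, p):
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return g
    raise ValueError("no generator found; is p a safe prime?")


def dh_keypair(p, alpha):
    """Private exponent a in Z_{p-1} (nonzero) and public value alpha^a mod p."""
    a = secrets.randbelow(p - 2) + 1
    return a, pow(alpha, a, p)


def dh_shared(p, my_private, peer_public):
    return pow(peer_public, my_private, p)


def honest_exchange(p=P):
    alpha = primitive_root(p)
    a, A = dh_keypair(p, alpha)              # Alice -> Bob: A = alpha^a
    b, B = dh_keypair(p, alpha)              # Bob -> Alice: B = alpha^b
    return dh_shared(p, a, B) == dh_shared(p, b, A)   # both hold alpha^{ab}


def mitm_exchange(p=P):
    """Eve replaces each public value with her own. Nothing in the protocol
    lets either side notice, because alpha^a and alpha^b are not
    authenticated: Eve ends up sharing one key with Alice and another with Bob."""
    alpha = primitive_root(p)
    a, A = dh_keypair(p, alpha)
    b, B = dh_keypair(p, alpha)
    e1, E1 = dh_keypair(p, alpha)            # Eve's exponent toward Alice
    e2, E2 = dh_keypair(p, alpha)            # Eve's exponent toward Bob
    # Alice sends A; Eve forwards E2 to Bob. Bob sends B; Eve forwards E1 to Alice.
    k_alice = dh_shared(p, a, E1)
    k_bob = dh_shared(p, b, E2)
    k_eve_with_alice = dh_shared(p, e1, A)
    k_eve_with_bob = dh_shared(p, e2, B)
    return k_alice == k_eve_with_alice and k_bob == k_eve_with_bob
```

`mitm_exchange` returning true is the whole point of slides 16 and 17: the fix is to sign the exchanged values, not to change the arithmetic.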
16 Public-key mutual authentication
Protocol:
1. Alice → Bob: a random challenge $r_1$.
2. Bob → Alice: $y_1 = \mathrm{Sign}_{sk(\mathrm{Bob})}(\mathrm{ID}(\mathrm{Bob}) \| r_1 \| r_2)$ and $r_2$.
3. Alice → Bob: $y_2 = \mathrm{Sign}_{sk(\mathrm{Alice})}(\mathrm{ID}(\mathrm{Alice}) \| r_2)$.
4. Alice and Bob verify each other's response.
Combine Diffie-Hellman with the above protocol: Alice uses $\alpha^a$ for $r_1$; Bob uses $\alpha^b$ for $r_2$.

17 Station-to-station protocol
Alice and Bob each have a signature key pair.
Protocol:
0. A and B agree on $p$ and $\alpha \in \mathbb{Z}_p^*$ as in DH key agreement.
1. A → B: $r_1 = \alpha^a$, where $a \in_R \mathbb{Z}_{p-1}$.
2. B → A: $r_2 = \alpha^b$ and $y_1 = \mathrm{Sign}_{sk_B}(B \| r_2 \| r_1)$, where $b \in_R \mathbb{Z}_{p-1}$.
3. A → B: $y_2 = \mathrm{Sign}_{sk_A}(A \| r_1 \| r_2)$.
4. If all verifications pass, use $k = \alpha^{ab}$ as the session key.
Remark: the signatures may be further encrypted with $k$.

18 Public-key based authenticated key agreement
Alice and Bob each have an encryption key pair and a signature key pair.
Protocol:
1. A → B: a random challenge $r_1$.
2. B → A: $y_1 = \mathrm{Sign}_{sk_B}(A \| r_1 \| r_2 \| c)$, $r_2$, and $c = E_{e_A}(k)$, where $k$ is a session key chosen by B and $e_A$ is Alice's public encryption key.
3. A → B: $y_2 = \mathrm{Sign}_{sk_A}(B \| r_2)$.
4. Alice and Bob verify each other's response. If all verifications pass, Alice decrypts $c$ to obtain $k$. They can now use $k$ as the session key.
Security: this protocol provides no forward secrecy.

19 Forward secrecy
Suppose Eve records all (encrypted) messages exchanged between Alice and Bob during a session. If later Eve gets Alice's decryption key $d_A$, she will be able to decrypt $c$ to get the session key $k$.
A session-key exchange scheme is said to provide forward secrecy if it resists this kind of attack (i.e., session keys remain secure even if master keys are compromised).
Station-to-station provides forward secrecy: $k = \alpha^{ab}$ is never sent, and the signing keys alone do not reveal $a$ or $b$.
20 Identification Schemes based on zero-knowledge interactive proof systems

21 Interactive proof system
There is a secret, say $x$, known only to its owner, Peggy. The prover, Peggy, wishes to convince the verifier that she knows the secret, thereby proving her identity. The verifier, Vic, verifies whether the prover knows the secret.
Basic requirements (without adversaries):
Completeness: Peggy, who knows the secret, always succeeds in convincing Vic.
Soundness: anyone who doesn't know the secret can only succeed in convincing Vic with small probability.
Desired property: zero-knowledge.

22 Password scheme
Secret: Peggy's password.
Protocol: Peggy sends her username and password to Vic. Vic accepts Peggy's identity if the submitted password equals the stored password.
Comments: complete and sound; not zero-knowledge (Peggy reveals information that may be used later by the adversary).

23 Scheme based on public-key encryption
Secret: Peggy has a secret key $sk$ and public key $pk$.
Protocol:
1. Vic → Peggy: $c = E_{pk}(m)$, $m$ randomly chosen.
2. Peggy → Vic: $m' = D_{sk}(c)$.
3. Vic accepts Peggy's identity iff $m = m'$.
Comments: complete and sound. Problem: if Vic is not honest and has a ciphertext $c$ of Peggy's, he can have $c$ decrypted (by Peggy). This scheme is not zero-knowledge.

24 Zero-Knowledge
The schemes based on passwords and encryption are not zero-knowledge; the prover reveals some knowledge to the verifier or eavesdropper. We are interested in a proof system in which the prover proves her knowledge of some secret without revealing anything about that secret. We will formalize the notion of zero-knowledge. But first let us look at a proof system which will be proved to be zero-knowledge.

25 Fiat-Shamir identification scheme (ideas)
Parameters: $n = pq$, $y = x^2 \bmod n$; computations done in $\mathbb{Z}_n^*$.
Keys: public $(n, y)$; secret $x$, known to Peggy only.
First attempt:
1. Peggy chooses a random $r \in \mathbb{Z}_n^*$ and sends $(a, b) = (r^2, rx)$ to Vic.
2. Vic accepts Peggy's identity iff $b^2 = ay$.
Comments: the scheme is complete. Not sound: Eve can impersonate Peggy by sending $(a, b) = (b^2 y^{-1}, b)$, where $b \in_R \mathbb{Z}_n^*$.

26 Basic idea
Let $f$ be a homomorphic one-way function: $x \mapsto y = f(x)$, $r \mapsto a = f(r)$, and $b = xr \mapsto f(b) = f(x) f(r) = ay$.
Peggy sends $(a, b)$, and Vic checks if $f(b) = ay$.
Peggy is supposed to choose $a = f(r)$ and $b = xr$. Eve can cheat by not following this rule.
Countermeasure: with probability $1/2$, ask Peggy to reveal $r$.

27 Fiat-Shamir identification scheme (simplified)
Parameters: $n = pq$, $y = x^2 \bmod n$; computations done in $\mathbb{Z}_n^*$.
Keys: public $(n, y)$, secret $x$.
Protocol:
1. Peggy → Vic: $a = r^2$, with $r \in \mathbb{Z}_n^*$ randomly chosen.
2. Vic → Peggy: $e \in \{0, 1\}$, randomly chosen.
3. Peggy → Vic: $b = r x^e$ (i.e., $r$ if $e = 0$, and $rx$ if $e = 1$).
4. Vic accepts Peggy's identity iff $b^2 = a y^e$.
Comments: step 1 is a commitment; step 2 a challenge; step 3 a response.

28 Completeness: obvious.
Soundness: without knowing $x$, Eve can only successfully impersonate Peggy with probability $1/2 + \mathrm{negl}(n)$. To cheat with probability non-negligibly better than $1/2$, Eve has to choose $a$ in a way such that with non-negligible probability she can answer both challenges $e = 0$ and $e = 1$. That is, with non-negligible probability Eve can come up with a value $a$ and two values $b_0$ and $b_1$ such that $b_0^2 = a$ and $b_1^2 = ay$. Thus, with non-negligible probability, Eve can compute $\sqrt{y} = b_1 b_0^{-1} \bmod n$. Computing square roots modulo $n$ is intractable (it is equivalent to factoring $n$).

29 Eve can cheat with probability $1/2$
(Idea: Eve guesses $e$ and prepares $(a, b)$ accordingly.)
1. Eve → Vic: $a = b^2 y^{-e'}$, where $b \in_R \mathbb{Z}_n^*$ and $e' \in_R \{0, 1\}$.
2. Vic → Eve: $e \in \{0, 1\}$, randomly chosen.
3. Eve → Vic: $b$.
4. Vic accepts Peggy's identity iff $b^2 = a y^e$. (Eve succeeds in cheating iff $e = e'$.)

30 Q: is it possible to cheat with probability $p$ with $1/2 < p - \mathrm{negl}(n)$?
If the protocol is run $t$ times, Eve's probability of cheating will be reduced to $2^{-t} + \mathrm{negl}(n)$.

31 General Fiat-Shamir scheme (ideas)
Do this $t$ times in parallel, with $t$ independent commitments:
$a_1 = r_1^2, \ldots, a_t = r_t^2$; challenges $e_1, \ldots, e_t$; responses $b_1 = r_1 x^{e_1}, \ldots, b_t = r_t x^{e_t}$; checks $b_1^2 = a_1 y^{e_1}, \ldots, b_t^2 = a_t y^{e_t}$.
Or use $t$ secrets $x_1, \ldots, x_t$ with a single commitment:
$a = r^2$; challenge $(e_1, \ldots, e_t)$; response $b = r x_1^{e_1} \cdots x_t^{e_t}$; check $b^2 = a y_1^{e_1} \cdots y_t^{e_t}$.

32 General Fiat-Shamir identification scheme
Public key: $(n, y_1, \ldots, y_t)$, where $n = pq$ and $y_i = x_i^2 \pmod n$.
Secret key: $(x_1, \ldots, x_t)$, where $x_i \in \mathbb{Z}_n^*$.
Protocol: repeat the following $k$ times:
1. Peggy → Vic: $a = r^2$, $r \in \mathbb{Z}_n^*$ randomly chosen.
2. Vic → Peggy: $e = (e_1, \ldots, e_t) \in \{0, 1\}^t$, randomly chosen.
3. Peggy → Vic: $b = r x_1^{e_1} \cdots x_t^{e_t}$.
4. Vic rejects if $b^2 \neq a y_1^{e_1} \cdots y_t^{e_t}$.

33 Remarks:
Eve can succeed in cheating if she guesses $(e_1, \ldots, e_t)$ correctly in each of the $k$ iterations: $\Pr = 2^{-kt}$.
Same level of security for various $k, t$ if $kt$ is constant.
Still zero-knowledge for $t = O(\log \log n)$ and $k = O(\log n)$. If $t, k$ are too large, the simulator will no longer be polynomial in expected running time.
Number of exchanged bits: $k(2|n| + t)$.
Number of multiplications: $k(t+1)/2$ on average.
Size of prover's secret: $t|n|$.

34 We can always convert an interactive proof system into a digital signature scheme.
Commitment $a = r^2$; challenge $e$; response $b = r x^e$; check $b^2 = a y^e$.
1. Compute $a, e, b$ in that order.
2. Involve $m$ in $e$: $e = \mathrm{hash}(m, a)$, and use $(e, b)$ as the signature.
$\mathrm{signature}(m) = (a, e, b)$ or just $(e, b)$.

35 Fiat-Shamir signature scheme ($k = 1$)
Public key: $(n, y_1, \ldots, y_t)$, where $n = pq$ and $y_i = x_i^2 \pmod n$.
Secret key: $(x_1, \ldots, x_t)$, where $x_i \in \mathbb{Z}_n^*$.
Hash function: $h: \{0,1\}^* \to \{0,1\}^t$.
$\mathrm{Sign}_{sk}(m) = (e, b)$:
1. choose $r \in \mathbb{Z}_n^*$ at random; let $a = r^2$.
2. compute $e = h(m \| a) = (e_1, \ldots, e_t)$.
3. compute $b = r x_1^{e_1} \cdots x_t^{e_t}$.
$\mathrm{Verify}_{pk}(m, e, b)$: compute $a = b^2 y_1^{-e_1} \cdots y_t^{-e_t}$ and accept iff $e = h(m \| a)$.

36 Remarks:
A straightforward but less interesting alternative is to include $a$ in the signature, i.e., $\mathrm{Sign}_{sk}(m) = (a, e, b)$, and verify the signature by checking if $e = h(m \| a)$ and $a = b^2 y_1^{-e_1} \cdots y_t^{-e_t}$.
What if we compute $e = h(m)$ without $a$?

37 Fiat-Shamir signature scheme
Public key: $(n, y_1, \ldots, y_t)$, where $n = pq$ and $y_i = x_i^2 \pmod n$.
Secret key: $(x_1, \ldots, x_t)$, where $x_i \in \mathbb{Z}_n^*$.
Hash function: $h: \{0,1\}^* \to \{0,1\}^{kt}$.
$\mathrm{Sign}_{sk}(m) = (e, b)$:
1. choose $r_1, \ldots, r_k \in \mathbb{Z}_n^*$ at random; let $a_i = r_i^2$, $1 \le i \le k$.
2. compute $e = h(m \| a_1 \| \cdots \| a_k) = (e_{ij})$, $1 \le i \le k$, $1 \le j \le t$.
3. compute $b = (b_1, \ldots, b_k)$, with $b_i = r_i x_1^{e_{i1}} \cdots x_t^{e_{it}}$.
$\mathrm{Verify}_{pk}(m, e, b)$: compute $a_i = b_i^2 y_1^{-e_{i1}} \cdots y_t^{-e_{it}}$, $1 \le i \le k$, and accept iff $e = h(m \| a_1 \| \cdots \| a_k)$.
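The $k = 1$ signature scheme of slide 35, plus the broken variant slide 36 asks about, as an added example written for these notes (not code from the slides). Assumptions: the toy modulus is the product of the Mersenne primes $2^{31}-1$ and $2^{61}-1$ (a real key uses two primes of about 1024 bits each), $h$ is the low $t = 32$ bits of SHA-256 over $m \| a$, and the function names are illustrative. Modular inverses use Python's `pow(x, -1, n)` (3.8+).

```python
import hashlib
import secrets
from math import gcd

# Toy modulus (assumption): n = (2^31 - 1)(2^61 - 1); real keys use two
# ~1024-bit primes. The factors are needed only to build n here.
N = (2**31 - 1) * (2**61 - 1)
T = 32                       # number of secrets = number of challenge bits


def rand_unit(n):
    """Uniform element of Z_n^*."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r


def keygen(t=T, n=N):
    xs = [rand_unit(n) for _ in range(t)]
    ys = [pow(x, 2, n) for x in xs]          # y_i = x_i^2 mod n
    return xs, (n, ys)


def hash_bits(m, a, t=T):
    """e = h(m || a) as a list of t bits (assumption: SHA-256 truncated)."""
    digest = hashlib.sha256(m + b"|" + str(a).encode()).digest()
    bits = int.from_bytes(digest, "big")
    return [(bits >> i) & 1 for i in range(t)]


def sign(xs, pk, m):
    n, _ = pk
    r = rand_unit(n)
    a = pow(r, 2, n)                          # 1. commitment a = r^2
    e = hash_bits(m, a)                       # 2. challenge from the hash
    b = r                                     # 3. b = r * prod x_i^{e_i}
    for x, e_i in zip(xs, e):
        if e_i:
            b = b * x % n
    return e, b


def verify(pk, m, sig):
    n, ys = pk
    e, b = sig
    a = pow(b, 2, n)                          # a = b^2 * prod y_i^{-e_i}
    for y, e_i in zip(ys, e):
        if e_i:
            a = a * pow(y, -1, n) % n
    return e == hash_bits(m, a)


def verify_without_commitment(pk, m, sig):
    """Slide 36's question: if e = h(m) does not involve a, the verifier has
    nothing to compare the recomputed a against, so any b passes."""
    e, _ = sig
    return e == hash_bits(m, 0)               # a plays no role at all


def forge_without_commitment(pk, m):
    """No secret needed: e = h(m) and an arbitrary b."""
    return hash_bits(m, 0), rand_unit(pk[0])
```

The verifier never sees $a$; it recomputes it from $(e, b)$ and the public squares, and the hash check is what ties $b$ to that $a$. Dropping $a$ from the hash input removes the only place where $b$ is constrained, which is the point of the last two functions.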
38 Zero-Knowledge Proof Systems

39 Zero knowledge
An interactive proof system consists of two algorithms $(P, V)$. Informally, $(P, V)$ is zero-knowledge if anything that can be efficiently computed after interacting with $P$ can also be efficiently computed without interacting with $P$.
Q: how to formally formulate this notion of zero-knowledge?
$P, V, V^*$: honest prover, honest verifier, and any verifier $V^*$ (honest or dishonest).
Common input: some public object $y$. Peggy the prover wishes to prove that she knows some secret $x$ about $y$.

40 Messages from $P$ to $V$: $m_1, m_3, \ldots$; messages from $V$ to $P$: $m_2, m_4, \ldots$
Transcript of the joint computation of $P$ and $V$ on input $y$: $\mathrm{tr}_{P,V}(y) = (m_1, m_2, \ldots, m_n)$.
A transcript is a random variable, depending on the random bits chosen by $P$ and $V$ during their executions.
Accepting transcript: one after which $V$ accepts at the last move.
If the proof system is complete and $P$ does know the secret, then $\mathrm{tr}_{P,V}(y)$ is an accepting transcript.

41 Definition of (perfect) zero-knowledge
An interactive proof system $(P, V)$ is zero-knowledge if there is a probabilistic simulator $S(V^*, y)$ such that
1. $S$ runs in expected polynomial time;
2. for every verifier $V^*$ (honest or not) and input $y$, $S$ always generates an accepting transcript $t_{S(V^*,y)} = (m_1', m_2', \ldots, m_n')$;
3. the two random variables $t_{S(V^*,y)}$ and $\mathrm{tr}_{P,V^*}(y) = (m_1, m_2, \ldots, m_n)$ have the same distribution.
(Assumption: the proof system is complete and sound and $P$ is honest.)

42 Remarks
A simulator $S$ is an algorithm. Its input is a (public) object $y$ and a subroutine $V^*$. $S$ simulates the communications between $P$ and $V^*$ without interacting with $P$. Since $S$ does not interact with $P$, it obtains zero knowledge from $P$. Any information $V^*$ may acquire by interacting with $P$, he can acquire from $S$ without interacting with $P$. Thus, $P$ does not reveal any knowledge about her secret by interacting with $V^*$.
Zero-knowledge is a property of $P$ (honest).

43 Simplified Fiat-Shamir is zero-knowledge
For $y$ and $V^*$, the set of accepting transcripts: $T = \{(a, e, b) \in \mathrm{QR}_n \times \{0,1\} \times \mathbb{Z}_n^* : b^2 = a y^e\}$.
Simulator $S(V^*, y)$:
1. while true do
2.   select $e' \in \{0, 1\}$ and $b \in \mathbb{Z}_n^*$ uniformly at random;
3.   $a \leftarrow b^2 y^{-e'}$;
4.   $e \leftarrow V^*(a)$;
5.   if $e = e'$ then return $(a, e, b)$.

44 Expected running time of $S(V^*, y)$: polynomial.
$\Pr(e = e') = 1/2$ regardless of how $V^*$ generates $e$. Let $\Pr(e = 0) = p$. Then $\Pr(e = e') = \Pr(e = 0, e' = 0) + \Pr(e = 1, e' = 1) = p/2 + (1-p)/2 = 1/2$.
Each iteration succeeds with probability $1/2$. Expected number of iterations for $S(V^*, y)$ to generate an accepting transcript: 2.
What's the worst-case running time?

45 $(a, e, b) \in T$ and $(a', e', b')$ have the same distribution:
1. $a$ and $a'$ are both uniformly distributed over $\mathrm{QR}_n$. ($a = r^2$, $r \in_R \mathbb{Z}_n^*$; $a' = b'^2 y^{-e'}$, $e' \in_R \{0,1\}$, $b' \in_R \mathbb{Z}_n^*$.)
2. $e$ and $e'$ are distributed according to $V^*(a, y)$: $\Pr(e' = \varepsilon \mid e = e') = \Pr(e' = \varepsilon)\Pr(e = \varepsilon)/\Pr(e = e') = \Pr(e = \varepsilon)$.
3. $b$ and $b'$ are uniformly distributed over $\mathbb{Z}_n^*$. ($b = r x^e$, $r \in_R \mathbb{Z}_n^*$, $e \in_R \{0,1\}$; $b' \in_R \mathbb{Z}_n^*$.)
4. $b'$ depends on $(a', e')$ the same way $b$ depends on $(a, e)$: $b^2 = a y^e$ and $b'^2 = a' y^{e'}$.
5. $a$ and $e$ are independent; so are $a'$ and $e'$.
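The simplified Fiat-Shamir protocol of slide 27 together with the three arguments made about it: the guessing cheater of slide 29, the square-root extractor behind the soundness claim of slide 28, and the rewinding simulator of slide 43. This is an added example written for these notes, not code from the slides. Assumptions: the toy modulus is $(2^{31}-1)(2^{61}-1)$ (real keys use two ~1024-bit primes), the verifier $V^*$ is modelled as any callable from the commitment to a bit, and the function names are illustrative.

```python
import secrets
from math import gcd

# Toy modulus (assumption): n = (2^31 - 1)(2^61 - 1); real keys use two ~1024-bit primes.
N = (2**31 - 1) * (2**61 - 1)


def rand_unit(n=N):
    """Uniform element of Z_n^*."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r


def keygen():
    x = rand_unit()
    return x, pow(x, 2, N)                    # secret x, public y = x^2 mod n


def commit():
    r = rand_unit()
    return r, pow(r, 2, N)                    # 1. Peggy -> Vic: a = r^2


def respond(r, x, e):
    return r * pow(x, e, N) % N               # 3. Peggy -> Vic: b = r x^e


def check(y, a, e, b):
    return pow(b, 2, N) == a * pow(y, e, N) % N   # 4. b^2 == a y^e


def identify(x, y, t=20):
    """t sequential rounds (slide 30): an impersonator passes all of them with probability 2^-t."""
    for _ in range(t):
        r, a = commit()
        e = secrets.randbelow(2)              # 2. Vic -> Peggy: e
        if not check(y, a, e, respond(r, x, e)):
            return False
    return True


def fake_transcript(y):
    """Pick b and a guessed challenge e' first, then a = b^2 y^{-e'}:
    (a, e', b) verifies without knowing x."""
    e_guess, b = secrets.randbelow(2), rand_unit()
    a = pow(b, 2, N) * pow(pow(y, -1, N), e_guess, N) % N
    return a, e_guess, b


def cheat_round(y):
    """Slide 29: Eve commits to a fake transcript and wins iff Vic's e equals her guess."""
    a, e_guess, b = fake_transcript(y)
    return check(y, a, secrets.randbelow(2), b)


def extract(b0, b1):
    """Slide 28: b0^2 = a and b1^2 = a y for the same a give sqrt(y) = b1 / b0 mod n."""
    return b1 * pow(b0, -1, N) % N


def simulate(verifier, y):
    """Slide 43: S(V*, y) rewinds until V*'s challenge matches the guess.
    Each attempt succeeds with probability 1/2 whatever V* does."""
    attempts = 0
    while True:
        attempts += 1
        a, e_guess, b = fake_transcript(y)
        if verifier(a) == e_guess:            # e <- V*(a)
            return (a, e_guess, b), attempts
```

`fake_transcript` is used both by the cheater and by the simulator, which is exactly the slide's argument: a transcript that anyone can produce without $x$ cannot carry knowledge of $x$. The extractor is the other side of the same coin: a prover who can answer both challenges on one commitment has effectively handed over a square root of $y$.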
46 Schnorr's Identification Scheme
Another example of a zero-knowledge interactive proof system, involving proof of knowledge of a discrete logarithm.

47 Schnorr's identification scheme
System setup: $p, q$ large primes with $q \mid p - 1$; $G_q$ the unique subgroup of order $q$ of $\mathbb{Z}_p^*$; $g$ any generator of $G_q$; $y = g^x$ for some $x \in_R \mathbb{Z}_q$ known only to Peggy.
Problem: Peggy wishes to prove that she knows $x$.
Protocol:
1. Peggy → Vic: $a = g^r$, where $r \in_R \mathbb{Z}_q$. (commitment)
2. Vic → Peggy: $c \in_R \mathbb{Z}_q$. (challenge)
3. Peggy → Vic: $b = r - cx \bmod q$. (response)
4. Vic accepts iff $a = g^b y^c$.

48 Remarks:
Completeness: trivial.
Soundness: Eve can cheat with $\Pr = 1/q$ by guessing a $c'$, committing $a = g^r y^{c'}$, and responding with $b = r$.
Eve cannot cheat with probability non-negligibly $> 1/q$. Otherwise, with non-negligible probability she can choose an $a$ for which she can compute $b$ and $b'$ that successfully answer two distinct challenges $c$ and $c'$: $a = g^b y^c$ and $a = g^{b'} y^{c'}$, from which she can compute $\log_g y = (b - b')(c' - c)^{-1} \bmod q$.

49 Honest-verifier zero-knowledge:
Accepting transcripts: $\{(a, c, b) : a = g^b y^c\}$.
$a = g^r \in G_q$ is uniformly distributed. $c \in_R \mathbb{Z}_q$, generated by an honest $V$, is uniformly distributed. $b = r - cx \in \mathbb{Z}_q$ is uniformly distributed. $b$ depends on $a$ and $c$ by $a = g^b y^c$.
Simulator $(g, y, V)$:
1. select $b' \in \mathbb{Z}_q$ uniformly;
2. select $c' \in \mathbb{Z}_q$ uniformly;
3. let $a' = g^{b'} y^{c'}$, and return $(a', c', b')$.
$(a', c', b')$ has the same distribution as $(a, c, b)$.

50 Remarks:
Suppose the verifier, say $V^*$, is not honest and chooses $c$ non-uniformly.
Q: does the following simulator serve to prove Schnorr's scheme zero-knowledge?
Simulator $(g, y, V^*)$:
1. select $b' \in \mathbb{Z}_q$ uniformly;
2. select $c'$ according to $V^*$'s strategy;
3. let $a' = g^{b'} y^{c'}$, and return $(a', c', b')$.

51 Schnorr's signature scheme: Log-Sign$(m, g, y)$
Use Fiat-Shamir's standard method to convert an interactive identification scheme into a signature scheme.
Idea: use a hash function $h: \{0,1\}^* \to \mathbb{Z}_q$ to compute a challenge $c$ from the commitment $a$ and the message $m$.
To sign message $m$:
1. Compute $a = g^r$, where $r \in_R \mathbb{Z}_q$.
2. Compute $c = h(m \| a)$.
3. Compute $b = r - cx \bmod q$.
4. $\mathrm{Sign}(m) = (c, b)$.
5. $\mathrm{Verify}(m, c, b) = \mathrm{true}$ iff $c = h(m \| g^b y^c)$.
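Schnorr identification (slide 47), the cheating and extraction arguments of slide 48, the honest-verifier simulator of slide 49, and the Log-Sign signature of slide 51, as one added example written for these notes (not code from the slides). Assumptions: the toy group is $p = 1019$, $q = 509$, $g = 4$ (of order $q$ because $2$ is a primitive root mod $1019$); a real deployment uses $q$ of at least 256 bits. The hash $h$ is SHA-256 reduced mod $q$ and the function names are illustrative.

```python
import hashlib
import secrets

# Toy group (assumption): p = 1019, q = 509 with q | p - 1, g = 4 = 2^2 generates
# the order-q subgroup since 2 is a primitive root mod 1019.
P, Q, G = 1019, 509, 4


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)                    # secret x, public y = g^x


def commit():
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)                    # (r, a = g^r)


def respond(r, x, c):
    return (r - c * x) % Q                    # b = r - c x mod q


def check(y, a, c, b):
    return a == pow(G, b, P) * pow(y, c, P) % P   # a == g^b y^c


def identify(x, y):
    r, a = commit()                           # 1. Peggy -> Vic: a
    c = secrets.randbelow(Q)                  # 2. Vic -> Peggy: c
    b = respond(r, x, c)                      # 3. Peggy -> Vic: b
    return check(y, a, c, b)


def cheat(y):
    """Slide 48: Eve guesses c' and commits a = g^r y^{c'}; she wins iff c == c'."""
    c_guess, r = secrets.randbelow(Q), secrets.randbelow(Q)
    a = pow(G, r, P) * pow(y, c_guess, P) % P
    c = secrets.randbelow(Q)
    return check(y, a, c, r)


def extract(c1, b1, c2, b2):
    """Slide 48: two accepting responses for the same a and distinct challenges
    give x = (b1 - b2) / (c2 - c1) mod q."""
    return (b1 - b2) * pow((c2 - c1) % Q, -1, Q) % Q


def hv_simulate(y):
    """Slide 49: honest-verifier simulator, b and c first, then a = g^b y^c."""
    b, c = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(G, b, P) * pow(y, c, P) % P, c, b


def hash_to_zq(*parts):
    data = b"|".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def sign(x, m):
    r, a = commit()
    c = hash_to_zq(m, a)                      # challenge from the hash (Fiat-Shamir)
    return c, respond(r, x, c)


def verify(y, m, sig):
    c, b = sig
    a = pow(G, b, P) * pow(y, c, P) % P       # recompute the commitment
    return c == hash_to_zq(m, a)
```

With the toy $q$ the cheater wins about one run in 509, which is why the test only bounds the count; with a 256-bit $q$ the same code gives the $2^{-256}$ figure the slide has in mind. Note also that reusing $r$ for two signatures lets anyone run `extract` on them, the same algebra as the soundness argument.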
52 Proving Equality of Logarithms (an extension of Schnorr's identification scheme)
Problem: given $g, h, y, z$, Peggy wishes to prove $\log_g y = \log_h z$ $(= x)$.
Protocol:
1. Peggy → Vic: $(a, b) = (g^r, h^r)$, where $r \in_R \mathbb{Z}_q$.
2. Vic → Peggy: $c \in \mathbb{Z}_q$, uniformly chosen at random.
3. Peggy → Vic: $d = r - cx \bmod q$.
4. Vic accepts iff $a = g^d y^c$ and $b = h^d z^c$.

53 Non-interactive version
Fiat-Shamir method: use a collision-resistant hash function $\mathrm{hash}: \{0,1\}^* \to \mathbb{Z}_q$ to post the challenge.
Protocol:
1. Let $(a, b) = (g^r, h^r)$, with $r \in_R \mathbb{Z}_q$.
2. Let $c = \mathrm{hash}(g \| h \| y \| z \| a \| b)$.
3. Let $d = r - cx \pmod q$.
4. Accept iff $c = \mathrm{hash}(g \| h \| y \| z \| g^d y^c \| h^d z^c)$.
Note: this protocol will be used in electronic voting.

54 Proving Partial Equality of Logarithms
Problem: given $g, h, y_1, y_2, z_1, z_2$, Peggy wishes to prove
either $\log_g y_1 = \log_h z_1$ $(= x)$ or $\log_g y_2 = \log_h z_2$ $(= x)$,
but not both, without revealing which one she proves.
Note: this protocol will be used in electronic voting.

55 Case $\log_g y_1 = \log_h z_1$ (Peggy knows $x$ for the first pair):
Peggy chooses $w, r_2, d_2 \in_R \mathbb{Z}_q$ and sets $a_1 = g^w$, $b_1 = h^w$, $a_2 = g^{r_2} y_2^{d_2}$, $b_2 = h^{r_2} z_2^{d_2}$.
Case $\log_g y_2 = \log_h z_2$ (Peggy knows $x$ for the second pair):
Peggy chooses $w, r_1, d_1 \in_R \mathbb{Z}_q$ and sets $a_1 = g^{r_1} y_1^{d_1}$, $b_1 = h^{r_1} z_1^{d_1}$, $a_2 = g^w$, $b_2 = h^w$.
1. Peggy → Vic: $a_1, b_1, a_2, b_2$.
2. Vic → Peggy: $c \in_R \mathbb{Z}_q$.
3. Peggy → Vic: $d_1, d_2, r_1, r_2$, where in the first case $d_1 = c - d_2$ and $r_1 = w - x d_1$, and in the second case $d_2 = c - d_1$ and $r_2 = w - x d_2$.
4. Vic accepts iff $c = d_1 + d_2$, $a_1 = g^{r_1} y_1^{d_1}$, $b_1 = h^{r_1} z_1^{d_1}$, $a_2 = g^{r_2} y_2^{d_2}$, and $b_2 = h^{r_2} z_2^{d_2}$ (exponent arithmetic modulo $q$).
The branch Peggy does not know is simulated exactly as in slide 49; the constraint $c = d_1 + d_2$ leaves her free to choose only one of the two sub-challenges, so she can simulate at most one branch.

56 Easier to understand this one.
Problem: Peggy proves that she knows $\log_g y_1$ or $\log_g y_2$.
Case Peggy knows $x = \log_g y_1$: choose $w, r_2, d_2 \in_R \mathbb{Z}_q$; $a_1 = g^w$, $a_2 = g^{r_2} y_2^{d_2}$.
Case Peggy knows $x = \log_g y_2$: choose $w, r_1, d_1 \in_R \mathbb{Z}_q$; $a_1 = g^{r_1} y_1^{d_1}$, $a_2 = g^w$.
1. Peggy → Vic: $a_1, a_2$.
2. Vic → Peggy: $c \in_R \mathbb{Z}_q$.
3. Peggy → Vic: $d_1, d_2, r_1, r_2$, where in the first case $d_1 = c - d_2$, $r_1 = w - x d_1$, and in the second case $d_2 = c - d_1$, $r_2 = w - x d_2$.
4. Vic accepts iff $c = d_1 + d_2$, $a_1 = g^{r_1} y_1^{d_1}$, and $a_2 = g^{r_2} y_2^{d_2}$.
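The non-interactive equality-of-logarithms proof of slide 53 and the partial-equality (OR) proof of slides 54 and 55, both in their hashed form, as an added example written for these notes (not code from the slides). It also builds the two statements a voter proves about a ballot in slide 83, since that is what these proofs are used for later. Assumptions: the toy group $p = 1019$, $q = 509$, $g = 4$, SHA-256 reduced mod $q$ as the hash, and the function names.

```python
import hashlib
import secrets

P, Q, G = 1019, 509, 4   # toy group (assumption): q | p - 1, g of order q


def hash_to_zq(*parts):
    data = b"|".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_eq(x, h, y, z):
    """Slide 53: non-interactive proof that log_g y = log_h z = x."""
    r = secrets.randbelow(Q)
    a, b = pow(G, r, P), pow(h, r, P)
    c = hash_to_zq(G, h, y, z, a, b)
    return c, (r - c * x) % Q


def verify_eq(h, y, z, proof):
    c, d = proof
    a = pow(G, d, P) * pow(y, c, P) % P
    b = pow(h, d, P) * pow(z, c, P) % P
    return c == hash_to_zq(G, h, y, z, a, b)


def prove_or(x, known, h, ys, zs):
    """Slide 55, hashed: log_g ys[0] = log_h zs[0] OR log_g ys[1] = log_h zs[1].
    The prover knows x for branch `known` (0 or 1); the other branch is
    simulated with a freely chosen sub-challenge d and response r."""
    fake = 1 - known
    w = secrets.randbelow(Q)
    r_f, d_f = secrets.randbelow(Q), secrets.randbelow(Q)
    a = [None, None]
    b = [None, None]
    a[known], b[known] = pow(G, w, P), pow(h, w, P)
    a[fake] = pow(G, r_f, P) * pow(ys[fake], d_f, P) % P
    b[fake] = pow(h, r_f, P) * pow(zs[fake], d_f, P) % P
    c = hash_to_zq(G, h, *ys, *zs, *a, *b)
    d = [None, None]
    r = [None, None]
    d[fake], r[fake] = d_f, r_f
    d[known] = (c - d_f) % Q                  # the real sub-challenge is forced by c = d_1 + d_2
    r[known] = (w - x * d[known]) % Q
    return c, d[0], d[1], r[0], r[1]


def verify_or(h, ys, zs, proof):
    c, d0, d1, r0, r1 = proof
    if (d0 + d1) % Q != c:
        return False
    a = [pow(G, r0, P) * pow(ys[0], d0, P) % P, pow(G, r1, P) * pow(ys[1], d1, P) % P]
    b = [pow(h, r0, P) * pow(zs[0], d0, P) % P, pow(h, r1, P) * pow(zs[1], d1, P) % P]
    return c == hash_to_zq(G, h, *ys, *zs, *a, *b)


def ballot_statement(h, c1, c2):
    """Slide 83: for a ballot (c1, c2) = (g^r, g^v h^r) with v in {+1, -1}, the
    branches are log_g c1 = log_h (c2 g^{-1}) (v = +1) and log_g c1 = log_h (c2 g) (v = -1)."""
    g_inv = pow(G, Q - 1, P)                  # g^{-1} = g^{q-1} since g has order q
    return [c1, c1], [c2 * g_inv % P, c2 * G % P]
```

The verifier's output is the same for either branch, which is what keeps the vote hidden; the only way to pass with a ballot that is neither $+1$ nor $-1$ would be to simulate both branches, and $c = d_1 + d_2$ forbids that.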
57 Commitment Schemes

58 Commitment schemes
Two parties: sender $S$ and receiver $R$.
Scheme:
1. Commit: $S$ sends a message $c_b$, committed to a bit $b$.
2. Reveal: $S$ sends an additional message $m_b$ to reveal $b$.
3. Verify: $R(c_b, m_b) = \mathrm{accept}$ iff the committed bit equals the revealed bit.
Security requirements:
1. Hiding: $R$ cannot learn anything about $b$ from $c_b$.
2. Binding: $S$ cannot change the committed bit without being detected.

59 Hiding:
Computationally hiding: $R$ cannot learn $b$ in polynomial time.
Unconditionally hiding: $R$ absolutely cannot learn $b$.
Binding:
Computationally binding: $S$ cannot change $b$ in polynomial time.
Unconditionally binding: $S$ absolutely cannot change $b$.

60 An application: coin tossing by email or phone
Problem: Alice and Bob want to toss a coin by email to decide who wins.
Protocol:
1. Alice sends $c_b$ to Bob, committed to a random bit $b$.
2. Bob generates a random bit $b'$ and sends it to Alice.
3. Alice reveals her committed bit $b$ to Bob.
4. Bob verifies that $R(c_b, b) = \mathrm{accept}$, and both parties agree on the outcome $b \oplus b'$.
Note: if $b$ or $b'$ is random then $b \oplus b'$ is random.

61 Using symmetric encryption
Protocol:
1. Commit: to commit a value $m$, Alice sends $c = E_k(m)$ to Bob, where $k$ is a symmetric encryption key chosen by Alice.
2. Reveal: Alice sends $k$ to Bob.
3. Verify: Bob accepts the value $m = D_k(c)$.
Question: does it meet the hiding and binding requirements?

62 Using public-key encryption
Protocol:
1. Commit: to commit a value $m$, Alice generates a pair of keys $(pk, sk)$ and sends $c = E_{pk}(m)$ along with $pk$ (and system parameters) to Bob.
2. Reveal: Alice sends to Bob $m$, $sk$, and the random coins used in her computing of $E_{pk}(m)$.
3. Verify: Bob accepts $m$ if $E_{pk}(m) = c$ using the revealed random coins, and the revealed $pk$, $sk$ and system parameters match.
Question: does it meet the hiding and binding requirements?

63 Quadratic Residues
Let $n = pq$; $p$ and $q$ large primes.
Quadratic residues: elements in $\mathbb{Z}_n^*$ which are a square.
$\mathrm{QR}_n$ = the subgroup of quadratic residues in $\mathbb{Z}_n^*$.
$\mathrm{QNR}_n = \mathbb{Z}_n^* \setminus \mathrm{QR}_n$ = the quadratic non-residues in $\mathbb{Z}_n^*$.
Euler's criterion: $\left(\frac{x}{p}\right) \equiv x^{(p-1)/2} \pmod p$.
Legendre symbol: $\left(\frac{x}{p}\right) = +1$ if $[x] \in \mathrm{QR}_p$ ($x$ is a square); $-1$ if $[x] \in \mathrm{QNR}_p$ (not a square); $0$ if $[x] = 0$.
Jacobi symbol: $\left(\frac{x}{n}\right) = \left(\frac{x}{p}\right)\left(\frac{x}{q}\right)$.

64 Quadratic Residues (cont'd)
Thus $\left(\frac{x}{n}\right) = 1$ iff $\left(\frac{x}{p}\right) = \left(\frac{x}{q}\right) = \pm 1$.
$x$ is a quadratic residue in $\mathbb{Z}_n^*$ iff $\left(\frac{x}{p}\right) = \left(\frac{x}{q}\right) = 1$.
If $\left(\frac{x}{n}\right) = -1$, then $x$ is not a quadratic residue in $\mathbb{Z}_n^*$.
If $\left(\frac{x}{n}\right) = 1$, $x$ may or may not be a quadratic residue in $\mathbb{Z}_n^*$.
Quadratic residuosity assumption: without knowing the factors of $n = pq$, it is intractable to determine whether an $x \in \mathbb{Z}_n^*$ with $\left(\frac{x}{n}\right) = 1$ is a quadratic residue.
$\mathrm{QNR}_n^{+1}$: the set of quadratic non-residues in $\mathbb{Z}_n^*$ with Jacobi symbol $1$.

65 QR-based commitment scheme (ideas)
Let $b$ be the committed bit, $b \in \{0, 1\}$. Bind $b$ to a predicate (T or F) which is hard to determine.
Quadratic residuosity assumption: without knowing the factors of $n = pq$, it is intractable to determine whether an $x \in \mathbb{Z}_n^*$ with $\left(\frac{x}{n}\right) = 1$ is a quadratic residue.
Use $b$ to produce a number $x_b$ with $\left(\frac{x_b}{n}\right) = 1$ such that $b = 0 \Leftrightarrow x_b$ is a quadratic residue and $b = 1 \Leftrightarrow x_b$ is not a quadratic residue.

66 QR-based commitment scheme
1. System setup: $S$ chooses $n = pq$ and $g \in \mathrm{QNR}_n^{+1}$.
2. Commit ($S \to R$): $(n, g, c)$, where $c = r^2 g^b$, $r \in_R \mathbb{Z}_n^*$, and $b$ is the bit being committed.
3. Reveal ($S \to R$): $(p, q, r, b)$.
Verify: $R$ accepts $b$ if $n = pq$, $r \in \mathbb{Z}_n^*$, $g \in \mathrm{QNR}_n^{+1}$, and $c = r^2 g^b$.

67 Security
1. (Computational) Hiding: $c = r^2 g^b$ is a random element with $\left(\frac{c}{n}\right) = 1$. Further, $c$ is a square ($c \in \mathrm{QR}_n$) iff $b = 0$. If $R$ can tell whether $b = 0$, then he can tell whether $c$ is a square, contradicting the QR assumption.
2. (Unconditional) Binding: once $S$ is committed to $b$, $c$ is either a square or a non-square. $S$ cannot change her commitment without being caught.
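The QR-based commitment of slide 66 with the Jacobi symbol computed by reciprocity (the receiver's only tool, since he does not know $p$ and $q$) and Euler's criterion (the sender's tool, and the verifier's after reveal), as an added example written for these notes, not code from the slides. Assumptions: the toy factors are the Mersenne primes $2^{31}-1$ and $2^{61}-1$ (real use needs ~1024-bit primes), and the function names are illustrative.

```python
import secrets
from math import gcd

# Toy factors (assumption): Mersenne primes 2^31 - 1 and 2^61 - 1.
P_, Q_ = 2**31 - 1, 2**61 - 1


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, by quadratic reciprocity, no factoring needed."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:                     # (2/n) = -1 iff n = 3 or 5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                           # reciprocity: sign flips iff both are 3 mod 4
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def legendre(a, p):
    """Euler's criterion: a^((p-1)/2) mod p is +1 for squares and -1 for non-squares."""
    s = pow(a, (p - 1) // 2, p)
    return -1 if s == p - 1 else s


def setup(p=P_, q=Q_):
    """Sender picks n = pq and g with (g/p) = (g/q) = -1: a non-residue with Jacobi symbol +1."""
    n = p * q
    g = 2
    while not (legendre(g, p) == -1 and legendre(g, q) == -1):
        g += 1
    return n, g


def commit(n, g, bit):
    """c = r^2 g^b mod n: a square iff b = 0, but (c/n) = 1 either way."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    return pow(r, 2, n) * pow(g, bit, n) % n, r


def verify(c, p, q, g, r, bit):
    """Receiver's check after reveal, exactly the four conditions of slide 66."""
    n = p * q
    return (legendre(g, p) == -1 and legendre(g, q) == -1 and gcd(r, n) == 1
            and c == pow(r, 2, n) * pow(g, bit, n) % n)


def receiver_view(c, n):
    """All the receiver can compute before reveal: the Jacobi symbol, which is 1 for both bits."""
    return jacobi(c, n)


def open_with_factors(c, p, q):
    """Whoever knows p and q reads the bit: c is a square mod n iff it is a square mod p and mod q."""
    return 0 if legendre(c, p) == 1 and legendre(c, q) == 1 else 1
```

`open_with_factors` is the reason hiding is only computational: the bit is fully determined by $c$ and $n$, and the receiver is kept from it only by the cost of factoring.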
68 DL-based commitment scheme
1. System setup (known to $S$ and $R$): $p, q$ large primes with $q \mid p - 1$; $G_q$ the unique subgroup of order $q$ of $\mathbb{Z}_p^*$; $g, h$ generators of $G_q$, $h$ random; $G_q = \{g^0, g^1, \ldots, g^{q-1}\} = \{h^0, h^1, \ldots, h^{q-1}\}$.
2. Commit ($S \to R$): $c = g^r h^m$, where $r \in_R \mathbb{Z}_q$ and $m \in \mathbb{Z}_q$ is the value being committed.
3. Reveal ($S \to R$): $(r, m)$.
4. Verify: $R$ accepts $m$ if $c = g^r h^m$.

69 Security
1. (Unconditional) Hiding: for any $m$, $c = g^r h^m$ is uniformly distributed over $G_q$; hence $m$ is perfectly hidden from $R$.
2. (Computational) Binding: $S$ can change her commitment iff she knows $(r, m)$ and $(r', m')$ with $m \ne m'$ such that $g^r h^m = g^{r'} h^{m'}$, i.e., $g^{r - r'} = h^{m' - m}$, i.e., $\log_g h = (r - r')(m' - m)^{-1} \bmod q$, contradicting the DL assumption.
Note: computations like $g^r h^m$ are done modulo $p$; exponents and logarithms are computed modulo $q$.

70 Q: what if we change the commitment to the following?
$c = h^{mr}$ (without using $g$); or $c = g^{r + m}$ (namely, $g = h$).
Q: who should generate $p, q, g, h$?
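The DL-based (Pedersen) commitment of slide 68, used for the coin toss of slide 60, together with the answer to slide 70's last question: whoever knows $\log_g h$ can open a commitment to any value, so $h$ must not be chosen by the sender. This is an added example written for these notes, not code from the slides; the toy group $p = 1019$, $q = 509$, $g = 4$ and the function names are assumptions.

```python
import secrets

P, Q, G = 1019, 509, 4   # toy group (assumption): q | p - 1, g of order q


def setup():
    """h = g^t with t random. The party that knows t = log_g h has a trapdoor,
    so h should be chosen by the receiver or derived from a public hash;
    t is returned here only to demonstrate that trapdoor."""
    t = secrets.randbelow(Q - 1) + 1
    return pow(G, t, P), t


def commit(h, m):
    r = secrets.randbelow(Q)
    return pow(G, r, P) * pow(h, m, P) % P, r      # c = g^r h^m, opening r


def verify(h, c, r, m):
    return c == pow(G, r, P) * pow(h, m, P) % P


def equivocate(t, r, m, m_new):
    """With t = log_g h: g^r h^m = g^{r'} h^{m'} iff r' = r + t (m - m') mod q,
    which is exactly the relation slide 69 says a binding-breaker must know."""
    return (r + t * (m - m_new)) % Q


def coin_toss(h, alice_bit, bob_bit):
    """Slide 60. 1. Alice commits to b. 2. Bob sends b'. 3. Alice opens.
    4. Bob verifies and both take b xor b'. Returns None if the opening fails."""
    c, r = commit(h, alice_bit)                    # Alice -> Bob: c
    # Bob -> Alice: bob_bit, chosen without learning alice_bit (hiding)
    if not verify(h, c, r, alice_bit):             # Alice -> Bob: (r, b); Bob checks
        return None
    return alice_bit ^ bob_bit
```

If Alice had generated $h$ herself she would hold $t$, wait for Bob's bit, and then use `equivocate` to open her commitment to whichever bit makes her win; the binding argument of slide 69 holds only against a sender who does not know $\log_g h$.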
71 Impossibility of unconditional binding & hiding
It is impossible to have a commitment scheme which is both unconditionally binding and unconditionally hiding.
Otherwise, let $C: \{0,1\}^s \times \{0,1\} \to \{0,1\}^n$ be such a scheme.
$C$ is unconditionally hiding $\Rightarrow$ when $S$ sends a commitment $c = C(r, b)$, there exists $(r', b')$, $b' \ne b$, such that $C(r', b') = c$. (Otherwise, $R$ can find $b$ by computing a pre-image of $c$.)
$C$ is unconditionally binding $\Rightarrow$ there exists no such $(r', b')$ (otherwise, $S$ can find it and change her commitment).

72 Secret Sharing

73 Threshold secret sharing
$(t, n)$-threshold secret sharing scheme, $t \le n$: a secret $s$ is divided by a trusted authority into $n$ shares $s_i$, each given to a user $u_i$, $1 \le i \le n$. Any $t$ or more users together can recover $s$. $t - 1$ or fewer users cannot recover $s$.

74 Shamir's threshold secret sharing scheme
1. Select a prime $p > \max(s, n)$.
2. Construct a $(t-1)$-degree polynomial $f(x) = \sum_{i=0}^{t-1} a_i x^i$, where $a_0 = s$ and $a_1, \ldots, a_{t-1} \in_R \mathbb{Z}_p$.
3. Choose $n$ distinct values $x_1, \ldots, x_n \in \mathbb{Z}_p^*$.
4. Share $s_i = (x_i, y_i)$, where $y_i = f(x_i) \bmod p$, $1 \le i \le n$.

75 Given $t$ shares $(x_i, y_i)$, $i \in J$, where $|J| = t$, $f(x)$ and $s$ can be recovered using Lagrange's interpolation formula:
$$f(x) = \sum_{i \in J} y_i \prod_{j \in J \setminus \{i\}} \frac{x - x_j}{x_i - x_j}$$
$$s = a_0 = f(0) = \sum_{i \in J} y_i \prod_{j \in J \setminus \{i\}} \frac{x_j}{x_j - x_i} = \sum_{i \in J} y_i \lambda_i$$

76 Electronic Vote

77 A multi-authority election scheme
1. Participants: a trusted center, $n$ authorities, $m$ voters.
2. Participants post their messages to a bulletin board.
3. The trusted center sets up parameters for the scheme.
4. Each vote, yes or no, is encrypted using a homomorphic public-key cryptosystem (e.g. ElGamal).
5. The decryption key $s$ is divided among the $n$ authorities using a $(t, n)$-threshold scheme.
6. If $t$ authorities are honest, the votes can be tallied correctly without decrypting individual votes.

78 System setup (by the trusted center)
1. For ElGamal encryption (same as in DSA): choose two large primes $p$ and $q$ such that $q \mid (p - 1)$; choose an element $g \in \mathbb{Z}_p^*$ of order $q$, $G_q = \langle g \rangle$; choose a secret key $s \in \mathbb{Z}_q$ and compute the public key $h = g^s \bmod p$.
2. For the Shamir $(t, n)$-threshold scheme: choose a $(t-1)$-degree polynomial $f(x) = \sum_{i=1}^{t-1} a_i x^i + s$; let $x_i = i$, and compute $s_i = f(x_i)$ and $h_i = g^{s_i}$, $1 \le i \le n$. Give share $(x_i, s_i)$ to authority $A_i$.
3. Publish $(p, q, g, h, h_1, \ldots, h_n)$ on the bulletin board.

79 Vote casting
Each voter $V_i$ casts his vote $v_i \in \{1, -1\}$ as
$$c_i = (c_{i,1}, c_{i,2}) = (g^{r_i}, g^{v_i} h^{r_i})$$
on the bulletin board, where $v_i$ is first encoded as $g^{v_i}$ and then encrypted by ElGamal encryption.
Each ballot $c_i$ is signed by its voter $V_i$. $V_i$ also has to prove that he follows the protocol and forms $c_i$ correctly, or his vote will be invalid.

80 Tally computing
Everyone can compute
$$c = (c_1, c_2) = \prod_{i=1}^{m} (c_{i,1}, c_{i,2}) = \left(g^{\sum_i r_i}, g^{d} h^{\sum_i r_i}\right),$$
which is an encryption of $g^d$, where $d = \sum_{i=1}^{m} v_i$ is the difference between yes votes and no votes.
Decrypt $c$ to recover $g^d = c_2 c_1^{-s}$.
Find $d$ by computing $g^{-m}, \ldots, g^{m}$ and comparing with $g^d$.

81 Decrypting $c = (c_1, c_2)$ without knowing $s$
Recall that $D_s(c) = c_2 c_1^{-s}$, and $s = \sum_{i \in J} \lambda_i s_i$ if there is a group $J$ of $t$ honest authorities.
Each authority $A_i$ posts $(x_i, w_i)$, where $w_i = c_1^{s_i}$, and proves that she is honest.
Check if there is a set $J$ of $t$ honest authorities; if so, compute the coefficients $\lambda_i$ from $\{x_i : i \in J\}$.
Compute $c_1^{s} = c_1^{\sum_{i \in J} \lambda_i s_i} = \prod_{i \in J} c_1^{s_i \lambda_i} = \prod_{i \in J} w_i^{\lambda_i}$.

82 Authority's proof of honesty
Each authority $A_i$ has to prove that she really posts $w_i = c_1^{s_i}$, where $s_i$ is her share of the secret key $s$.
Recall that $h_i = g^{s_i}$ is published on the bulletin board. Thus, $A_i$ can prove her honesty by showing $\log_{c_1} w_i = \log_g h_i$.
This can be done using the non-interactive version of proving equal logarithms.

83 Voter's proof of honesty
Each voter has to prove that his vote is of the form $(c_1, c_2) = (g^r, g^v h^r)$ with $v \in \{1, -1\}$.
Depending on his vote:
if $v = 1$, he proves $\log_g c_1 = \log_h (c_2 g^{-1})$;
if $v = -1$, he proves $\log_g c_1 = \log_h (c_2 g)$.
Harder than the problem of the authority's proof, because the voter doesn't want to reveal which one is proved.
84 Extension to multi-way elections
If there are $l$ options, choose $l$ generators $g_1, \ldots, g_l$ in $G_q$, and encode option $j$ by $g_j$.
Voter $V_i$ encrypts his vote $v_i \in \{g_1, \ldots, g_l\}$ as $c_i = (c_{i,1}, c_{i,2}) = (g^{r_i}, h^{r_i} v_i)$, where $r_i \in_R \mathbb{Z}_q$.
Tally: compute $(c_1, c_2) = \prod_{i=1}^{m} (c_{i,1}, c_{i,2}) = \left(g^{\sum_i r_i}, h^{\sum_i r_i} g_1^{d_1} \cdots g_l^{d_l}\right)$, where $d_j$ is the number of votes for option $j$.
Decrypt $(c_1, c_2)$ by computing $c_2 c_1^{-s} = g_1^{d_1} g_2^{d_2} \cdots g_l^{d_l}$.
Find the exponents $(d_1, \ldots, d_l)$ by searching.
85 Eliminating the trusted center
86 Blind Signature

87 Blind signature
Enables the signer to sign a message without seeing its content.
Suppose the signer has signed more than one message. When a signed message is presented to the signer, she can verify whether it is her signature, but she cannot link the signed message to any particular transaction.
Application: digital cash.

88 RSA-based blind signature
Note: Peggy's valid signature for $m$ is $m^d \bmod n$.
1. Vic → Peggy: $a = m r^e \bmod n$, $r \in_R \mathbb{Z}_n^*$. (Masks $m$ with $r$.)
2. Peggy → Vic: $b = a^d \bmod n$. (Peggy signs $a$.)
3. Vic computes Peggy's signature for $m$ as $s = b r^{-1} \bmod n$ $(= m^d \bmod n)$.
Idea: the RSA signature is homomorphic: $\mathrm{RSA}(m m') = \mathrm{RSA}(m)\,\mathrm{RSA}(m')$.
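The RSA blind signature of slide 88 with both roles separated, as an added example written for these notes (not code from the slides). Assumptions: the toy modulus is the product of the Mersenne primes $2^{31}-1$ and $2^{61}-1$ with $e = 65537$ (real keys are 2048 bits or more), the signed value is a SHA-256 digest of the message reduced mod $n$, and the function names are illustrative.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key (assumption): the Mersenne primes 2^31 - 1 and 2^61 - 1.
P_, Q_ = 2**31 - 1, 2**61 - 1
N = P_ * Q_
E = 65537
D = pow(E, -1, (P_ - 1) * (Q_ - 1))       # Peggy's private exponent


def h(msg):
    """Map the message into Z_n; Peggy signs a digest, never raw text."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def blind(m):
    """Vic: a = m r^e mod n with a random unit r, kept secret for unblinding."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return m * pow(r, E, N) % N, r


def sign_blinded(a):
    """Peggy: b = a^d mod n. She sees only a, which is uniformly random in Z_n^*."""
    return pow(a, D, N)


def unblind(b, r):
    """Vic: s = b r^{-1} = (m r^e)^d r^{-1} = m^d r r^{-1} = m^d mod n."""
    return b * pow(r, -1, N) % N


def verify(m, s):
    return pow(s, E, N) == m


def blind_signature(msg):
    """Full exchange; returns the digest, what Peggy saw, and the final signature."""
    m = h(msg)
    a, r = blind(m)
    s = unblind(sign_blinded(a), r)
    return m, a, s
```

Because $a$ is $m$ multiplied by a uniformly random $e$-th power, Peggy's record of the transaction ($a$, $b$) is statistically independent of the pair ($m$, $s$) presented to her later, which is the unlinkability slide 87 asks for. The same homomorphism is why a signer must never blindly sign arbitrary values in a system that also uses the key for something else.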
89 Schnorr's blind signature scheme (idea)
If $\tau' = (a', c', b')$ is an accepting transcript of Proof-Log$(g, y)$ (i.e., $a' = g^{b'} y^{c'}$), then $\tau = (a, c, b)$ is also an accepting transcript of Proof-Log$(g, y)$, where
$a = a'^{u} g^{v} y^{w}$, $c = uc' + w$, $b = ub' + v$, with $u, v, w \in_R \mathbb{Z}_q$.
Indeed, $a = a'^{u} g^{v} y^{w} = g^{ub'} y^{uc'} g^{v} y^{w} = g^{ub' + v} y^{uc' + w} = g^b y^c$.

90 Schnorr's blind signature scheme
Blind-Log-Sign$(m, g, y)$:
1. Peggy → Vic: $a' = g^{r'}$, where $r' \in_R \mathbb{Z}_q$.
2. Vic → Peggy: $c' = (c - w) u^{-1} \bmod q$, where $u, v, w \in_R \mathbb{Z}_q$, $u \ne 0$, $a = a'^{u} g^{v} y^{w}$, and $c = h(m \| a)$.
3. Peggy → Vic: $b' = r' - c' x \bmod q$.
4. Vic verifies whether $a' = g^{b'} y^{c'}$, computes $b = ub' + v \bmod q$, and gets the signature $\sigma(m) = (c, b)$.
$\mathrm{Verify}(m, c, b) = \mathrm{true}$ iff $c = h(m \| g^b y^c)$.
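Blind-Log-Sign of slide 90 with the transcript blinding of slide 89 made explicit, as an added example written for these notes (not code from the slides). Assumptions: the toy group $p = 1019$, $q = 509$, $g = 4$, SHA-256 reduced mod $q$ as $h$, and the function names; Peggy's primed values are the signer side, Vic's unprimed ones the user side.

```python
import hashlib
import secrets

P, Q, G = 1019, 509, 4   # toy group (assumption): q | p - 1, g of order q


def hash_to_zq(*parts):
    data = b"|".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


# ---- Peggy (signer): an ordinary Schnorr prover, unaware of m ----
def signer_commit():
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)                          # 1. a' = g^{r'}


def signer_respond(r, x, c_blind):
    return (r - c_blind * x) % Q                    # 3. b' = r' - c' x


# ---- Vic (user) ----
def user_blind(y, a_blind, m):
    """2. Pick u != 0, v, w; a = a'^u g^v y^w; c = h(m || a); send c' = (c - w) u^{-1}."""
    u = secrets.randbelow(Q - 1) + 1
    v, w = secrets.randbelow(Q), secrets.randbelow(Q)
    a = pow(a_blind, u, P) * pow(G, v, P) % P * pow(y, w, P) % P
    c = hash_to_zq(m, a)
    c_blind = (c - w) * pow(u, -1, Q) % Q
    return c_blind, (u, v, w, a, c)


def user_unblind(y, a_blind, c_blind, b_blind, state):
    """4. Check a' = g^{b'} y^{c'}, then b = u b' + v; signature (c, b)."""
    u, v, w, a, c = state
    if a_blind != pow(G, b_blind, P) * pow(y, c_blind, P) % P:
        return None                                 # Peggy misbehaved
    return c, (u * b_blind + v) % Q


def verify(y, m, sig):
    c, b = sig
    return c == hash_to_zq(m, pow(G, b, P) * pow(y, c, P) % P)


def blind_sign(x, y, m):
    """Whole exchange; returns the signature and what Peggy saw (a', c', b')."""
    r, a_blind = signer_commit()
    c_blind, state = user_blind(y, a_blind, m)
    b_blind = signer_respond(r, x, c_blind)
    return user_unblind(y, a_blind, c_blind, b_blind, state), (a_blind, c_blind, b_blind)
```

Peggy's view $(a', c', b')$ relates to the final $(a, c, b)$ only through $(u, v, w)$, which Vic never reveals; for any signature later shown to her there is exactly one $(u, v, w)$ mapping each of her past transcripts to it, so she cannot tell which session produced it.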
More informationCalculation of time complexity (3%)
Problem 1. (30%) Calculaton of tme complexty (3%) Gven n ctes, usng exhaust search to see every result takes O(n!). Calculaton of tme needed to solve the problem (2%) 40 ctes:40! dfferent tours 40 add
More informationProactive Linear Integer Secret Sharing
Proactve Lnear Integer Secret Sharng Rune Thorbek BRICS, Dept. of Computer Scence, Unversty of Aarhus Abstract. In [3] Damgard and Thorbek proposed the lnear nteger secret sharng (LISS) scheme. In ths
More informationClassical Encryption and Authentication under Quantum Attacks
Classcal Encrypton and Authentcaton under Quantum Attacks arxv:1307.3753v1 [cs.cr] 14 Jul 2013 Mara Velema July 12, 2013 Abstract Post-quantum cryptography studes the securty of classcal,.e. non-quantum
More informationA Commitment-Consistent Proof of a Shuffle
A Commtment-Consstent Proof of a Shuffle Douglas Wkström CSC KTH Stockholm, Sweden dog@csc.kth.se Aprl 2, 2011 Abstract We ntroduce a pre-computaton technque that drastcally reduces the onlne computatonal
More informationLecture 3: Probability Distributions
Lecture 3: Probablty Dstrbutons Random Varables Let us begn by defnng a sample space as a set of outcomes from an experment. We denote ths by S. A random varable s a functon whch maps outcomes nto the
More informationA Model of Bilinear-Pairings Based Designated-Verifier Proxy Signatue Scheme*
A Model of Blnear-Parngs Based Desgnated-Verfer Proxy Sgnatue Scheme Fengyng L,, Qngshu Xue, Jpng Zhang, Zhenfu Cao Department of Educaton Informaton Technology, East Chna Normal Unversty, 0006, Shangha,
More informationBorn and raised distributively: Fully distributed non-interactive adaptively-secure threshold signatures with short shares
Publshed n Theoretcal Computer Scence, 645: 24, 206 Born and rased dstrbutvely: Fully dstrbuted non-nteractve adaptvely-secure threshold sgnatures wth short shares Benoît Lbert Ecole Normale Supéreure
More informationRound Efficient Unconditionally Secure Multiparty Computation Protocol
Round Effcent Uncondtonally Secure Multparty Computaton Protocol Arpta Patra Ashsh Choudhary C. Pandu Rangan Department of Computer Scence and Engneerng Indan Insttute of Technology Madras Chenna Inda
More informationAlgebraic partitioning: Fully compact and (almost) tightly secure cryptography
Algebrac parttonng: Fully compact and (almost) tghtly secure cryptography Denns Hofhenz October 12, 2015 Abstract We descrbe a new technque for conductng parttonng arguments. Parttonng arguments are a
More informationSecure and practical identity-based encryption
Secure and practcal dentty-based encrypton D. Naccache Abstract: A varant of Waters dentty-based encrypton scheme wth a much smaller system parameters sze (only a few klobytes) s presented. It s shown
More informationLeakage-Resilient Identification Schemes from Zero-Knowledge Proofs of Storage
Leakage-Reslent Identfcaton Schemes from Zero-Knowledge Proofs of Storage Guseppe Atenese Sapenza, Unversty of Rome atenese@d.unroma1.t Antono Faono Aarhus Unversty antfa@cs.au.dk Seny Kamara Mcrosoft
More informationDecentralized Multi-Client Functional Encryption for Inner Product
Ths paper s a slght varant of the Extended Abstract that appears n Advances n Cryptology ASIACRYPT 2018 (December 2 6, Brsbane, Australa) Sprnger-Verlag, LNCS?????, pages??????. Decentralzed Mult-Clent
More informationEfficient Ring Signatures Without Random Oracles
Effcent Rng Sgnatures Wthout Random Oracles Hovav Shacham hovav.shacham@wezmann.ac.l Brent Waters bwaters@csl.sr.com Abstract We descrbe the frst effcent rng sgnature scheme secure, wthout random oracles,
More informationFoundations of Arithmetic
Foundatons of Arthmetc Notaton We shall denote the sum and product of numbers n the usual notaton as a 2 + a 2 + a 3 + + a = a, a 1 a 2 a 3 a = a The notaton a b means a dvdes b,.e. ac = b where c s an
More informationPh 219a/CS 219a. Exercises Due: Wednesday 12 November 2008
1 Ph 19a/CS 19a Exercses Due: Wednesday 1 November 008.1 Whch state dd Alce make? Consder a game n whch Alce prepares one of two possble states: ether ρ 1 wth a pror probablty p 1, or ρ wth a pror probablty
More informationDigital Signatures. p1.
Digital Signatures p1. Digital Signatures Digital signature is the same as MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem. Message m MAC k (m) Message
More informationImproving the Round Complexity of VSS in Point-to-Point Networks
Improvng the Round Complexty of VSS n Pont-to-Pont Networks Jonathan Katz Chu-Yuen Koo Rant Kumaresan Abstract We revst the followng queston: what s the optmal round complexty of verfable secret sharng
More informationTHE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens
THE CHINESE REMAINDER THEOREM KEITH CONRAD We should thank the Chnese for ther wonderful remander theorem. Glenn Stevens 1. Introducton The Chnese remander theorem says we can unquely solve any par of
More informationExercises of Chapter 2
Exercses of Chapter Chuang-Cheh Ln Department of Computer Scence and Informaton Engneerng, Natonal Chung Cheng Unversty, Mng-Hsung, Chay 61, Tawan. Exercse.6. Suppose that we ndependently roll two standard
More informationPost-quantum Key Exchange Protocol Using High Dimensional Matrix
Post-quantum Key Exchange Protocol Usng Hgh Dmensonal Matrx Rchard Megrelshvl I. J. Tbls State Unversty rchard.megrelshvl@tsu.ge Melksadeg Jnkhadze Akak Tseretel State Unversty Kutas, Georga mn@yahoo.com
More informationMin Cut, Fast Cut, Polynomial Identities
Randomzed Algorthms, Summer 016 Mn Cut, Fast Cut, Polynomal Identtes Instructor: Thomas Kesselhem and Kurt Mehlhorn 1 Mn Cuts n Graphs Lecture (5 pages) Throughout ths secton, G = (V, E) s a mult-graph.
More informationAlgorithms for factoring
CSA E0 235: Crytograhy Arl 9,2015 Instructor: Arta Patra Algorthms for factorng Submtted by: Jay Oza, Nranjan Sngh Introducton Factorsaton of large ntegers has been a wdely studed toc manly because of
More informationarxiv: v1 [cs.cr] 22 Oct 2018
CRYPTOGRAPHIC ANALYSIS OF THE MODIFIED MATRIX MODULAR CRYPTOSYSTEM arxv:181109876v1 [cscr] 22 Oct 2018 VITALIĬ ROMAN KOV Abstract We show that the Modfed Matrx Modular Cryptosystem proposed by SK Rososhek
More informationStanford University CS254: Computational Complexity Notes 7 Luca Trevisan January 29, Notes for Lecture 7
Stanford Unversty CS54: Computatonal Complexty Notes 7 Luca Trevsan January 9, 014 Notes for Lecture 7 1 Approxmate Countng wt an N oracle We complete te proof of te followng result: Teorem 1 For every
More informationAlgebraic properties of polynomial iterates
Algebrac propertes of polynomal terates Alna Ostafe Department of Computng Macquare Unversty 1 Motvaton 1. Better and cryptographcally stronger pseudorandom number generators (PRNG) as lnear constructons
More informationNotes on Frequency Estimation in Data Streams
Notes on Frequency Estmaton n Data Streams In (one of) the data streamng model(s), the data s a sequence of arrvals a 1, a 2,..., a m of the form a j = (, v) where s the dentty of the tem and belongs to
More informationEfficient many-party controlled teleportation of multi-qubit quantum information via entanglement
Effcent many-party controlled teleportaton of mult-qut quantum nformaton va entanglement Chu-Png Yang, Shh-I Chu, Syuan Han Physcal Revew A, 24 Presentng: Vctora Tchoudakov Motvaton Teleportaton va the
More informationSome Consequences. Example of Extended Euclidean Algorithm. The Fundamental Theorem of Arithmetic, II. Characterizing the GCD and LCM
Example of Extended Eucldean Algorthm Recall that gcd(84, 33) = gcd(33, 18) = gcd(18, 15) = gcd(15, 3) = gcd(3, 0) = 3 We work backwards to wrte 3 as a lnear combnaton of 84 and 33: 3 = 18 15 [Now 3 s
More informationCryptanalysis of a Public-key Cryptosystem Using Lattice Basis Reduction Algorithm
www.ijcsi.org 110 Cryptanalyss of a Publc-key Cryptosystem Usng Lattce Bass Reducton Algorthm Roohallah Rastagh 1, Hamd R. Dall Oskoue 2 1,2 Department of Electrcal Engneerng, Aeronautcal Unversty of Snce
More informationRound and Communication Efficient Unconditionally-secure MPC with t < n/3 in Partially Synchronous Network
Round and Communcaton Effcent Uncondtonally-secure MPC wth t < n/3 n Partally Synchronous Network Ashsh Choudhury Arpta Patra Dvya Rav Abstract In ths work, we study uncondtonally-secure mult-party computaton
More informationNon-Malleable Extractors and Symmetric Key Cryptography from Weak Secrets
Non-Malleable Extractors and Symmetrc Key Cryptography from Weak Secrets Yevgeny Dods Danel Wchs Aprl 6, 2009 Abstract We study the queston of basng symmetrc key cryptography on weak secrets. In ths settng,
More information} Often, when learning, we deal with uncertainty:
Uncertanty and Learnng } Often, when learnng, we deal wth uncertanty: } Incomplete data sets, wth mssng nformaton } Nosy data sets, wth unrelable nformaton } Stochastcty: causes and effects related non-determnstcally
More informationAggregate Message Authentication Codes
Aggregate Message Authentcaton Codes Jonathan Katz Dept. of Computer Scence Unversty of Maryland, USA. jkatz@cs.umd.edu Yehuda Lndell Dept. of Computer Scence Bar-Ilan Unversty, Israel. lndell@cs.bu.ac.l.
More informationImplementation and Detection
1 December 18 2014 Implementaton and Detecton Htosh Matsushma Department of Economcs Unversty of Tokyo 2 Ths paper consders mplementaton of scf: Mechansm Desgn wth Unqueness CP attempts to mplement scf
More informationThe Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction
ECONOMICS 5* -- NOTE (Summary) ECON 5* -- NOTE The Multple Classcal Lnear Regresson Model (CLRM): Specfcaton and Assumptons. Introducton CLRM stands for the Classcal Lnear Regresson Model. The CLRM s also
More informationHMMT February 2016 February 20, 2016
HMMT February 016 February 0, 016 Combnatorcs 1. For postve ntegers n, let S n be the set of ntegers x such that n dstnct lnes, no three concurrent, can dvde a plane nto x regons (for example, S = {3,
More informationAugmented Broadcaster Identity-based Broadcast Encryption
Augmented Broadcaster Identty-based Broadcast Encrypton Janhong Zhang Yuwe Xu Zhpeng Chen Insttuton of Image Processng and Pattern Recognton North Chna Unversty of Technology Bejng Chna 100144 ywxupaper@163com
More informationFurther Lower Bounds for Structure-Preserving Signatures in Asymmetric Bilinear Groups
Further Lower Bounds for Structure-Preservng Sgnatures n Asymmetrc Blnear Groups Essam Ghadaf Unversty of the West of England, Brstol, UK essam.ghadaf@gmal.com Abstract. Structure-Preservng Sgnatures (SPSs
More informationSecure Two-Party k-means Clustering
Secure Two-Party k-means Clusterng Paul Bunn Rafal Ostrovsky ABSTRACT The k-means Clusterng problem s one of the most-explored problems n data mnng to date. Wth the advent of protocols that have proven
More informationa b a In case b 0, a being divisible by b is the same as to say that
Secton 6.2 Dvsblty among the ntegers An nteger a ε s dvsble by b ε f there s an nteger c ε such that a = bc. Note that s dvsble by any nteger b, snce = b. On the other hand, a s dvsble by only f a = :
More informationPRIME NUMBER GENERATION BASED ON POCKLINGTON S THEOREM
PRIME NUMBER GENERATION BASED ON POCKLINGTON S THEOREM Alexandros Papankolaou and Song Y. Yan Department of Computer Scence, Aston Unversty, Brmngham B4 7ET, UK 24 October 2000, Receved 26 June 2001 Abstract
More informationThe Synchronous 8th-Order Differential Attack on 12 Rounds of the Block Cipher HyRAL
The Synchronous 8th-Order Dfferental Attack on 12 Rounds of the Block Cpher HyRAL Yasutaka Igarash, Sej Fukushma, and Tomohro Hachno Kagoshma Unversty, Kagoshma, Japan Emal: {garash, fukushma, hachno}@eee.kagoshma-u.ac.jp
More informationReport on Image warping
Report on Image warpng Xuan Ne, Dec. 20, 2004 Ths document summarzed the algorthms of our mage warpng soluton for further study, and there s a detaled descrpton about the mplementaton of these algorthms.
More information= z 20 z n. (k 20) + 4 z k = 4
Problem Set #7 solutons 7.2.. (a Fnd the coeffcent of z k n (z + z 5 + z 6 + z 7 + 5, k 20. We use the known seres expanson ( n+l ( z l l z n below: (z + z 5 + z 6 + z 7 + 5 (z 5 ( + z + z 2 + z + 5 5
More informationQuantum secure circuit evaluation
Scence n Chna Ser. F Informaton Scences 2004 Vol.47 No.6 717 727 717 Quantum secure crcut evaluaton CHEN Huanhuan, LI Bn & ZHUANG Zhenquan Department of Electronc Scence and Technology, Unversty of Scence
More informationDepartment of Statistics University of Toronto STA305H1S / 1004 HS Design and Analysis of Experiments Term Test - Winter Solution
Department of Statstcs Unversty of Toronto STA35HS / HS Desgn and Analyss of Experments Term Test - Wnter - Soluton February, Last Name: Frst Name: Student Number: Instructons: Tme: hours. Ads: a non-programmable
More informationAnti-van der Waerden numbers of 3-term arithmetic progressions.
Ant-van der Waerden numbers of 3-term arthmetc progressons. Zhanar Berkkyzy, Alex Schulte, and Mchael Young Aprl 24, 2016 Abstract The ant-van der Waerden number, denoted by aw([n], k), s the smallest
More informationThe Geometry of Logit and Probit
The Geometry of Logt and Probt Ths short note s meant as a supplement to Chapters and 3 of Spatal Models of Parlamentary Votng and the notaton and reference to fgures n the text below s to those two chapters.
More informationC/CS/Phy191 Problem Set 3 Solutions Out: Oct 1, 2008., where ( 00. ), so the overall state of the system is ) ( ( ( ( 00 ± 11 ), Φ ± = 1
C/CS/Phy9 Problem Set 3 Solutons Out: Oct, 8 Suppose you have two qubts n some arbtrary entangled state ψ You apply the teleportaton protocol to each of the qubts separately What s the resultng state obtaned
More informationOn a CCA2-secure variant of McEliece in the standard model
On a CCA2-secure varant of McElece n the standard model Edoardo Perschett Department of Mathematcs, Unversty of Auckland, New Zealand. e.perschett@math.auckland.ac.nz Abstract. We consder publc-key encrypton
More informationIntroduction to Algorithms
Introducton to Algorthms 6.046J/8.40J Lecture 7 Prof. Potr Indyk Data Structures Role of data structures: Encapsulate data Support certan operatons (e.g., INSERT, DELETE, SEARCH) Our focus: effcency of
More informationPractical and Secure Solutions for Integer Comparison (Extended Abstract)
Practcal and Secure Solutons for Integer Comparson (Extended Abstract) Juan Garay 1, erry Schoenmakers 2, and José Vllegas 2 1 ell Labs Lucent Technologes, 600 Mountan Ave., Murray Hll, NJ 07974 garay@research.bell-labs.com
More informationarxiv: v1 [cs.cr] 24 Jan 2019
A Descrpton and Proof of a Generalsed and Optmsed Varant of Wkström s Mxnet Thomas Hanes arxv:90.0837v [cs.cr] 24 Jan 209 Introducton Polyas GmbH In ths paper, we descrbe an optmsed varant of Wkström s
More informationYale University Department of Computer Science
Yale Unversty Department of Computer Scence Denable Anonymous Group Authentcaton Ewa Syta Benamn Peterson Davd Isaac Wolnsky Mchael Fscher Bryan Ford YALEU/DCS/TR-1486 February 13, 2014 Denable Anonymous
More informationOutline. Communication. Bellman Ford Algorithm. Bellman Ford Example. Bellman Ford Shortest Path [1]
DYNAMIC SHORTEST PATH SEARCH AND SYNCHRONIZED TASK SWITCHING Jay Wagenpfel, Adran Trachte 2 Outlne Shortest Communcaton Path Searchng Bellmann Ford algorthm Algorthm for dynamc case Modfcatons to our algorthm
More informationPerfect Competition and the Nash Bargaining Solution
Perfect Competton and the Nash Barganng Soluton Renhard John Department of Economcs Unversty of Bonn Adenauerallee 24-42 53113 Bonn, Germany emal: rohn@un-bonn.de May 2005 Abstract For a lnear exchange
More informationTightly CCA-Secure Encryption without Pairings
Tghtly CCA-Secure Encrypton wthout Parngs Roman Gay 1,, Denns Hofhenz 2,, Eke Kltz 3,, and Hoeteck Wee 1, 1 ENS, Pars, France rgay,wee@d.ens.fr 2 Ruhr-Unverstät Bochum, Bochum, Germany eke.kltz@rub.de
More informationCircular chosen-ciphertext security with compact ciphertexts
Crcular chosen-cphertext securty wth compact cphertexts Denns Hofhenz January 19, 2013 Abstract A key-dependent message (KDM secure encrypton scheme s secure even f an adversary obtans encryptons of messages
More information4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA
4 Analyss of Varance (ANOVA) 5 ANOVA 51 Introducton ANOVA ANOVA s a way to estmate and test the means of multple populatons We wll start wth one-way ANOVA If the populatons ncluded n the study are selected
More informationand problem sheet 2
-8 and 5-5 problem sheet Solutons to the followng seven exercses and optonal bonus problem are to be submtted through gradescope by :0PM on Wednesday th September 08. There are also some practce problems,
More informationHomework 3 Solutions
5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin
More informationPrimer on High-Order Moment Estimators
Prmer on Hgh-Order Moment Estmators Ton M. Whted July 2007 The Errors-n-Varables Model We wll start wth the classcal EIV for one msmeasured regressor. The general case s n Erckson and Whted Econometrc
More informationMessage modification, neutral bits and boomerangs
Message modfcaton, neutral bts and boomerangs From whch round should we start countng n SHA? Antone Joux DGA and Unversty of Versalles St-Quentn-en-Yvelnes France Jont work wth Thomas Peyrn 1 Dfferental
More information12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA. 4. Tensor product
12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA Here s an outlne of what I dd: (1) categorcal defnton (2) constructon (3) lst of basc propertes (4) dstrbutve property (5) rght exactness (6) localzaton
More informationFinding Malleability in NTRUSign
Fndng Malleablty n TRUSgn SungJun Mn, Go Yamamoto, and Kwangjo Km Auto-ID Labs Whte Paper WP-HARDWARE-33 Sungjun Mn Senor Researcher, atonal Computerzaton Agency Go Yamamoto Senor Researcher, Informaton
More informationLecture Space-Bounded Derandomization
Notes on Complexty Theory Last updated: October, 2008 Jonathan Katz Lecture Space-Bounded Derandomzaton 1 Space-Bounded Derandomzaton We now dscuss derandomzaton of space-bounded algorthms. Here non-trval
More informationBézier curves. Michael S. Floater. September 10, These notes provide an introduction to Bézier curves. i=0
Bézer curves Mchael S. Floater September 1, 215 These notes provde an ntroducton to Bézer curves. 1 Bernsten polynomals Recall that a real polynomal of a real varable x R, wth degree n, s a functon of
More informationLectures - Week 4 Matrix norms, Conditioning, Vector Spaces, Linear Independence, Spanning sets and Basis, Null space and Range of a Matrix
Lectures - Week 4 Matrx norms, Condtonng, Vector Spaces, Lnear Independence, Spannng sets and Bass, Null space and Range of a Matrx Matrx Norms Now we turn to assocatng a number to each matrx. We could
More informationPractical Functional Encryption for Quadratic Functions with Applications to Predicate Encryption
Practcal Functonal Encrypton for Quadratc Functons wth Applcatons to Predcate Encrypton Carmen Elsabetta Zara Baltco 1, Daro Catalano 1, Daro Fore 2, and Roman Gay 3 1 Dpartmento d Matematca e Informatca,
More information2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification
E395 - Pattern Recognton Solutons to Introducton to Pattern Recognton, Chapter : Bayesan pattern classfcaton Preface Ths document s a soluton manual for selected exercses from Introducton to Pattern Recognton
More information18.781: Solution to Practice Questions for Final Exam
18.781: Soluton to Practce Questons for Fnal Exam 1. Fnd three solutons n postve ntegers of x 6y = 1 by frst calculatng the contnued fracton expanson of 6. Soluton: We have 1 6=[, ] 6 6+ =[, ] 1 =[,, ]=[,,
More informationRSA /2002/13(08) , ); , ) RSA RSA : RSA RSA [2] , [1,4]
1000-9825/2002/13(081729-06 2002 Journal of Software Vol13, No8 RSA 1,2 1, 1 (, 200433; 2 (, 200070 E-mal: yfhu@fudaneducn http://wwwfudaneducn : RSA RSA :, ; RSA,,, RSA,, : ; RSA ; ;RSA; : TP309 : A RSA
More informationA Novel Feistel Cipher Involving a Bunch of Keys supplemented with Modular Arithmetic Addition
(IJACSA) Internatonal Journal of Advanced Computer Scence Applcatons, A Novel Festel Cpher Involvng a Bunch of Keys supplemented wth Modular Arthmetc Addton Dr. V.U.K Sastry Dean R&D, Department of Computer
More informationStrongly Unforgeable Proxy Re-Signature Schemes in the Standard model
Strongly Unforgeable Proxy Re-Sgnature Schemes n the Standard model No Author Gven No Insttute Gven Abstract. Proxy re-sgnatures are generally used for the delegaton of sgnng rghts of a user delegator
More informationResource Allocation with a Budget Constraint for Computing Independent Tasks in the Cloud
Resource Allocaton wth a Budget Constrant for Computng Independent Tasks n the Cloud Wemng Sh and Bo Hong School of Electrcal and Computer Engneerng Georga Insttute of Technology, USA 2nd IEEE Internatonal
More informationThe Second Anti-Mathima on Game Theory
The Second Ant-Mathma on Game Theory Ath. Kehagas December 1 2006 1 Introducton In ths note we wll examne the noton of game equlbrum for three types of games 1. 2-player 2-acton zero-sum games 2. 2-player
More informationComment on An arbitrated quantum signature scheme. with fast signing and verifying
Comment on n arbtrated quantum sgnature scheme wth fast sgnng and verfyng Y-Png Luo and Tzonelh Hwang * Department of Computer cence and Informaton Engneerng, Natonal Cheng ung Unversty, No, Unversty Rd,
More informationChapter 8 SCALAR QUANTIZATION
Outlne Chapter 8 SCALAR QUANTIZATION Yeuan-Kuen Lee [ CU, CSIE ] 8.1 Overvew 8. Introducton 8.4 Unform Quantzer 8.5 Adaptve Quantzaton 8.6 Nonunform Quantzaton 8.7 Entropy-Coded Quantzaton Ch 8 Scalar
More information