A Provably Secure Group Signature Scheme from Code-Based Assumptions
A Provably Secure Group Signature Scheme from Code-Based Assumptions
Martianus Frederic Ezerman, Hyung Tae Lee, San Ling, Khoa Nguyen, Huaxiong Wang (NTU, Singapore)
ASIACRYPT '15, 01/12/15
Group Signatures [CH91]
(Figure: group users U_1, ..., U_i, ..., U_N; a signature pair (Σ, ·) produced by user U_i.)
Khoa Nguyen, NTU. Code-Based Group Signature. ASIACRYPT '15, 01/12/15.
The [BMW 03] Model
4 algorithms:
1. KeyGen(λ, N) → (gpk, gmsk, {gsk[j]}_{j=0}^{N-1}).
2. Sign(gsk[j], M) → Σ.
3. Verify(gpk, M, Σ) → {0, 1}.
4. Open(gmsk, M, Σ) → {j, ⊥}.
3 requirements: correctness, anonymity, traceability.
3 cryptographic ingredients: ordinary digital signature, encryption scheme, zero-knowledge protocol.
Post-Quantum Group Signatures
Shor's quantum algorithm [Shor 94] ⇒ post-quantum cryptography.
6 candidates of post-quantum group signatures have been published in the last 5 years [GKV 10, CNR 12, LLLS 13, LLNW 14, LNW 15, NZZ 15]. [NZZ 15] is arguably the most efficient in the asymptotic sense.
All are based on lattice assumptions. Large key and signature sizes. No implementation so far.
Open questions:
1. More diversity?
2. More practical construction? E.g., an easy-to-implement and competitively efficient code-based group signature scheme would be desirable.
A Provably Secure Code-Based Group Signature?
Needed ingredients:
1. Ordinary signature: CFS [CFS 01] and its variants have no known convincing security proof; instead, Stern's protocol [Ste 96] + Fiat-Shamir transform [FS 86].
2. Encryption scheme: provably secure variants of McEliece's [McE 78] and Niederreiter's [Nie 86] schemes, e.g., randomized McEliece [NIKM 08].
3. The bottleneck is a ZK protocol connecting the first two layers. The signer should demonstrate that the given group signature was generated by a certified group user who honestly encrypts his identifying information, while keeping both the certificate and the identity secret! An open question in code-based cryptography.
Our Results
A code-based GS scheme provably secure in the ROM:
CPA-anonymity: Learning Parity with (fixed-weight) Noise + McEliece.
Traceability: Syndrome Decoding.
Implementation results: the first ones for post-quantum group signatures.
Efficiency comparison with recent lattice-based schemes:
Asymptotically, ours is less efficient: O(N) vs. O(log N).
Practically (rough estimation; the N values and the public-key figures did not survive the transcription, only their units):
Scheme       N   Public key   Signature
Our scheme   ?   ? KB         1.07 MB
Our scheme   ?   ? MB         2.21 MB
[NZZ 15]     ?   ? GB         294 MB
[NZZ 15]     ?   ? GB         579 MB
Our Construction
McEliece parameters (n, k, t); SD parameters (m, r, ω); maximum group size N = 2^l.
Notations: B(m, ω) = {s ∈ {0, 1}^m : wt(s) = ω}; B(n, t) is defined similarly.
KeyGen:
1. (G ∈ F_2^{k×n}, dk) ← McE.Kg; H ←$ F_2^{r×m}; for all j ∈ [0, N-1]: s_j ←$ B(m, ω), y_j = H·s_j.
2. Output gpk = (G, H, y_0, ..., y_{N-1}); gmsk = dk; and gsk[j] = s_j for all j.
Sign(gsk[j] = s, M):
1. Encrypt I2B(j) ∈ {0, 1}^l, the binary representation of j ∈ [0, N-1], using randomized McEliece [NIKM 08]: sample u ←$ F_2^{k-l}, e ←$ B(n, t), and compute c = (u ‖ I2B(j))·G ⊕ e ∈ F_2^n.
2. Generate a NIZK argument Π to show knowledge of (j, s, u, e) such that s = gsk[j] and c is a correct encryption of I2B(j) with randomness (u, e). (Π is made non-interactive via Fiat-Shamir, with M included in the RO hashing.)
3. Output Σ = (c, Π).
Verify: check Π. Open: decrypt c using dk.
The Underlying Zero-Knowledge Argument of Knowledge
Common input: G ∈ F_2^{k×n}; H ∈ F_2^{r×m}; y_0, ..., y_{N-1} ∈ F_2^r; c ∈ F_2^n.
Prover's input: (j, s, u, e) ∈ [0, N-1] × B(m, ω) × F_2^{k-l} × B(n, t).
Prover's goal: prove in ZK that H·s = y_j and c = (u ‖ I2B(j))·G ⊕ e.
Transform:
H·s = y_j  ⟺  H·s ⊕ A·x = 0
c = (u ‖ I2B(j))·G ⊕ e  ⟺  c = (u ‖ f)·Ĝ ⊕ e        (1)
where A = [y_0 | ... | y_{N-1}]; x = δ^N_j, the N-dimensional unit vector with its 1 at the j-th position; f = Encode(j) = (1-j_0, j_0, ..., 1-j_{l-1}, j_{l-1}) ∈ F_2^{2l}, the extension of I2B(j) = (j_0, ..., j_{l-1}); and Ĝ is the corresponding extension of G.
Now the task is to prove in ZK that (1) holds with s ∈ B(m, ω); u ∈ F_2^{k-l}; e ∈ B(n, t); x = δ^N_j; f = Encode(j).
The constraints on s, u, e (green on the slide) can be handled with Stern's protocol. The constraints x = δ^N_j and f = Encode(j) (red on the slide) need an additional technique!
Proving that x = δ^N_j & f = Encode(j) for some hidden j
Let B2I : {0, 1}^l → [0, N-1] be the inverse function of I2B(·). For every b ∈ {0, 1}^l, we carefully define 2 permutations T_b : F_2^N → F_2^N and T'_b : F_2^{2l} → F_2^{2l}, such that the following equivalences hold for all j ∈ [0, N-1] and b ∈ {0, 1}^l:
x = δ^N_j  ⟺  T_b(x) = δ^N_{B2I(I2B(j) ⊕ b)}
f = Encode(j)  ⟺  T'_b(f) = Encode(B2I(I2B(j) ⊕ b)).
To prove that the LHS holds in ZK: sample b ←$ {0, 1}^l, send b_1 = I2B(j) ⊕ b, x_1 = T_b(x), f_1 = T'_b(f), and let the verifier check that the RHS holds.
Idea: b acts as a one-time pad, so j is completely hidden (inspired by a method proposed by [LLNW 14]).
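As an added example (not code from the paper or its authors), the following pure-Python toy reconstructs both the relation rewriting of the "Underlying Zero-Knowledge Argument" slide and the T_b / T'_b one-time-pad trick of this slide, and checks them on small random instances. G, H, the user secrets s_j and the concrete definitions of T_b, T'_b and Ĝ are my own constructions chosen to satisfy the stated equivalences; no Goppa code or decoder is involved.

```python
# Added example, not code from the paper or its authors: a pure-Python toy check
# of two ideas on the slides, over GF(2) with plain lists and no external library.
#  (a) the transform  H.s = y_j  <=>  H.s + A.x = 0  (x = delta_j)  and
#      c = (u||I2B(j)).G + e  <=>  c = (u||f).G_hat + e  (f = Encode(j));
#  (b) the one-time-pad permutations T_b, T'_b applied to x and f.
# G, H, s_j are random (constructed): no Goppa code, no decoder, so this is only
# the linear algebra, not a McEliece instance. T_b, T'_b and G_hat below are my
# reconstruction of maps with the stated properties, not the paper's definitions.
import random

def i2b(j, l):
    """I2B: bits (j_0, ..., j_{l-1}) of j, least significant first."""
    return [(j >> i) & 1 for i in range(l)]

def b2i(bits):
    """B2I: inverse of i2b."""
    return sum(bit << i for i, bit in enumerate(bits))

def encode(j, l):
    """Encode(j) = (1-j_0, j_0, ..., 1-j_{l-1}, j_{l-1}) in F_2^{2l}."""
    return [v for bit in i2b(j, l) for v in (1 - bit, bit)]

def delta(j, dim):
    """delta_j^N: unit vector of length dim with its single 1 at position j."""
    return [1 if i == j else 0 for i in range(dim)]

def matvec(M, v):
    """M.v over GF(2), M given as a list of rows."""
    return [sum(a & b for a, b in zip(row, v)) & 1 for row in M]

def vecmat(v, M):
    return matvec(list(zip(*M)), v)      # v.M over GF(2) via the transpose

def fixed_weight(rng, length, weight):
    """Uniform element of B(length, weight): exactly `weight` ones."""
    ones = set(rng.sample(range(length), weight))
    return [1 if i in ones else 0 for i in range(length)]

def extend_g(G, l):
    """G_hat: each of the last l rows of G (the rows I2B(j) multiplies) gets a
    zero row in front of it, so (u||Encode(j)).G_hat = (u||I2B(j)).G."""
    k, n = len(G), len(G[0])
    rows = G[:k - l]
    for i in range(l):
        rows += [[0] * n, G[k - l + i]]   # zero row for 1-j_i, G's row for j_i
    return rows

def perm_t(b, x):
    """T_b on F_2^N: output entry i is x[i XOR B2I(b)], so delta_j -> delta_{j XOR b}."""
    shift = b2i(b)
    return [x[i ^ shift] for i in range(len(x))]

def perm_t_prime(b, f):
    """T'_b on F_2^{2l}: swap the two entries of block i exactly when b_i = 1."""
    out = list(f)
    for i, bit in enumerate(b):
        if bit:
            out[2 * i], out[2 * i + 1] = out[2 * i + 1], out[2 * i]
    return out

def transform_holds(seed=1, l=3, k=8, n=16, m=20, r=10, omega=5, t=2):
    """KeyGen and Sign step 1 with random matrices, then check both rewritten relations."""
    rng, N = random.Random(seed), 1 << l
    G = [[rng.randrange(2) for _ in range(n)] for _ in range(k)]
    H = [[rng.randrange(2) for _ in range(m)] for _ in range(r)]
    S = [fixed_weight(rng, m, omega) for _ in range(N)]          # gsk[j] = s_j
    Y = [matvec(H, s) for s in S]                                # y_j = H.s_j
    A = [[Y[j][i] for j in range(N)] for i in range(r)]          # A = [y_0 | ... | y_{N-1}]
    j = rng.randrange(N)
    u = [rng.randrange(2) for _ in range(k - l)]
    e = fixed_weight(rng, n, t)
    c = [a ^ b for a, b in zip(vecmat(u + i2b(j, l), G), e)]     # randomized McEliece form
    lhs = [a ^ b for a, b in zip(matvec(H, S[j]), matvec(A, delta(j, N)))]
    rel1 = not any(lhs)                                          # H.s + A.x = 0
    rel2 = [a ^ b for a, b in zip(vecmat(u + encode(j, l), extend_g(G, l)), e)] == c
    return rel1 and rel2

def permutation_round(seed=2, l=4):
    """One prover/verifier exchange for x = delta_j, f = Encode(j); j stays with the prover."""
    rng, N = random.Random(seed), 1 << l
    j = rng.randrange(N)
    b = [rng.randrange(2) for _ in range(l)]                     # fresh one-time pad
    b1 = [ji ^ bi for ji, bi in zip(i2b(j, l), b)]               # I2B(j) XOR b
    x1, f1 = perm_t(b, delta(j, N)), perm_t_prime(b, encode(j, l))
    j1 = b2i(b1)                                                 # verifier learns only j XOR b
    accept = x1 == delta(j1, N) and f1 == encode(j1, l)
    bad_x = delta(j, N)
    bad_x[(j + 1) % N] = 1                                       # weight 2: not a unit vector
    rejected = perm_t(b, bad_x) != delta(j1, N)
    return accept and rejected

def equivalences_hold_for_all(l=3):
    """Exhaustively confirm both equivalences for every j in [0, N-1] and every b."""
    N = 1 << l
    for j in range(N):
        for b in (i2b(v, l) for v in range(N)):
            j1 = b2i([ji ^ bi for ji, bi in zip(i2b(j, l), b)])
            if perm_t(b, delta(j, N)) != delta(j1, N) or perm_t_prime(b, encode(j, l)) != encode(j1, l):
                return False
    return True
```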
Implementation Results
Testing platform: PC with 3.5 GHz CPU, 16 GB RAM.
To achieve 80-bit security, repeat Stern's protocol 140 times.
McEliece parameters: (n, k, t) = (2^11, 1696, 32); SD parameters: (m, r, ω) = (2756, 550, 121).
Results for six group sizes (unit for time: second; the N values, the public-key figures and all timings did not survive the transcription, only the public-key units and the signature sizes):
N   Public key   Signature   KeyGen   Sign   Verify   Open
?   ? KB         111 KB      ?        ?      ?        ?
?   ? KB         114 KB      ?        ?      ?        ?
?   ? KB         159 KB      ?        ?      ?        ?
?   ? MB         876 KB      ?        ?      ?        ?
?   ? MB         12.4 MB     ?        ?      ?        ?
?   ? GB         196 MB      ?        ?      ?        ?
Summary of our contributions:
1. A provably secure code-based GS scheme.
2. Implementation results.
Open questions: code-based GS with
1. CCA-anonymity?
2. Logarithmic-size signature?
3. Revocation? Dynamic enrollment of users?
Thank you!
Fang Song Joint work with Sean Hallgren and Adam Smith Computer Science and Engineering Penn State University Are classical cryptographic protocols secure against quantum attackers? 2 Are classical cryptographic
More informationPrivacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics
Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics F. Prost Frederic.Prost@ens-lyon.fr Ecole Normale Supérieure de Lyon July 2015 F. Prost Frederic.Prost@ens-lyon.fr (Ecole
More informationPost-Quantum Code-Based Cryptography
Big Data Photonics UCLA Post-Quantum Code-Based Cryptography 03-25-2016 Valérie Gauthier Umaña Assistant Professor valeriee.gauthier@urosario.edu.co Cryptography Alice 1 Cryptography Alice Bob 1 Cryptography
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationGeorge Danezis Microsoft Research, Cambridge, UK
George Danezis Microsoft Research, Cambridge, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationThe failure of McEliece PKC based on Reed-Muller codes.
The failure of McEliece PKC based on Reed-Muller codes. May 8, 2013 I. V. Chizhov 1, M. A. Borodin 2 1 Lomonosov Moscow State University. email: ivchizhov@gmail.com, ichizhov@cs.msu.ru 2 Lomonosov Moscow
More informationOn the Big Gap Between p and q in DSA
On the Big Gap Between p and in DSA Zhengjun Cao Department of Mathematics, Shanghai University, Shanghai, China, 200444. caozhj@shu.edu.cn Abstract We introduce a message attack against DSA and show that
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationOn the Impossibility of Batch Update for Cryptographic Accumulators
for Philippe Camacho (pcamacho@dcc.uchile.cl) Alejandro Hevia (ahevia@dcc.uchile.cl) FMCrypto Workshop: Formal Methods in Cryptography University of Chile March 24, 2010 Introduction This work is about
More informationRandom Oracles in a Quantum World
Dan Boneh 1 Özgür Dagdelen 2 Marc Fischlin 2 Anja Lehmann 3 Christian Schaffner 4 Mark Zhandry 1 1 Stanford University, USA 2 CASED & Darmstadt University of Technology, Germany 3 IBM Research Zurich,
More informationNotes for Lecture 9. 1 Combining Encryption and Authentication
U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure
More informationMarch 19: Zero-Knowledge (cont.) and Signatures
March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o
More informationA New Hard Problem over Non- Commutative Finite Groups for Cryptographic Protocols
Moldovyan D.N., Moldovyan N.A. St.etersburg, Russia, SPIIRAS A New Hard Problem over Non- Commutative Finite Groups for Cryptographic Protocols Reporter: Moldovyan N.A. Structure of the report 1. Hard
More information