Peculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology
|
|
- Lawrence Cook
- 6 years ago
- Views:
Transcription
1 1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010
2 2 / 19 Talk Agenda Encryption schemes with special features:
3 2 / 19 Talk Agenda Encryption schemes with special features: 1 (Bi-)Deniability
4 2 / 19 Talk Agenda Encryption schemes with special features: 1 (Bi-)Deniability 2 Circular Security
5 3 / 19 Part 1: Deniable Encryption A. O Neill, C. Peikert (2010) Bideniable Public-Key Encryption
6 Deniable Encryption c = Encpk ( surprise party 4 big bro! ) (Images courtesy xkcd.org) 4 / 19
7 Deniable Encryption c = Encpk ( surprise party 4 big bro! )!! (Images courtesy xkcd.org) 4 / 19
8 Deniable Encryption c = DenEncpk ( surprise party 4 big bro! ) What We Want 1 Bob gets Alice s intended message, but... (Images courtesy xkcd.org) 4 / 19
9 Deniable Encryption c = DenEncpk ( surprise party 4 big bro! ) (fake!) (fake!) What We Want 1 Bob gets Alice s intended message, but... (Images courtesy xkcd.org) 4 / 19
10 Deniable Encryption c = Encpk ( I love kittens!!!! ) What We Want 1 Bob gets Alice s intended message, but... 2 Fake coins & keys look as if another message was encrypted! (Images courtesy xkcd.org) 4 / 19
11 5 / 19 Applications of Deniability 1 Anti-coercion: off the record communication (journalists, lawyers, whistle-blowers), 1984
12 5 / 19 Applications of Deniability 1 Anti-coercion: off the record communication (journalists, lawyers, whistle-blowers), Voting: can reveal any candidate, so can t sell vote (?)
13 5 / 19 Applications of Deniability 1 Anti-coercion: off the record communication (journalists, lawyers, whistle-blowers), Voting: can reveal any candidate, so can t sell vote (?) 3 Secure protocols tolerating adaptive break-ins [CFGN 96]
14 6 / 19 State of the Art Theory [CanettiDworkNaorOstrovsky 97] Sender-deniable encryption scheme Receiver-deniability by adding interaction & switching roles Bi-deniability by interaction w/ 3rd parties (one must remain uncoerced)
15 6 / 19 State of the Art Theory [CanettiDworkNaorOstrovsky 97] Sender-deniable encryption scheme Receiver-deniability by adding interaction & switching roles Bi-deniability by interaction w/ 3rd parties (one must remain uncoerced) Practice: TrueCrypt, Rubberhose,... Limited deniability: move along, no message here... Plausible for storage, but not so much for communication.
16 7 / 19 This Work 1 Bi-deniable encryption: sender & receiver simultaneously coercible
17 7 / 19 This Work 1 Bi-deniable encryption: sender & receiver simultaneously coercible A true public-key scheme: non-interactive, no 3rd parties Uses special properties of lattices [Ajtai 96,Regev 05,GPV 08,... ] Has large keys... but this is inherent [Nielsen 02]
18 7 / 19 This Work 1 Bi-deniable encryption: sender & receiver simultaneously coercible A true public-key scheme: non-interactive, no 3rd parties Uses special properties of lattices [Ajtai 96,Regev 05,GPV 08,... ] Has large keys... but this is inherent [Nielsen 02] 2 Plan-ahead bi-deniability with short keys Bounded number of alternative messages, decided in advance
19 8 / 19 A Core Tool: Translucent Sets [CDNO 97] {0, 1} k = U P Public description pk with secret trapdoor sk.
20 8 / 19 A Core Tool: Translucent Sets [CDNO 97] {0, 1} k = U P x Public description pk with secret trapdoor sk. Properties 1 Given only pk, Can efficiently sample from P (and from U, trivially). P-sample is pseudorandom: looks like a U-sample so it can be faked as a U-sample.
21 8 / 19 A Core Tool: Translucent Sets [CDNO 97] {0, 1} k = U P x Public description pk with secret trapdoor sk. Properties 1 Given only pk, Can efficiently sample from P (and from U, trivially). P-sample is pseudorandom: looks like a U-sample so it can be faked as a U-sample. 2 Given sk, can easily distinguish P from U.
22 8 / 19 A Core Tool: Translucent Sets [CDNO 97] {0, 1} k = U P x Public description pk with secret trapdoor sk. Properties 1 Given only pk, Can efficiently sample from P (and from U, trivially). P-sample is pseudorandom: looks like a U-sample so it can be faked as a U-sample. 2 Given sk, can easily distinguish P from U. Many instantiations: trapdoor perms (RSA), DDH, lattices,...
23 9 / 19 Translucence for Deniability [CDNO 97] Normal: Enc(0) = UU Enc(1) = UP U P sk
24 9 / 19 Translucence for Deniability [CDNO 97] Normal: Enc(0) = UU Deniable: Enc(0) = PP Enc(1) = UP Enc(1) = UP U P sk
25 Translucence for Deniability [CDNO 97] U Normal: Enc(0) = UU Enc(1) = UP Deniable: Enc(0) = PP Enc(1) = UP P sk Deniability 4 Alice can fake: PP UP UU 9 / 19
26 Translucence for Deniability [CDNO 97] U Normal: Enc(0) = UU Enc(1) = UP Deniable: Enc(0) = PP Enc(1) = UP P sk 7 Deniability 4 Alice can fake: PP UP UU 7 What about Bob?? His sk reveals the true nature of the samples! 9 / 19
27 10 / 19 Our Contribution: Bi-Translucent Sets Properties 1 Each pk has many sk, each inducing a slightly different P-test.
28 10 / 19 Our Contribution: Bi-Translucent Sets Properties 1 Each pk has many sk, each inducing a slightly different P-test.
29 10 / 19 Our Contribution: Bi-Translucent Sets x Properties 1 Each pk has many sk, each inducing a slightly different P-test. 2 Most sk classify a given P-sample correctly.
30 10 / 19 Our Contribution: Bi-Translucent Sets x Properties 1 Each pk has many sk, each inducing a slightly different P-test. 2 Most sk classify a given P-sample correctly. 3 Can generate pk with a faking key: given fk and a P-sample x, can find a proper-looking sk that classifies x as a U-sample.
31 10 / 19 Our Contribution: Bi-Translucent Sets x Properties 1 Each pk has many sk, each inducing a slightly different P-test. 2 Most sk classify a given P-sample correctly. 3 Can generate pk with a faking key: given fk and a P-sample x, can find a proper-looking sk that classifies x as a U-sample. Bob can also fake P U!
32 11 / 19 Lattice-Based Bi-Translucent Set Primal L (A) Dual L(A) O r O Basic Translucency pk = parity check A of lattice L (A). sk = Gaussian (short) vector r L. (I.e., Ar = 0 Z n q.)
33 11 / 19 Lattice-Based Bi-Translucent Set Primal L (A) Dual L(A) O r O x Basic Translucency pk = parity check A of lattice L (A). sk = Gaussian (short) vector r L. (I.e., Ar = 0 Z n q.) U-sample = uniform x in Z m q. Then r, x is uniform mod q.
34 11 / 19 Lattice-Based Bi-Translucent Set Primal L (A) Dual L(A) O r x O Basic Translucency pk = parity check A of lattice L (A). sk = Gaussian (short) vector r L. (I.e., Ar = 0 Z n q.) U-sample = uniform x in Z m q. Then r, x is uniform mod q. P-sample = x = A t s + e (LWE). Then r, x 0 mod q.
35 11 / 19 Lattice-Based Bi-Translucent Set Primal L (A) Dual L(A) x O O fk Receiver Faking Faking key = short basis of L (a la [GPV 08,... ])
36 11 / 19 Lattice-Based Bi-Translucent Set Primal L (A) Dual L(A) r x O O fk Receiver Faking Faking key = short basis of L (a la [GPV 08,... ]) Given P-sample x, choose fake r L correlated with x s error. Then r, x is uniform mod q x is classified as a U-sample.
37 11 / 19 Lattice-Based Bi-Translucent Set Primal L (A) Dual L(A) r x O O fk Security (in a nutshell) Fake r depends heavily on x. Why would it look like a normal r?
38 11 / 19 Lattice-Based Bi-Translucent Set Primal L (A) Dual L(A) r x O O Security (in a nutshell) Fake r depends heavily on x. Why would it look like a normal r? Alternative experiment: choose Gaussian r (as normal), then let x = LWE + Gauss r. This (r, x) has the same joint distrib!
39 11 / 19 Lattice-Based Bi-Translucent Set Primal L (A) Dual L(A) r x O O Security (in a nutshell) Fake r depends heavily on x. Why would it look like a normal r? Alternative experiment: choose Gaussian r (as normal), then let x = LWE + Gauss r. This (r, x) has the same joint distrib! Finally, replace LWE with uniform normal r and U-sample x.
40 12 / 19 Closing Thoughts on Deniability Faking sk requires oblivious misclassification (of P as U) Bi-deniability from other cryptographic assumptions? Full deniability, without alternative algorithms?
41 13 / 19 Part 2: Circular-Secure Encryption B. Applebaum, D. Cash, C. Peikert, A. Sahai (CRYPTO 2009) Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems
42 14 / 19 Circular / Clique / Key-Dependent Security sk Alice Enc pkbob (sk Alice ) sk Bob
43 14 / 19 Circular / Clique / Key-Dependent Security sk Alice Enc pkbob (sk Alice ) Enc pkalice (sk Bob )?? sk Bob Semantic security [GM 02] only guarantees security for messages that the adversary can itself generate.
44 14 / 19 Circular / Clique / Key-Dependent Security sk Alice Enc pkbob (sk Alice ) Enc pkalice (sk Bob )?? sk Bob Semantic security [GM 02] only guarantees security for messages that the adversary can itself generate. F-KDM security: adversary also gets Enc pk (f (sk)) for any f F Clique security: adversary gets Enc pki (f (sk j )) for any i, j
45 14 / 19 Circular / Clique / Key-Dependent Security sk Alice Enc pkbob (sk Alice ) Enc pkalice (sk Bob )?? sk Bob Semantic security [GM 02] only guarantees security for messages that the adversary can itself generate. F-KDM security: adversary also gets Enc pk (f (sk)) for any f F Clique security: adversary gets Enc pki (f (sk j )) for any i, j Applications: formal analysis [ABHS 05], disk encryption, anonymity systems [CL 01], fully homomorphic encryption [G 09]
46 14 / 19 Circular / Clique / Key-Dependent Security sk Alice Enc pkbob (sk Alice ) Enc pkalice (sk Bob )?? sk Bob Semantic security [GM 02] only guarantees security for messages that the adversary can itself generate. F-KDM security: adversary also gets Enc pk (f (sk)) for any f F Clique security: adversary gets Enc pki (f (sk j )) for any i, j Applications: formal analysis [ABHS 05], disk encryption, anonymity systems [CL 01], fully homomorphic encryption [G 09] Some (semantically secure) schemes are actually circular-insecure [ABBC 10,GH 10]
47 15 / 19 Solutions [Boneh-Halevi-Hamburg-Ostrovsky 08] Based on decisional Diffie-Hellman (DDH) assumption
48 15 / 19 Solutions [Boneh-Halevi-Hamburg-Ostrovsky 08] Based on decisional Diffie-Hellman (DDH) assumption Our Scheme [Applebaum-Cash-P-Sahai 09] Based on Learning With Errors (LWE) assumption [Regev 05]
49 15 / 19 Solutions [Boneh-Halevi-Hamburg-Ostrovsky 08] Based on decisional Diffie-Hellman (DDH) assumption Security: Clique & KDM for affine functions Our Scheme [Applebaum-Cash-P-Sahai 09] Based on Learning With Errors (LWE) assumption [Regev 05] Security: same. Follows general [BHHO 08] approach.
50 15 / 19 Solutions [Boneh-Halevi-Hamburg-Ostrovsky 08] Based on decisional Diffie-Hellman (DDH) assumption Security: Clique & KDM for affine functions Large computation & communication. For k-bit message: Public key Enc Time Ciphertext k 2 group elts k expon k group elts k 3 bits k 4 bit ops k 2 bits Our Scheme [Applebaum-Cash-P-Sahai 09] Based on Learning With Errors (LWE) assumption [Regev 05] Security: same. Follows general [BHHO 08] approach.
51 15 / 19 Solutions [Boneh-Halevi-Hamburg-Ostrovsky 08] Based on decisional Diffie-Hellman (DDH) assumption Security: Clique & KDM for affine functions Large computation & communication. For k-bit message: Public key Enc Time Ciphertext k 2 group elts k expon k group elts k 3 bits k 4 bit ops k 2 bits Our Scheme [Applebaum-Cash-P-Sahai 09] Based on Learning With Errors (LWE) assumption [Regev 05] Security: same. Follows general [BHHO 08] approach. Efficiency: comes for free with existing schemes! [R 05,PVW 08] Public key Enc Time Ciphertext k 2 bits k 2 ops k bits
52 16 / 19 Regev s Cryptosystem Decision LWE problem: distinguish samples (a i, b i = a i, s + e i ) Z n q Z q from uniform (a i, b i )
53 16 / 19 Regev s Cryptosystem Decision LWE problem: distinguish samples (a i, b i = a i, s + e i ) Z n q Z q from uniform (a i, b i ) The Scheme Keys: sk = s Z n q, pk =. A t.,. b = At s + e. α q
54 16 / 19 Regev s Cryptosystem Decision LWE problem: distinguish samples (a i, b i = a i, s + e i ) Z n q Z q from uniform (a i, b i ) The Scheme Keys: sk = s Z n q, pk =. A t.,. b = At s + e. α q Encrypt: Let (u = Ar, v = b, r ) for r {0, 1} m. For message µ Z p (where p q), ciphertext = (u, v + µ q p ).
55 16 / 19 Regev s Cryptosystem Decision LWE problem: distinguish samples (a i, b i = a i, s + e i ) Z n q Z q from uniform (a i, b i ) The Scheme Keys: sk = s Z n q, pk =. A t.,. b = At s + e. α q Encrypt: Let (u = Ar, v = b, r ) for r {0, 1} m. For message µ Z p (where p q), ciphertext = (u, v + µ q p ). Decrypt (u, v ): find the µ Z p such that v u, s µ q p.
56 16 / 19 Regev s Cryptosystem Decision LWE problem: distinguish samples (a i, b i = a i, s + e i ) Z n q Z q from uniform (a i, b i ) The Scheme Keys: sk = s Z n q, pk =. A t.,. b = At s + e. α q Encrypt: Let (u = Ar, v = b, r ) for r {0, 1} m. For message µ Z p (where p q), ciphertext = (u, v + µ q p ). Decrypt (u, v ): find the µ Z p such that v u, s µ q p. Security proof: uniform pk = (A, b) = uniform ciphertext (u, v).
57 17 / 19 Self-Reference? An Observation With (u = Ar, v = b, r ), the ciphertext (u = u q p e 1, v) decrypts as v u, s (s 1 mod p) q p. (Or any affine fct of s.)
58 17 / 19 Self-Reference? An Observation With (u = Ar, v = b, r ), the ciphertext (u = u q p e 1, v) decrypts as v u, s (s 1 mod p) q p. But: is (u, v) distributed the same as (u, v ) Enc(s 1 mod p)? And does s 1 Z q fit into the message space Z p?
59 17 / 19 Self-Reference? An Observation With (u = Ar, v = b, r ), the ciphertext (u = u q p e 1, v) decrypts as v u, s (s 1 mod p) q p. But: is (u, v) distributed the same as (u, v ) Enc(s 1 mod p)? And does s 1 Z q fit into the message space Z p? No! Also no!
60 17 / 19 Self-Reference! An Observation With (u = Ar, v = b, r ), the ciphertext (u = u q p e 1, v) decrypts as v u, s (s 1 mod p) q p. But: is (u, v) distributed the same as (u, v ) Enc(s 1 mod p)? And does s 1 Z q fit into the message space Z p? Modifying the Scheme No! Also no! 1 Use q = p 2 for divisibility. (Need new search/decision reduction for LWE.)
61 17 / 19 Self-Reference! An Observation With (u = Ar, v = b, r ), the ciphertext (u = u q p e 1, v) decrypts as v u, s (s 1 mod p) q p. But: is (u, v) distributed the same as (u, v ) Enc(s 1 mod p)? And does s 1 Z q fit into the message space Z p? Modifying the Scheme 1 Use q = p 2 for divisibility. 2 Give (u, v) a nice distrib: use r Gaussian(Z m ). Then (u, v) is itself an LWE s sample. [R 05,GPV 08] No! Also no!
62 17 / 19 Self-Reference! An Observation With (u = Ar, v = b, r ), the ciphertext (u = u q p e 1, v) decrypts as v u, s (s 1 mod p) q p. But: is (u, v) distributed the same as (u, v ) Enc(s 1 mod p)? And does s 1 Z q fit into the message space Z p? Modifying the Scheme 1 Use q = p 2 for divisibility. 2 Give (u, v) a nice distrib: use r Gaussian(Z m ). Then (u, v) is itself an LWE s sample. [R 05,GPV 08] (And for security, (u, v) is still uniform when (A, b) is uniform.) No! Also no!
63 17 / 19 Self-Reference! An Observation With (u = Ar, v = b, r ), the ciphertext (u = u q p e 1, v) decrypts as v u, s (s 1 mod p) q p. But: is (u, v) distributed the same as (u, v ) Enc(s 1 mod p)? And does s 1 Z q fit into the message space Z p? Modifying the Scheme 1 Use q = p 2 for divisibility. 2 Give (u, v) a nice distrib: use r Gaussian(Z m ). Then (u, v) is itself an LWE s sample. [R 05,GPV 08] (And for security, (u, v) is still uniform when (A, b) is uniform.) No! Also no! 3 Use a Gaussian secret s, so each s i ( p 2, p 2 ): self-reference!
64 17 / 19 Self-Reference! An Observation With (u = Ar, v = b, r ), the ciphertext (u = u q p e 1, v) decrypts as v u, s (s 1 mod p) q p. But: is (u, v) distributed the same as (u, v ) Enc(s 1 mod p)? And does s 1 Z q fit into the message space Z p? Modifying the Scheme 1 Use q = p 2 for divisibility. 2 Give (u, v) a nice distrib: use r Gaussian(Z m ). Then (u, v) is itself an LWE s sample. [R 05,GPV 08] (And for security, (u, v) is still uniform when (A, b) is uniform.) No! Also no! 3 Use a Gaussian secret s, so each s i ( p 2, p 2 ): self-reference!?? But is it secure to use such an s??
65 18 / 19 LWE with Gaussian Secret Transform LWE s (for arbitrary s) into LWE e for Gaussian secret e: Given the source LWE s of samples (a i, b i = a i, s + e i ),
66 18 / 19 LWE with Gaussian Secret Transform LWE s (for arbitrary s) into LWE e for Gaussian secret e: Given the source LWE s of samples (a i, b i = a i, s + e i ), 1 Draw n samples (A, b = A t s + e) so that A is invertible mod q.
67 18 / 19 LWE with Gaussian Secret Transform LWE s (for arbitrary s) into LWE e for Gaussian secret e: Given the source LWE s of samples (a i, b i = a i, s + e i ), 1 Draw n samples (A, b = A t s + e) so that A is invertible mod q. 2 Draw and transform fresh samples: (a, b) (a = A 1 a, b + a, b ) = (a, a, s + e A 1 a, A t s + a, e ) = (a, a, e + e).
68 18 / 19 LWE with Gaussian Secret Transform LWE s (for arbitrary s) into LWE e for Gaussian secret e: Given the source LWE s of samples (a i, b i = a i, s + e i ), 1 Draw n samples (A, b = A t s + e) so that A is invertible mod q. 2 Draw and transform fresh samples: (a, b) (a = A 1 a, b + a, b ) = (a, a, s + e A 1 a, A t s + a, e ) = (a, a, e + e). (Also maps uniform samples (a, b) to uniform (a, b )).
69 18 / 19 LWE with Gaussian Secret Transform LWE s (for arbitrary s) into LWE e for Gaussian secret e: Given the source LWE s of samples (a i, b i = a i, s + e i ), 1 Draw n samples (A, b = A t s + e) so that A is invertible mod q. 2 Draw and transform fresh samples: (a, b) (a = A 1 a, b + a, b ) = (a, a, s + e A 1 a, A t s + a, e ) = (a, a, e + e). (Also maps uniform samples (a, b) to uniform (a, b )). Clique & Affine Security (Again, For Free) Repeating transform produces ind. sources LWE e1, LWE e2,... Side effect: a known affine relation between unknowns s and e i. This lets us create Enc pki (affine(e j )) for any i, j.
70 19 / 19 Final Words The simple, linear structure of lattice-based encryption allows for many enhancements. There is much more to be done!
71 19 / 19 Final Words The simple, linear structure of lattice-based encryption allows for many enhancements. There is much more to be done! Thanks!
Lossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationFast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems
Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton University, Georgia Tech, SRI international,
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationBounded Key-Dependent Message Security
Bounded Key-Dependent Message Security Boaz Barak Iftach Haitner Dennis Hofheinz Yuval Ishai October 21, 2009 Abstract We construct the first public-key encryption scheme that is proven secure (in the
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationPublic-Key Cryptosystems from the Worst-Case Shortest Vector Problem. Chris Peikert Georgia Tech
1 / 14 Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert Georgia Tech Computer Security & Cryptography Workshop 12 April 2010 2 / 14 Talk Outline 1 State of Lattice-Based
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationLattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationTrapdoors for Lattices: Simpler, Tighter, Faster, Smaller
Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech April 2012 1 / 16 Lattice-Based Cryptography y = g x mod p m e mod N e(g a,
More informationFully Bideniable Interactive Encryption
Fully Bideniable Interactive Encryption Ran Canetti Sunoo Park Oxana Poburinnaya January 1, 19 Abstract While standard encryption guarantees secrecy of the encrypted plaintext only against an attacker
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationPublic-Key Encryption
Public-Key Encryption 601.642/442: Modern Cryptography Fall 2017 601.642/442: Modern Cryptography Public-Key Encryption Fall 2017 1 / 14 The Setting Alice and Bob don t share any secret Alice wants to
More informationChosen-Ciphertext Security from Subset Sum
Chosen-Ciphertext Security from Subset Sum Sebastian Faust 1, Daniel Masny 1, and Daniele Venturi 2 1 Horst-Görtz Institute for IT Security and Faculty of Mathematics, Ruhr-Universität Bochum, Bochum,
More informationOn Minimal Assumptions for Sender-Deniable Public Key Encryption
On Minimal Assumptions for Sender-Deniable Public Key Encryption Dana Dachman-Soled University of Maryland danadach@ece.umd.edu Abstract. The primitive of deniable encryption was introduced by Canetti
More informationIdeal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015
Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationi-hop Homomorphic Encryption Schemes
i-hop Homomorphic Encryption Schemes Craig Gentry Shai Halevi Vinod Vaikuntanathan March 12, 2010 Abstract A homomorphic encryption scheme enables computing on encrypted data by means of a public evaluation
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationTrapdoor functions from the Computational Diffie-Hellman Assumption
Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad Hajiabadi 1,2 1 University of California, Berkeley 2 University of Virginia August 22, 2018 1 / 18 Classical Public-Key
More informationCOS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7
COS 597C: Recent Developments in Program Obfuscation Lecture 7 10/06/16 Lecturer: Mark Zhandry Princeton University Scribe: Jordan Tran Notes for Lecture 7 1 Introduction In this lecture, we show how to
More informationCS Topics in Cryptography January 28, Lecture 5
CS 4501-6501 Topics in Cryptography January 28, 2015 Lecture 5 Lecturer: Mohammad Mahmoody Scribe: Ameer Mohammed 1 Learning with Errors: Motivation An important goal in cryptography is to find problems
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More information6.892 Computing on Encrypted Data September 16, Lecture 2
6.89 Computing on Encrypted Data September 16, 013 Lecture Lecturer: Vinod Vaikuntanathan Scribe: Britt Cyr In this lecture, we will define the learning with errors (LWE) problem, show an euivalence between
More informationBounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts
Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts Stefano Tessaro (UC Santa Barbara) David A. Wilson (MIT) Bounded-Collusion IBE from Semantically-Secure
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationEvaluating 2-DNF Formulas on Ciphertexts
Evaluating 2-DNF Formulas on Ciphertexts Dan Boneh, Eu-Jin Goh, and Kobbi Nissim Theory of Cryptography Conference 2005 Homomorphic Encryption Enc. scheme is homomorphic to function f if from E[A], E[B],
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationBuilding Lossy Trapdoor Functions from Lossy Encryption
Building Lossy Trapdoor Functions from Lossy Encryption Brett Hemenway Rafail Ostrovsky February 24, 2015 Abstract Injective one-way trapdoor functions are one of the most fundamental cryptographic primitives.
More informationReport on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
More informationPseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions
Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions Crypto 2011 Daniele Micciancio Petros Mol August 17, 2011 1 Learning With Errors (LWE) secret public: integers n,
More informationLecture 22: RSA Encryption. RSA Encryption
Lecture 22: Recall: RSA Assumption We pick two primes uniformly and independently at random p, q $ P n We define N = p q We shall work over the group (Z N, ), where Z N is the set of all natural numbers
More informationThe Cramer-Shoup Cryptosystem
The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationCandidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.
UNIVERSITY OF EAST ANGLIA School of Mathematics May/June UG Examination 2010 2011 CRYPTOGRAPHY Time allowed: 2 hours Attempt THREE questions. Candidates must show on each answer book the type of calculator
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationLecture 7: ElGamal and Discrete Logarithms
Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 2006-02-07 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that
More informationADVERTISING AGGREGATIONARCHITECTURE
SOMAR LAPS PRIVACY-PRESERVING LATTICE-BASED PRIVATE-STREAM SOCIAL MEDIA ADVERTISING AGGREGATIONARCHITECTURE OR: HOW NOT TO LEAVE YOUR PERSONAL DATA AROUND REVISITING PRIVATE-STREAM AGGREGATION: LATTICE-BASED
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationLow Noise LPN: KDM Secure Public Key Encryption and Sample Amplification
Low Noise LPN: KDM Secure Public Key Encryption and Sample Amplification Nico Döttling Dept. of Computer Science, Aarhus University January 1, 015 Abstract Cryptographic schemes based on the Learning Parity
More informationMultiparty Computation
Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:
More informationPublic-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP
Public-Key Cryptography Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP Diffie-Hellman Key-exchange Secure under DDH: (g x,g x,g xy ) (g x,g x,g r ) Random x {0,..,
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationA Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM
A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM Paulo S. L. M. Barreto Bernardo David Rafael Dowsley Kirill Morozov Anderson C. A. Nascimento Abstract Oblivious Transfer
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More informationPost-quantum key exchange for the Internet based on lattices
Post-quantum key exchange for the Internet based on lattices Craig Costello Talk at MSR India Bangalore, India December 21, 2016 Based on J. Bos, C. Costello, M. Naehrig, D. Stebila Post-Quantum Key Exchange
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationBuilding Injective Trapdoor Functions From Oblivious Transfer
Electronic Colloquium on Computational Complexity, Report No. 127 (2010) Building Injective Trapdoor Functions From Oblivious Transfer Brett Hemenway and Rafail Ostrovsky August 9, 2010 Abstract Injective
More informationBlack-box circular-secure encryption beyond affine functions
Black-box circular-secure encryption beyond affine functions The MIT Faculty has made this article openly available. Please share how this access benefits you. Your story matters. Citation As Published
More informationCryptography and Security Midterm Exam
Cryptography and Security Midterm Exam Serge Vaudenay 23.11.2017 duration: 1h45 no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationEl Gamal A DDH based encryption scheme. Table of contents
El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues The El Gamal encryption
More informationNotes for Lecture Decision Diffie Hellman and Quadratic Residues
U.C. Berkeley CS276: Cryptography Handout N19 Luca Trevisan March 31, 2009 Notes for Lecture 19 Scribed by Cynthia Sturton, posted May 1, 2009 Summary Today we continue to discuss number-theoretic constructions
More informationDual Projective Hashing and its Applications Lossy Trapdoor Functions and More
Dual Projective Hashing and its Applications Lossy Trapdoor Functions and More Hoeteck Wee George Washington University hoeteck@gwu.edu Abstract. We introduce the notion of dual projective hashing. This
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More informationRecent Advances in Identity-based Encryption Pairing-free Constructions
Fields Institute Workshop on New Directions in Cryptography 1 Recent Advances in Identity-based Encryption Pairing-free Constructions Kenny Paterson kenny.paterson@rhul.ac.uk June 25th 2008 Fields Institute
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019
Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationTutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction
Tutorial on Quantum Computing Vwani P. Roychowdhury Lecture 1: Introduction 1 & ) &! # Fundamentals Qubits A single qubit is a two state system, such as a two level atom we denote two orthogonal states
More informationEfficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply
CIS 2018 Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply Claudio Orlandi, Aarhus University Circuit Evaluation 3) Multiplication? How to compute [z]=[xy]? Alice, Bob
More informationDeniable Attribute Based Encryption for Branching Programs from LWE
Deniable Attribute Based Encryption for Branching Programs from LWE Daniel Apon Xiong Fan Feng-Hao Liu Abstract Deniable encryption (Canetti et al. CRYPTO 97) is an intriguing primitive that provides a
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More informationSecure and Practical Identity-Based Encryption
Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationOverview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017
CSC 580 Cryptography and Computer Security Math for Public Key Crypto, RSA, and Diffie-Hellman (Sections 2.4-2.6, 2.8, 9.2, 10.1-10.2) March 21, 2017 Overview Today: Math needed for basic public-key crypto
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Finite Fields The finite field GF(q) exists iff q = p e for some prime p. Example: GF(9) GF(9) = {a + bi a, b Z 3, i 2 = i + 1} = {0, 1, 2, i, 1+i, 2+i, 2i, 1+2i, 2+2i} Addition:
More information14 Diffie-Hellman Key Agreement
14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n
More informationCS 395T. Probabilistic Polynomial-Time Calculus
CS 395T Probabilistic Polynomial-Time Calculus Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is
More informationGreat Theoretical Ideas in Computer Science
15-251 Great Theoretical Ideas in Computer Science Lecture 22: Cryptography November 12th, 2015 What is cryptography about? Adversary Eavesdropper I will cut your throat I will cut your throat What is
More informationPublic Key Cryptography
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Public Key Cryptography EECE 412 1 What is it? Two keys Sender uses recipient s public key to encrypt Receiver uses his private key to decrypt
More informationNumber Theory & Modern Cryptography
Number Theory & Modern Cryptography Week 12 Stallings: Ch 4, 8, 9, 10 CNT-4403: 2.April.2015 1 Introduction Increasing importance in cryptography Public Key Crypto and Signatures Concern operations on
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018
Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More information1 Basic Number Theory
ECS 228 (Franklin), Winter 2013, Crypto Review 1 Basic Number Theory This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More information