Security of Symmetric Primitives under Incorrect Usage of Keys
|
|
- Holly Crawford
- 5 years ago
- Views:
Transcription
1 Security of Symmetric Primitives under Incorrect Usage of Keys Pooya Farshim 1 Claudio Orlandi 2 Răzvan Roşie 1 1 ENS, CNRS, INRIA & PSL Research University, Paris, France 2 Aarhus University, Aarhus, Denmark FSE 2017, Tokyo, Japan 8 th March 2017 P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 1 / 33
2 Key-Robustness in a Nutshell Robustness: ciphertext can t be decrypted under two different keys. PKC13: robustness for PKE & IBE revisited by Farshim et al. AC10: Mohassel extends robustness to Hybrid Encryption. TCC10: robustness introduced for PKE & IBE by Abdalla et al. P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 2 / 33
3 Key-Robustness in a Nutshell Robustness: ciphertext can t be decrypted under two different keys. Dec Vulnerable channel C Dec Alice Bob
4 Key-Robustness in a Nutshell Robustness: ciphertext can t be decrypted under two different keys. Dec Vulnerable channel C Dec Alice C Bob K 1 K 2 Eve P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 3 / 33
5 Motivating Key-Robustness - Example 1 Digital Signatures from Symmetric Encryption: sk (K, s) pk Enc(K, s) contains the Symm. Enc. of s. σ (PRF(s, M), π) PRF evaluation + ZK proof for correctness. Is the scheme unforgeable? P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 4 / 33
6 Motivating Key-Robustness - Example 1 Digital Signatures from Symmetric Encryption: sk (K, s) pk Enc(K, s) contains the Symm. Enc. of s. σ (PRF(s, M), π) PRF evaluation + ZK proof for correctness. Is the scheme unforgeable? Enc(K, s) = Enc(K, s ) = FORGE P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 4 / 33
7 Motivating Key Robustness - Example 2 CBC-MAC: m 0 m 1 m 2 m t 1 0 E K E K E K E K T P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 5 / 33
8 Motivating Key Robustness - Example 2 CBC-MAC: (m 0, m 0 ) (m 1, m 1 ) (m 2, m 2 ) (m t 1, m t 1 ) 0 E K E K E K E K T MAC(K, M) = MAC(K, M ) = T P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 6 / 33
9 Definitional Landscape Complete Robustness (CROB): adversarially generated K 1, K 2. Goal: find C decryptable under K 1, K 2. CROB security: 1. (C, K 1 K 2 ) A 2. Dec(K 1, C) 3. Dec(K 2, C) P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 7 / 33
10 Definitional Landscape Strong Robustness (SROB): honestly generated K 1, K 2. Goal: find C decryptable under K 1, K 2. CROB SROB 1. (C, K 1 K 2 ) A 1. C A Enc,Dec 2. Dec(K 1, C) 3. Dec(K 2, C) P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 8 / 33
11 Definitional Landscape CROB SROB P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 9 / 33
12 Definitional Landscape AE-secure scheme = SROB-secure. CROB SROB AE P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 10 / 33
13 Definitional Landscape AE-secure scheme CROB-secure. CROB SROB AE P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 11 / 33
14 Definitional Landscape - MACs CROB SROB 1. (T, M 1, M 2, K 1 K 2 ) A 1. (T, M 1, M 2 ) A Tag,Ver 2. Ver(K 1, M 1, T ) = 1 3. Ver(K 2, M 2, T ) = 1 P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 12 / 33
15 Definitional Landscape - MACs SUF-secure MAC scheme = SROB-secure. CROB SROB SUF P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 13 / 33
16 The Big Picture FROB CROB XROB SFROB KROB SROB P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 14 / 33
17 Generic Composition Same Keys: Enc-Then-MAC is CROB Enc is CROB OR MAC is CROB Enc-And-MAC is CROB MAC-Then-Enc is CROB Different Keys: Enc-Then-MAC is CROB Enc is CROB AND MAC is CROB Enc-And-MAC is CROB MAC-Then-Enc is CROB P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 15 / 33
18 Generic Composition Proof intuition (Enc-Then-Mac): A outputs a CROB winning tuple (C T, K e1 K m1, K e2 K m2 ). K e1 K m1 K e2 K m2 M 1 Enc MAC M 2 Enc MAC Case K e1 K e2 : (C, K e1, K e2 ) wins CROB against Enc. Case K m1 K m2 : (T, K m1, C, K m2, C) wins CROB against MAC. P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 16 / 33
19 Generic Composition Proof intuition. A outputs a CROB winning tuple (C T, K e1 K m1, K e2 K m2 ). K m1 K m2 C MAC C MAC Case K e1 K e2 : (C, K e1, K e2 ) wins CROB against Enc. Case K m1 K m2 : (T, K m1, C, K m2, C) wins CROB against MAC. P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 17 / 33
20 CROB AE in the RO Model Instantiate a CROB MAC: MAC(K, M) := RO(K, M). Same-Key: Enc-Then-Mac via a CROB MAC. P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 18 / 33
21 CROB AE in the RO Model Instantiate a CROB MAC: MAC(K, M) := RO(K, M). Same-Key: Enc-Then-Mac via a CROB MAC. Different-Keys: authenticate the encryption key. Enc((K e K m ), M): C Enc(K e, M) T RO(K m, (C K e )) return (C, T ) AE-security CROB P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 18 / 33
22 CROB AE in the Standard Model Idea: construct a CROB secure MAC in the Standard Model. First attempt: Enc((K e K m ), M): C Enc(K e, M) T MAC(K m, (C K e )) return (C, T ) Issue: pseudorandomness for MAC. P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 19 / 33
23 CROB AE in the Standard Model Idea: construct a CR-PRF in the Standard Model. Second attempt: Enc((K e K m ), M): C Enc(K e, M) T PRF(K m, (C K e )) return (C, T ) Issue: ensure the PRF is Collision-Resistant. P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 20 / 33
24 Collision-Resistant PRFs in the Standard Model Collision-Resistant PRF: PRF(K 1, M 1 ) = PRF(K 2, M 2 ) = (K 1, M 1 ) = (K 2, M 2 ) Key-Injective PRF: PRF(K 1, M) = PRF(K 2, M) K 1 = K 2 Right-Injective PRG: PRG RHS (K 1 ) = PRG RHS (K 2 ) K 1 = K 2 P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 21 / 33
25 Collision-Resistant PRFs in the Standard Model Construction for Collision-Resistant PRF: PRF(K, M): (K 1 K 2 ) PRG(K ) C 1 PRP(K 1, M) C 2 PRF(K 2, C 1 ) return (C 1 C 2 ) Collision-Resistant PRF: PRF(K, M) = PRF(K, M ) = (K, M) = (K, M ) P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 22 / 33
26 Collision-Resistant PRFs in the Standard Model Construction for Collision-Resistant PRF: PRF(K, M): (K 1 K 2 ) PRG(K ) C 1 PRP(K 1, M) C 2 PRF(K 2, C 1 ) return (C 1 C 2 ) Proof intuition: Step 1 - Key-Injective PRF: PRF(K 2, C 1 ) = PRF(K 2, C 1) K 2 = K 2 P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 23 / 33
27 Collision-Resistant PRFs in the Standard Model Construction for Collision-Resistant PRF: PRF(K, M): (K 1 K 2 ) PRG(K ) C 1 PRP(K 1, M) C 2 PRF(K 2, C 1 ) return (C 1 C 2 ) Proof intuition: Step 2 - Right-Injective PRG: PRG RHS (K ) = PRG RHS (K ) K = K P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 24 / 33
28 Collision-Resistant PRFs in the Standard Model Construction for Collision-Resistant PRF: PRF(K, M): (K 1 K 2 ) PRG(K ) C 1 PRP(K 1, M) C 2 PRF(K 2, C 1 ) return (C 1 C 2 ) Proof intuition: Step 3 - Permutation: PRP(K 1, M) = PRP(K 1, M ) M = M P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 25 / 33
29 Right-Injective PRGs Building-block 1: a right injective PRG. Use the construction by Yao: PRG(x) := HC(x) HC(π(x))... HC(π x 1 (x)) π x (x) }{{}}{{} Left Part Right Part π is a pseudorandom permutation. HC is a hardcore predicate. P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 26 / 33
30 Key-Injective PRFs Building-block 2: a Key-Injective PRF via the GGM construction. Open problems: more efficient constructions from weaker assumptions. P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 27 / 33
31 Left/Right Collision-Resistant PRGs Building-block 3: length doubling Left/Right Collision-Resistant PRGs. PRG LHalf (K ) = PRG LHalf (K ) K = K AND PRG RHalf (K ) = PRG RHalf (K ) K = K Example: G(x 1, x 2, x 3 ) := ( (g x 1, g x 1x 2, g x 2x 3 ), (g x 2, g x 1x 3, g x 3) ) P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 28 / 33
32 CROB transforms in the Standard Model Analogue of the ABN transform in the symmetric setting: MAC key is generated on the fly. MAC is collision-resistant. Definition Enc(K e, M): K m Gen m (1 λ ) (K 1 e K 2 e ) PRG(K e ) C Enc(K 1 e, (M K m )) T Tag(K m, (C K 2 e )) return (C T ) P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 29 / 33
33 Summary Robustness: { AE: ciphertext can t be decrypted wrt. different keys. MAC: tag can t be validated under two different keys. 1 What goes wrong if the keys are adversarially generated. 2 Level of robustness achieved by AE/MAC schemes. 3 Generic transforms of AE schemes into CROB AE schemes. 4 How to construct collision-resistant PRFs P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 30 / 33
34 Summary Robustness: { AE: ciphertext can t be decrypted wrt. different keys. MAC: tag can t be validated under two different keys. 1 What goes wrong if the keys are adversarially generated. 2 Level of robustness achieved by AE/MAC schemes. 3 Generic transforms of AE schemes into CROB AE schemes. 4 How to construct collision-resistant PRFs P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 30 / 33
35 Motivating Key-Robustness - Example 3 Oblivious-Transfer protocol: x 1 = (K 2, K 3 ) x 2 = (K 1, K 3 ) x 3 = (K 1, K 2 ) OT 1 i x i C 1 = Enc(K 1, M 1 ) C 2 = Enc(K 2, M 2 ) C 3 = Enc(K 3, M 3 ) OT 2 C j j P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 31 / 33
36 Motivating Key-Robustness - Example 3 Oblivious-Transfer protocol: Malicious sender i = 1 x 1 = (K 2, K ) x 2 = (K 1, K 3 ) x 3 = (K 1, K 2 ) OT 1 x i Dec(K, C 3 ) = M C 1 = Enc(K 1, M 1 ) C 2 = Enc(K 2, M 2 ) C 3 = Enc(K 3, M 3 ) OT 2 C j j = 3 P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 32 / 33
37 Motivating Key-Robustness - Example 3 Oblivious-Transfer protocol: Malicious sender i = 2 x 1 = (K 2, K ) x 2 = (K 1, K 3 ) x 3 = (K 1, K 2 ) OT 1 x i Dec(K 3, C 3 ) = M 3 C 1 = Enc(K 1, M 1 ) C 2 = Enc(K 2, M 2 ) C 3 = Enc(K 3, M 3 ) OT 2 C j j = 3 P. Farshim, C. Orlandi, R. Roşie Security of Symmetric Primitives under Incorrect Usage of Keys 33 / 33
Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationEfficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply
CIS 2018 Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply Claudio Orlandi, Aarhus University Circuit Evaluation 3) Multiplication? How to compute [z]=[xy]? Alice, Bob
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationU.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6
U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationDoubly half-injective PRGs for incompressible white-box cryptography
SESSION ID: CRYP-W02 Doubly half-injective PRGs for incompressible white-box cryptography Estuardo Alpirez Bock Aalto University, Finland Alessandro Amadori, Joppe W. Bos, Chris Brzuska, Wil Michiels White-box
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationSECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL. Mark Zhandry Stanford University
SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL Mark Zhandry Stanford University Random Oracle Model (ROM) Sometimes, we can t prove a scheme secure in the standard model. Instead,
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously Digital Signatures Algorithms: Gen() à (sk,pk) Sign(sk,m) à σ Ver(pk,m,σ) à 0/1 Correctness: Pr[Ver(pk,m,Sign(sk,m))=1:
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationA New Approach to Practical Active-Secure Two-Party Computation
A New Approach to Practical Active-Secure Two-Party Computation Jesper Buus Nielsen 1, Peter Sebastian Nordholt 1, Claudio Orlandi 1, Sai Sheshank Burra 2 1 Aarhus University, Denmark 2 Indian Institute
More informationMASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer
MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer Tore Frederiksen Emmanuela Orsini Marcel Keller Peter Scholl Aarhus University University of Bristol 31 May 2016 Secure Multiparty
More informationSecure Signatures and Chosen Ciphertext Security in a Post-Quantum World
Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World Dan Boneh Mark Zhandry Stanford University {dabo,zhandry}@cs.stanford.edu Abstract We initiate the study of quantum-secure digital
More informationFUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS. Elette Boyle Shafi Goldwasser Ioana Ivan
FUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS Elette Boyle Shafi Goldwasser Ioana Ivan Traditional Paradigm: All or Nothing Encryption [DH76] Given SK, can decrypt. Otherwise, can t distinguish encryptions
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationRobust Password- Protected Secret Sharing
Robust Password- Protected Secret Sharing Michel Abdalla, Mario Cornejo, Anca Niţulescu, David Pointcheval École Normale Supérieure, CNRS and INRIA, Paris, France R E S E A R C H UNIVERSITY PPSS: Motivation
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationPractice Exam Winter 2018, CS 485/585 Crypto March 14, 2018
Practice Exam Name: Winter 2018, CS 485/585 Crypto March 14, 2018 Portland State University Prof. Fang Song Instructions This exam contains 8 pages (including this cover page) and 5 questions. Total of
More informationMarch 19: Zero-Knowledge (cont.) and Signatures
March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o
More informationOblivious Transfer (OT) and OT Extension
Oblivious Transfer (OT) and OT Extension School on Secure Multiparty Computation Arpita Patra Arpita Patra Roadmap o Oblivious Transfer - Construction from `special PKE o OT Extension - IKNP OT extension
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationQuantum-secure symmetric-key cryptography based on Hidden Shifts
Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering
More informationHistorical cryptography. cryptography encryption main applications: military and diplomacy
Historical cryptography cryptography encryption main applications: military and diplomacy ancient times world war II Historical cryptography All historical cryptosystems badly broken! No clear understanding
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationOblivious Transfer and Secure Multi-Party Computation With Malicious Parties
CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More informationPerfectly-Crafted Swiss Army Knives in Theory
Perfectly-Crafted Swiss Army Knives in Theory Workshop Hash Functions in Cryptology * supported by Emmy Noether Program German Research Foundation (DFG) Hash Functions as a Universal Tool collision resistance
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019
Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationExtending Oblivious Transfers Efficiently
Extending Oblivious Transfers Efficiently Yuval Ishai Technion Joe Kilian Kobbi Nissim Erez Petrank NEC Microsoft Technion Motivation x y f(x,y) How (in)efficient is generic secure computation? myth don
More informationNotes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.
COS 533: Advanced Cryptography Lecture 9 (October 11, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Udaya Ghai Notes for Lecture 9 1 Last Time Last time, we introduced zero knowledge proofs
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationLecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers
1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationLecture 24: MAC for Arbitrary Length Messages. MAC Long Messages
Lecture 24: MAC for Arbitrary Length Messages Recall Previous lecture, we constructed MACs for fixed length messages The GGM Pseudo-random Function (PRF) Construction Given. Pseudo-random Generator (PRG)
More informationOn the CCA1-Security of Elgamal and Damgård s Elgamal
On the CCA1-Security of Elgamal and Damgård s Elgamal Cybernetica AS, Estonia Tallinn University, Estonia October 21, 2010 Outline I Motivation 1 Motivation 2 3 Motivation Three well-known security requirements
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationA New Approach to Practical Secure Two-Party Computation. Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank
A New Approach to Practical Secure Two-Party Computation Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank Secure Two-Party Computation Alice has an input a {0,1} * Bob has an input
More informationPr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]
Midterm Review Sheet The definition of a private-key encryption scheme. It s a tuple Π = ((K n,m n,c n ) n=1,gen,enc,dec) where - for each n N, K n,m n,c n are sets of bitstrings; [for a given value of
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018
Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationA Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM
A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM Paulo S. L. M. Barreto Bernardo David Rafael Dowsley Kirill Morozov Anderson C. A. Nascimento Abstract Oblivious Transfer
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More information1 Basic Number Theory
ECS 228 (Franklin), Winter 2013, Crypto Review 1 Basic Number Theory This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationA Posteriori Openable Public Key Encryption *
A Posteriori Openable Public Key Encryption * Xavier Bultel 1, Pascal Lafourcade 1, CNRS, UMR 6158, LIMOS, F-63173 Aubière, France Université Clermont Auvergne, LIMOS, BP 10448, 63000 Clermont-Ferrand,
More informationDigital Signatures. p1.
Digital Signatures p1. Digital Signatures Digital signature is the same as MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem. Message m MAC k (m) Message
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationStronger Security Variants of GCM-SIV
Stronger Security Variants of GCM-SIV Tetsu Iwata 1 Kazuhiko Minematsu 2 FSE 2017 Tokyo, Japan March 8 2017 Nagoya University, Japan NEC Corporation, Japan Supported in part by JSPS KAKENHI, Grant-in-Aid
More informationBasics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018
Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationOn Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)
On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan) Secure Multiparty Computation (MPC) Ideal World/ Functionality
More informationCodes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More informationNotes for Lecture 9. 1 Combining Encryption and Authentication
U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure
More informationMESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1
MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified
More informationLeakage-Resilient Public-Key Encryption from Obfuscation
Leakage-Resilient Public-Key Encryption from Obfuscation Dana Dachman-Soled S. Dov Gordon Feng-Hao Liu Adam O Neill Hong-Sheng Zhou July 25, 2016 Abstract The literature on leakage-resilient cryptography
More informationUnforgeable quantum encryption. Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! (Using AES with 128 bit block size in Galois Counter Mode and SHA2) Authenticated
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationDesign Paradigms for Building Multi-Property Hash Functions
Design Paradigms or Building Multi-Property Hash Functions Thomas Ristenpart UCSD Security and Cryptography Lab Lorentz Workshop June, 2008 Multi-property hash unctions One hash unction with many security
More informationEx1 Ex2 Ex3 Ex4 Ex5 Ex6
Technische Universität München (I7) Winter 2012/13 Dr. M. Luttenberger / M. Schlund Cryptography Endterm Last name: First name: Student ID no.: Signature: If you feel ill, let us know immediately. Please,
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between
More informationCOS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7
COS 597C: Recent Developments in Program Obfuscation Lecture 7 10/06/16 Lecturer: Mark Zhandry Princeton University Scribe: Jordan Tran Notes for Lecture 7 1 Introduction In this lecture, we show how to
More informationCryptographic Security of Macaroon Authorization Credentials
Cryptographic ecurity of Macaroon Authorization Credentials Adriana López-Alt New York University ecember 6, 2013 Abstract Macaroons, recently introduced by Birgisson et al. [BPUE + 14], are authorization
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationTHE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY
THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY Mark Zhandry - Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical
More informationProofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures
Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures G. Fuchsbauer D. Pointcheval École normale supérieure Pairing'09, 13.08.2009 Fuchsbauer, Pointcheval (ENS) Proofs
More informationPublic-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP
Public-Key Cryptography Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP Diffie-Hellman Key-exchange Secure under DDH: (g x,g x,g xy ) (g x,g x,g r ) Random x {0,..,
More informationG /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008
G22.3210-001/G63.2170 Introduction to Cryptography November 4, 2008 Lecture 10 Lecturer: Yevgeniy Dodis Fall 2008 Last time we defined several modes of operation for encryption. Today we prove their security,
More informationPattern Matching Encryption, Strategic Equivalence of Range Voting and Approval Voting, and Statistical Robustness of Voting Rules.
Pattern Matching Encryption, Strategic Equivalence of Range Voting and Approval Voting, and Statistical Robustness of Voting Rules by Emily Shen Submitted to the Department of Electrical Engineering and
More informationRandom Oracles in a Quantum World
Dan Boneh 1 Özgür Dagdelen 2 Marc Fischlin 2 Anja Lehmann 3 Christian Schaffner 4 Mark Zhandry 1 1 Stanford University, USA 2 CASED & Darmstadt University of Technology, Germany 3 IBM Research Zurich,
More informationLeftover Hash Lemma, Revisited
Leftover Hash Lemma, Revisited Boaz Barak Yevgeniy Dodis Hugo Krawczyk Olivier Pereira Krzysztof Pietrzak Francois-Xavier Standaert Yu Yu September 3, 2011 Abstract The famous Leftover Hash Lemma (LHL)
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which
More informationCSA E0 312: Secure Computation September 09, [Lecture 9-10]
CSA E0 312: Secure Computation September 09, 2015 Instructor: Arpita Patra [Lecture 9-10] Submitted by: Pratik Sarkar 1 Summary In this lecture we will introduce the concept of Public Key Samplability
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationMinimal Design for Decentralized Wallet. Omer Shlomovits
Minimal Design for Decentralized Wallet Omer Shlomovits 1 !2 Motivation Imagine we had a private key management system where: No single point of failure Move of assets (signing) cannot happen without Owner
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationChosen Plaintext Attacks (CPA)
Chosen Plaintext Attacks (CPA) Goals New Attacks! Chosen Plaintext Attacks (often CPA) is when Eve can choose to see some messages encoded. Formally she has Black Box for ENC k. We will: 1. Define Chosen
More informationMultiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011
Multiparty Computation from Somewhat Homomorphic Encryption Ivan Damgård 1 Valerio Pastro 1 Nigel Smart 2 Sarah Zakarias 1 1 Aarhus University 2 Bristol University CTIC 交互计算 November 9, 2011 Damgård, Pastro,
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationChosen-Ciphertext Security (I)
Chosen-Ciphertext Security (I) CS 601.442/642 Modern Cryptography Fall 2018 S 601.442/642 Modern Cryptography Chosen-Ciphertext Security (I) Fall 2018 1 / 20 Recall: Public-Key Encryption Syntax: Genp1
More information