Non- browser TLS Woes
|
|
- Joleen Price
- 5 years ago
- Views:
Transcription
1 Non- browser TLS Woes Dan Boneh Joint work with M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, and V. Shma?kov Proc. ACM CCS 2012
2 30 second summary Lots of non- browser systems using TLS: Payment gateway SDK, Mobile ads, Web services middleware, cloud client API, Developers use TLS through a higher level library: e.g. HRpClient, curl, Weberknecht, PHP, Python Problem 1: complex and confusing interfaces to TLS layer result: lots of improper server- side cert valida?on man in the middle vulnerabili?es Problem 2: lirle tes?ng of server- side cert. valida?on Should be part of QA tes?ng
3 Case studies: (1) PHP / curl binding PHP TLS binding: fsockopen( ssl:// ) : no server- side cert. valida?on curl binding: cert. verifica?on controlled by boolean CURLOPT_SSL_VERIFYPEER int CURLOPT_SSL_VERIFYHOST 0: no server- side cert valida?on 1: check the existence of a common name in server cert. 2: check common name in cert. matches provided hostname (default = 2) Very common mistake: CURLOPT_SSL_VERIFYPEER = true CURLOPT_SSL_VERIFYHOST = true We found four SDKs using it for SSL
4 Real World Crypto Workshop, Jan Instead: Recent Developments in Broadcast EncrypTon Dan Boneh Stanford University
5 Background: bilinear maps G, G 2 : finite cyclic groups of prime order q An admissible bilinear map e: G G G 2 is: Bilinear: e(g a, g b ) = e(g,g) ab a,b Z, g G Non- degenerate: g generates G 1 e(g,g) generates G 2 Efficiently computable Several examples where Dlog in G believed to be hard
6 Many ApplicaTons: enc., sigs., NIZK, Simplest example: BLS signatures [B- Lynn- Shacham 01] KeyGen: sk = rand. x in Z q, pk = g x G Sign(sk, m) H(m) x G verify(pk, m, sig) accept iff e(g, H(m) x ) = e(g x, H(m)) e(g, sig ) e(pk, H(m)) Thm: Existen?ally unforgeable under CDH in the RO model Beyond bilinear maps: k- linear maps [BS 03] k- linear map e: G G G G k non- degen. & efficient k hard Dlog in G Even more applica?ons. Can they be constructed?
7 k- linear maps: a recent breakthrough S. Garg, C. Gentry, S. Halevi ProperTes: (informal) The map x gx is randomized Representa?on of g G is O(k) bits BeRer than k- linear map: gradaton e1: G G G2 For our purposes: e2: G G2 G3 ek: G G Gk ek: G Gk Gk+1 e: Gk Gk G2k
8 Broadcast EncrypTon [Fiat- Naor 1993] Encrypt to arbitrary subsets S: d 1 c E(pk,S,m) S {1,,n} d 2 d 3 Security goal (informal): Full collusion resistance: secure even if all users in S c collude
9 Broadcast EncrypTon Public- key BE system: Setup(n) pub. key pk, master sec. key msk KeyGen( msk, j) d j (private key for user j) Enc( pk, S ) ct, k k used to encrypt msg for users S {1,, n} Dec( pk, d j, S, ct): If j S, output k Broadcast contains ( [S], ct, E SYM (k, msg) )
10 Broadcast EncrypTon: StaTc Security Seman?c security when users collude (sta?c adversary) challenger run Setup(n) pk, { d j j S } (ct, k 1 ) Enc( pk, S) k 0 K S {1,, n } (ct, k 0 ) or (ct, k 1 ) aracker b {0,1} Def: Adv[A] = Pr[ b is correct ] - ½ Security: poly-?me A: Adv[A] is negligible
11 Broadcast systems are everywhere File sharing in encrypted file systems (e.g. EFS): ACL file encrypted file system d Bob file d Ned Encrypted mail system: recipients mail mail system d Bob mail d Ned Social networks: privately send message to a group
12 ConstrucTons small sets Subs. Service revoca?on 0 n DVD players ct sk pk The trivial system: O( S ) O(1) O(n) Revoca?on schemes: O(n- S ) O(log n) O(1) [ NNL,HS,GST, LSW,DPP, ] Can we have O(1) size ciphertext for all sets S?? The BGW system: O(1) O(1) O(n) [B- Gentry- Waters 05]
13 The BGW system Setup(n): g G, α, msk Z q, def: g k = g (αk ) pk = ( g, g 1, g 2,, g n, g n+2,, g 2n, v=g msk ) G 2n+1 hole KeyGen( msk, j) d j = (g j ) msk G Enc(pk, S): t Z q ct = ( g t, (v Π j S g n+1-j ) t ), key = e(g n,g 1 ) t
14 Security Thm: BGW is sta?cally secure for n users in a bilinear group where n- DDHE assump?on holds n- DDHE: for rand. g,h G, α Z q, R G 2 : p [ h, g, g α, g ( α 2),,g ( α n), g ( α n+2),,g ( α 2n ), e(g,h) ( α n+1 ) ] [ h, g, g α, g (α2),,g (αn), g (αn+2),,g (α2n ), R ]
15 Extensions, VariaTons, Improvements AdapTve security: [GW 10, PPSS 12, ] Adversary can adap?vely select what keys to request IdenTty- based: [SF 07, D 07, GW 10, ] Smaller pubic key size: pk = O( maximal S ) Set of all users can be {0, 1, 2, 3,, } Chosen ciphertext secure: [BGW 05, PPSS 12, ] Trace & revoke: [BW 06]
16 BGW using (log n)- linear map Recall: BGW Setup(n): g G, α, msk Z q. pk: g, g α, g ( α 2),, g ( α n), g ( α n+2),,g ( α 2n ), v=g msk Suppose: e k : G G G k ; e: G k G k G 2k Set pk as: ( #users 2 k- 1 ) g, g α, g (α2 ), g (α4 ), g ( α (22k ) ), g ( α (22k+1 ) ), v=g k msk Using 2k- linear map : can build all needed elements in pk but for rand. h G cannot build e(g,,g,h) ( α (22k - 1) ) G 2k
17 BGW using (log n)- linear map ct sk pk Bilinear BGW: O(1) O(1) O(n) [B- Gentry- Waters 05] (log n)- linear BGW: O(log n) O(log n) O(log 2 n) Open ques?ons: Same parameters without k- linear maps?? O(1) size ct from standard lazce assump?ons (LWE)??
18 Summary Many open problems in broadcast encryp?on: O(log n) size ciphertext & secret keys from LWE? O(log n) size ct, sk, and pub- key w/o k- linear maps? Distributed BE with sub- linear ciphertext?
Applied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationIdentity Based Encryption
Bilinear Pairings in Cryptography: Identity Based Encryption Dan Boneh Stanford University Recall: Pub-Key Encryption (PKE) PKE Three algorithms : (G, E, D) G(λ) (pk,sk) outputs pub-key and secret-key
More informationShort Signatures Without Random Oracles
Short Signatures Without Random Oracles Dan Boneh and Xavier Boyen (presented by Aleksandr Yampolskiy) Outline Motivation Preliminaries Secure short signature Extensions Conclusion Why signatures without
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationDéjà Q All Over Again
Royal Holloway, February 2017 1/43 Bilinear Groups and Assumptions Reductions Symmetric Schemes Conclusions Déjà Q All Over Again Melissa Chase 1 Mary Maller 2 1 MSR Redmond Sarah Meiklejohn 2 2 University
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationEfficient Identity-based Encryption Without Random Oracles
Efficient Identity-based Encryption Without Random Oracles Brent Waters Weiwei Liu School of Computer Science and Software Engineering 1/32 Weiwei Liu Efficient Identity-based Encryption Without Random
More informationFully Homomorphic Encryption from LWE
Fully Homomorphic Encryption from LWE Based on joint works with: Zvika Brakerski (Stanford) Vinod Vaikuntanathan (University of Toronto) Craig Gentry (IBM) Post-Quantum Webinar, November 2011 Outsourcing
More informationOnline Cryptography Course. Message integrity. Message Auth. Codes. Dan Boneh
Online Cryptography Course Message integrity Message Auth. Codes Message Integrity Goal: integrity, no confiden>ality. Examples: Protec>ng public binaries on disk. Protec>ng banner ads on web pages. Message
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationCONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS
CONSRUCIONS SECURE AGAINS RECEIVER SELECIVE OPENING AND CHOSEN CIPHEREX AACKS Dingding Jia, Xianhui Lu, Bao Li jiadingding@iie.ac.cn C-RSA 2017 02-17 Outline Background Motivation Our contribution Existence:
More informationEvaluating 2-DNF Formulas on Ciphertexts
Evaluating 2-DNF Formulas on Ciphertexts Dan Boneh, Eu-Jin Goh, and Kobbi Nissim Theory of Cryptography Conference 2005 Homomorphic Encryption Enc. scheme is homomorphic to function f if from E[A], E[B],
More informationEfficient Identity-Based Encryption Without Random Oracles
Efficient Identity-Based Encryption Without Random Oracles Brent Waters Abstract We present the first efficient Identity-Based Encryption (IBE) scheme that is fully secure without random oracles. We first
More informationBounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts
Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts Stefano Tessaro (UC Santa Barbara) David A. Wilson (MIT) Bounded-Collusion IBE from Semantically-Secure
More informationIdentity-based encryption
Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationAttribute-Based Encryption Optimized for Cloud Computing
ttribute-based Encryption Optimized for Cloud Computing Máté Horváth 27 January 1 / 17 Roadmap 1 Encryption in the Cloud 2 User Revocation 3 Background 4 The Proposed Scheme 5 Conclusion 2 / 17 Traditional
More informationSearchable encryption & Anonymous encryption
Searchable encryption & Anonymous encryption Michel Abdalla ENS & CNS February 17, 2014 MPI - Course 2-12-1 Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, 2014 1 /
More informationResistance to Pirates 2.0: A Method from Leakage Resilient Cryptography
Resistance to Pirates 2.0: A Method from Leakage Resilient Cryptography Duong Hieu Phan 1,2 and Viet Cuong Trinh 1 1 LAGA, University of Paris 8 2 ENS / CNRS / INRIA Abstract. In the classical model of
More informationPublic Key Broadcast Encryption with Low Number of Keys and Constant Decryption Time
Public Key Broadcast Encryption with Low Number of Keys and Constant Decryption Time Yi-Ru Liu, Wen-Guey Tzeng Department of Computer Science National Chiao Tung University Hsinchu, Taiwan 30050 Email:
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationCryptography from Pairings
DIAMANT/EIDMA Symposium, May 31st/June 1st 2007 1 Cryptography from Pairings Kenny Paterson kenny.paterson@rhul.ac.uk May 31st 2007 DIAMANT/EIDMA Symposium, May 31st/June 1st 2007 2 The Pairings Explosion
More informationLesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search
Lesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search November 3, 2014 teacher : Benoît Libert scribe : Florent Bréhard Key-Policy Attribute-Based Encryption (KP-ABE)
More informationFoundations. P =! NP oneway function signature schemes Trapdoor oneway function PKC, IBS IBE
Foundations P =! NP oneway function signature schemes Trapdoor oneway function PKC, IBS IBE NP problems: IF, DL, Knapsack Hardness of these problems implies the security of cryptosytems? 2 Relations of
More informationConstrained Pseudorandom Functions and Their Applications
Constrained Pseudorandom Functions and Their Applications Dan Boneh dabo@cs.stanford.edu Brent Waters bwaters@cs.utexas.edu September 9, 2013 Abstract We put forward a new notion of pseudorandom functions
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationComputing with Encrypted Data Lecture 26
Computing with Encrypted Data 6.857 Lecture 26 Encryption for Secure Communication M Message M All-or-nothing Have Private Key, Can Decrypt No Private Key, No Go cf. Non-malleable Encryption Encryption
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationSecure and Practical Identity-Based Encryption
Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.
More informationPairing-Based Cryptography An Introduction
ECRYPT Summer School Samos 1 Pairing-Based Cryptography An Introduction Kenny Paterson kenny.paterson@rhul.ac.uk May 4th 2007 ECRYPT Summer School Samos 2 The Pairings Explosion Pairings originally used
More informationFrom Minicrypt to Obfustopia via Private-Key Functional Encryption
From Minicrypt to Obfustopia via Private-Key Functional Encryption Ilan Komargodski Weizmann Institute of Science Joint work with Gil Segev (Hebrew University) Functional Encryption [Sahai-Waters 05] Enc
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research Computing on Encrypted Data
More informationPractical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles
Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles Man Ho Au 1, Joseph K. Liu 2, Tsz Hon Yuen 3, and Duncan S. Wong 4 1 Centre for Information Security Research
More informationi-hop Homomorphic Encryption Schemes
i-hop Homomorphic Encryption Schemes Craig Gentry Shai Halevi Vinod Vaikuntanathan March 12, 2010 Abstract A homomorphic encryption scheme enables computing on encrypted data by means of a public evaluation
More informationPractice Exam Winter 2018, CS 485/585 Crypto March 14, 2018
Practice Exam Name: Winter 2018, CS 485/585 Crypto March 14, 2018 Portland State University Prof. Fang Song Instructions This exam contains 8 pages (including this cover page) and 5 questions. Total of
More informationFully Key-Homomorphic Encryption and its Applications
Fully Key-Homomorphic Encryption and its Applications D. Boneh, C. Gentry, S. Gorbunov, S. Halevi, Valeria Nikolaenko, G. Segev, V. Vaikuntanathan, D. Vinayagamurthy Outline Background on PKE and IBE Functionality
More informationRecent Advances in Identity-based Encryption Pairing-based Constructions
Fields Institute Workshop on New Directions in Cryptography 1 Recent Advances in Identity-based Encryption Pairing-based Constructions Kenny Paterson kenny.paterson@rhul.ac.uk June 25th 2008 Fields Institute
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationOutsider-Anonymous Broadcast Encryption with Sublinear Ciphertexts
Outsider-Anonymous Broadcast Encryption with Sublinear Ciphertexts elly Fazio 1,2 and Irippuge Milinda Perera 2 1 The City College of CUY fazio@cs.ccny.cuny.edu 2 The Graduate Center of CUY {nfazio,iperera}@gc.cuny.edu
More informationLattice-based Multi-signature with Linear Homomorphism
Copyright c 2016 The Institute of Electronics, Information and Communication Engineers SCIS 2016 2016 Symposium on Cryptography and Information Security Kumamoto, Japan, Jan. 19-22, 2016 The Institute
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationSecurity Analysis of an Identity-Based Strongly Unforgeable Signature Scheme
Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme Kwangsu Lee Dong Hoon Lee Abstract Identity-based signature (IBS) is a specific type of public-key signature (PKS) where any
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationInstructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year
Data Privacy and Security Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2017-2018 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum
More informationEfficient Smooth Projective Hash Functions and Applications
Efficient Smooth Projective Hash Functions and Applications David Pointcheval Joint work with Olivier Blazy, Céline Chevalier and Damien Vergnaud Ecole Normale Supérieure Isaac Newton Institute for Mathematical
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More informationNew Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts
New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts Allison Lewko University of Texas at Austin alewko@cs.utexas.edu Brent Waters University of Texas at Austin bwaters@cs.utexas.edu
More informationHidden-Vector Encryption with Groups of Prime Order
Hidden-Vector Encryption with Groups of Prime Order Vincenzo Iovino 1 and Giuseppe Persiano 1 Dipartimento di Informatica ed Applicazioni, Università di Salerno, 84084 Fisciano (SA), Italy. iovino,giuper}@dia.unisa.it.
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationIdentity-Based Online/Offline Encryption
Fuchun Guo 2 Yi Mu 1 Zhide Chen 2 1 University of Wollongong, Australia ymu@uow.edu.au 2 Fujian Normal University, Fuzhou, China fuchunguo1982@gmail.com Outline 1 2 3 4 Identity-based Encryption Review
More informationA New Functional Encryption for Multidimensional Range Query
A New Functional Encryption for Multidimensional Range Query Jia Xu 1, Ee-Chien Chang 2, and Jianying Zhou 3 1 Singapore Telecommunications Limited jia.xu@singtel.com 2 National University of Singapore
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationTowards Tightly Secure Lattice Short Signature and Id-Based Encryption
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt 16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationToward Hierarchical Identity-Based Encryption
Toward Hierarchical Identity-Based Encryption Jeremy Horwitz and Ben Lynn Stanford University, Stanford, CA 94305, USA, {horwitz blynn}@cs.stanford.edu Abstract. We introduce the concept of hierarchical
More informationLow Overhead Broadcast Encryption from Multilinear Maps
Low Overhead Broadcast Encryption from Multilinear Maps Dan Boneh Stanford University dabo@cs.stanford.edu Mark Zhandry Stanford University zhandry@cs.stanford.edu Brent Waters University of Texas at Austin
More informationDATA PRIVACY AND SECURITY
DATA PRIVACY AND SECURITY Instructor: Daniele Venturi Master Degree in Data Science Sapienza University of Rome Academic Year 2018-2019 Interlude: Number Theory Cubum autem in duos cubos, aut quadratoquadratum
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationNew Constructions of Revocable Identity-Based Encryption from Multilinear Maps
New Constructions of Revocable Identity-Based Encryption from Multilinear Maps Seunghwan Park Kwangsu Lee Dong Hoon Lee Abstract A revocation mechanism in cryptosystems for a large number of users is absolutely
More informationCryptographic Solutions for Data Integrity in the Cloud
Cryptographic Solutions for Stanford University, USA Stanford Computer Forum 2 April 2012 Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. Homomorphic
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationHow to Use Linear Homomorphic Signature in Network Coding
How to Use Linear Homomorphic Signature in Network Coding Li Chen lichen.xd at gmail.com Xidian University September 28, 2013 How to Use Linear Homomorphic Signature in Network Coding Outline 1 Linear
More informationEnforcing honesty of certification authorities: Tagged one-time signature schemes
Enforcing honesty of certification authorities: Tagged one-time signature schemes Information Security Group Royal Holloway, University of London bertram.poettering@rhul.ac.uk Stanford, January 11, 2013
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Secret Sharing Vault should only open if both Alice and Bob are present Vault should only open if Alice, Bob, and Charlie are
More informationConverting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups
Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups David Mandell Freeman Stanford University, USA Eurocrypt 2010 Monaco, Monaco 31 May 2010 David Mandell Freeman (Stanford)
More informationCrypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.
Crypto math II Alin Tomescu alinush@mit.edu May 7, 015 Abstract A quick overview on group theory from Ron Rivest s 6.857 course in Spring 015. 1 Overview Group theory review Diffie-Hellman (DH) key exchange
More informationDan Boneh. Introduction. Course Overview
Online Cryptography Course Introduction Course Overview Welcome Course objectives: Learn how crypto primitives work Learn how to use them correctly and reason about security My recommendations: Take notes
More informationNon-Interactive Zero-Knowledge from Homomorphic Encryption. Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU)
Non-Interactive Zero-Knowledge from Homomorphic Encryption Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU) January 27th, 2006 NYU Crypto Reading Group Zero-Knowledge and Interaction
More informationA Fully Collusion Resistant Broadcast, Trace and Revoke System
A Fully Collusion Resistant Broadcast, Trace and Revoke System Dan Boneh Brent Waters Abstract We introduce a simple primitive called Augmented Broadcast Encryption (ABE) that is sufficient for constructing
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationLeakage Resilient ElGamal Encryption
Asiacrypt 2010, December 9th, Singapore Outline 1 Hybrid Encryption, the KEM/DEM framework 2 ElGamal KEM 3 Leakage Resilient Crypto Why? How? Other models? 4 Leakage Resilient ElGamal CCA1 secure KEM (Key
More information15 Public-Key Encryption
15 Public-Key Encryption So far, the encryption schemes that we ve seen are symmetric-key schemes. The same key is used to encrypt and decrypt. In this chapter we introduce public-key (sometimes called
More informationAdaptively Simulation-Secure Attribute-Hiding Predicate Encryption
Adaptively Simulation-Secure Attribute-Hiding Predicate Encryption by Pratish Datta 1 joint work with Tatsuaki Okamoto 1 and Katsuyuki Takashima 2 1 NTT Secure Platform Laboratories 3-9-11 Midori-cho,
More informationA Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
More informationProofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures
Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures G. Fuchsbauer D. Pointcheval École normale supérieure Pairing'09, 13.08.2009 Fuchsbauer, Pointcheval (ENS) Proofs
More informationOrder- Revealing Encryp2on and the Hardness of Private Learning
Order- Revealing Encryp2on and the Hardness of Private Learning January 11, 2016 Mark Bun Mark Zhandry Harvard MIT Let s do some science! Scurvy: a problem throughout human history Caused by vitamin C
More informationConditional Proxy Broadcast Re-Encryption
Conditional Proxy Broadcast Re-Encryption Cheng-Kang Chu 1, Jian Weng 1,2, Sherman S.M. Chow 3, Jianying Zhou 4, and Robert H. Deng 1 1 School of Information Systems Singapore Management University, Singapore
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationShortening the Libert-Peters-Yung Revocable Group Signature Scheme by Using the Random Oracle Methodology
Shortening the Libert-Peters-Yung Revocable Group Signature Scheme by Using the Random Oracle Methodology Kazuma Ohara, Keita Emura, Goichiro Hanaoka, i Ishida, Kazuo Ohta, and Yusuke Sakai The University
More informationOn i-hop Homomorphic Encryption
No relation to On i-hop Homomorphic Encryption Craig Gentry, Shai Halevi, Vinod Vaikuntanathan IBM Research 2 This Work is About Connections between: Homomorphic encryption (HE) Secure function evaluation
More informationSecure Certificateless Public Key Encryption without Redundancy
Secure Certificateless Public Key Encryption without Redundancy Yinxia Sun and Futai Zhang School of Mathematics and Computer Science Nanjing Normal University, Nanjing 210097, P.R.China Abstract. Certificateless
More informationOn Homomorphic Encryption and Secure Computation
On Homomorphic Encryption and Secure Computation challenge response Shai Halevi IBM NYU Columbia Theory Day, May 7, 2010 Computing on Encrypted Data Wouldn t it be nice to be able to o Encrypt my data
More informationLightweight Symmetric-Key Hidden Vector Encryption without Pairings
Lightweight Symmetric-Key Hidden Vector Encryption without Pairings Sikhar Patranabis and Debdeep Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology Kharagpur sikhar.patranabis@iitkgp.ac.in,
More information18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018
18734: Foundations of Privacy Anonymous Cash Anupam Datta CMU Fall 2018 Today: Electronic Cash Goals Alice can ask for Bank to issue coins from her account. Alice can spend coins. Bank cannot track what
More informationLecture 7: Boneh-Boyen Proof & Waters IBE System
CS395T Advanced Cryptography 2/0/2009 Lecture 7: Boneh-Boyen Proof & Waters IBE System Instructor: Brent Waters Scribe: Ioannis Rouselakis Review Last lecture we discussed about the Boneh-Boyen IBE system,
More informationMarch 19: Zero-Knowledge (cont.) and Signatures
March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o
More informationOnline Cryptography Course. Using block ciphers. Review: PRPs and PRFs. Dan Boneh
Online Cryptography Course Using block ciphers Review: PRPs and PRFs Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical examples: 1. 3DES: n= 64 bits, k = 168 bits
More informationProxy Re-Signature Schemes without Random Oracles
An extended abstract of this paper appears in Indocrypt 2007, K. Srinathan, C. Pandu Rangan, M. Yung (Eds.), volume 4859 of LNCS, pp. 97-209, Sringer-Verlag, 2007. Proxy Re-Signature Schemes without Random
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More information