Mitigating Multi-Target-Attacks in Hash-based Signatures. Andreas Hülsing joint work with Joost Rijneveld, Fang Song
|
|
- Francis McBride
- 5 years ago
- Views:
Transcription
1 Mitigating Multi-Target-Attacks in Hash-based Signatures Andreas Hülsing joint work with Joost Rijneveld, Fang Song
2 A brief motivation
3 Trapdoor- / Identification Scheme-based (PQ-)Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters PAGE y x x x x x x y x x x x x x y
4 Hash-based Signature Schemes [Mer89] Post quantum Only secure hash function Security well understood Fast PAGE 4
5 RSA DSA EC-DSA... Intractability Assumption Cryptographic hash function RSA, DH, SVP, MQ, Digital signature scheme PAGE 5
6 Basic Construction PAGE 6
7 Lamport-Diffie OTS [Lam79] Message M = b1,,bm, OWF H * = n bit SK PK sk 1,0 sk 1,1 sk m,0 sk m,1 H H H H H H pk 1,0 pk 1,1 pk m,0 pk m,1 b1 Mux b2 Mux bm Mux Sig sk 1,b1 sk m,bm PAGE 7
8 Merkle s Hash-based Signatures PK H SIG = (i=2,,,,, ) H OTS H H H H H H H H H H H H H OTS OTS OTS OTS OTS OTS OTS OTS SK PAGE 8
9 Minimizing security assumptions... [BHH+15,BDE+11,BDH11, DOTV08,Hül13,HRB13]
10 Assumption / Attacks Hash-function properties stronger / easier to break Collision-Resistance 2 nd -Preimage- Resistance weaker / harder to break One-way Pseudorandom PAGE 10
11 Attacks on Hash Functions MD5 Collisions (theo.) MD5 Collisions (practical!) SHA-1 Collisions (theo.) MD5 & SHA-1 No (Second-) Preimage Attacks! PAGE 11
12 ...and dealing with the consequences [HRS16]
13 Multi-target attacks What is the bit security of a protocol using a n = 256 bit hash function that requires one-wayness? 256 bit? Not necessarily!
14 Multi-target attacks Consider H n {h k : 0,1 m 0,1 n k 0,1 n } Assume protocol Π that uses h k p times Break Π invert h k on one out of p different values. Attack complexity: Θ(2 n log p ) (generic attacks) Bit security: n log p Similar problem applies for SPR, etcr,...
15 Formalizing the issue One-wayness: for any classical q-query A Single-function, multi-target one-wayness
16 Solution? Use different elements from function family for each hash. - Makes problems independent - Each hash query can only be used for one target!
17 Multi-function, multi-target OW Seems trivial, right? What about the quantum case? Still trivial?
18 Results
19 Implications Tight security for MSS that rely on multi-function properties. New function (key) for each call. New bitmask too for SPR No solution for message digest, yet (see etcr)
20 Part II: Details on Hashbased signatures
21 Winternitz-OTS [Mer90,BDE+11,Hül13]
22 Recap LD-OTS [Lam79] Message M = b1,,bm, OWF H * = n bit SK sk 1,0 sk 1,1 sk m,0 sk m,1 H H H H H H PK pk 1,0 pk 1,1 pk m,0 pk m,1 b1 Mux b2 Mux bn Mux Sig sk 1,b1 sk m,bm
23 LD-OTS in MSS SIG = (i=2,,,,, ) Verification: 1. Verify 2. Verify authenticity of We can do better!
24 Trivial Optimization Message M = b1,,bm, OWF H * = n bit SK sk 1,0 sk 1,1 sk m,0 sk m,1 H H H H H H PK pk 1,0 pk 1,1 pk m,0 pk m,1 b1 Mux Mux b1 bm Mux Mux bm Sig sig 1,0 sig 1,1 sig m,0 sig m,1
25 Optimized LD-OTS in MSS Verification: X SIG = (i=2,,,,, ) 1. Compute from 2. Verify authenticity of Steps together verify
26 Let s sort this! Message M = b 1,,b m, OWF H SK: sk 1,,sk m,sk m+1,,sk 2m PK: H(sk 1 ),,H(sk m ),H(sk m+1 ),,H(sk 2m ) Encode M: M = M M = b 1,,b m, b 1,, b m (instead of b 1, b 1,,b m, b m ) Sig: sig i = sk i, if b i = 1 H(sk i ), otherwise Checksum with bad performance!
27 Optimized LD-OTS [Mer90] Message M = b 1,,b m, OWF H SK: sk 1,,sk m,sk m+1,,sk m+1+log m PK: H(sk 1 ),,H(sk m ),H(sk m+1 ),,H(sk m+1+log m ) Encode M: M = b 1,,b m, 1 m b i Sig: sig i = sk i, if b i = 1 H(sk i ), otherwise IF one b i is flipped from 1 to 0, another b j will flip from 0 to 1
28 Function chains Function family: H n h k : {0,1} n {0,1} n h k $ H n Parameter w Chain: c i ( x) i 1 h k ( c ( x)) hk hk hk ( x) i times c 0 (x) = x c 1 (x) = h k (x) c w 1 (x)
29 WOTS Winternitz parameter w, security parameter n, message length m, function family H n c 0 (sk 1 ) = sk 1 Key Generation: Compute l, sample h k pk 1 = c w-1 (sk 1 ) c 1 (sk 1 ) c 1 (sk l ) pk l = c w-1 (sk l ) c 0 (sk l ) = sk l
30 WOTS Signature generation M b 1 b 2 b 3 b 4 b m b m +1 b m +2 b l c 0 (sk 1 ) = sk 1 pk 1 = c w-1 (sk 1 ) C σ 1 =c b 1(sk 1 ) Signature: σ = (σ 1,, σ l ) pk l = c w-1 (sk l ) c 0 (sk l ) = sk l σ l =c b l (sk l )
31 WOTS Signature Verification Verifier knows: M, w b 1 b 2 b 3 b 4 b m b m +1 b l 1+2 b l σ 1 Signature: σ = (σ 1,, σ l ) c 1 (σ 1 ) c 2 (σ 1 ) c 3 (σ 1 ) σ l pk 1 =? c w 1 b 1 (σ 1 ) pk l =? c w 1 b l (σ l )
32 WOTS Function Chains For x 0,1 n define c 0 x = x and WOTS: c i x = h k (c i 1 x ) WOTS $ : c i x = h c i 1 x (r) WOTS + : c i x = h k (c i 1 x r i )
33 WOTS Security Theorem (informally): W-OTS is strongly unforgeable under chosen message attacks if H n is a collision resistant family of undetectable one-way functions. W-OTS $ is existentially unforgeable under chosen message attacks if H n is a pseudorandom function family. W-OTS + is strongly unforgeable under chosen message attacks if H n is a 2 nd -preimage resistant family of undetectable one-way functions.
34 extended Merkle Signature Scheme (XMSS) joint work with Johannes Buchmann, Erik Dahmen
35 XMSS Tree: Uses bitmasks Leafs: Use binary tree with bitmasks OTS: WOTS + Mesage digest: Randomized hashing Collision-resilient -> signature size halved H b i H
36 Multi-Tree XMSS Uses multiple layers of trees -> Key generation (= Building first tree on each layer) Θ(2 h ) Θ(d*2 h/d ) -> Allows to reduce worst-case signing times Θ(h/2) Θ(h/2d)
37 XMSS-Draft since -01 Each hash function call (excl. message hash) takes now a key and a bitmask. Issue: Order of N w l keys and bitmasks that have to be published. Put them into PK? Impractical Solution: PRG + Seed in PK
38 XMSS-Draft since -01 Solution: PRG + Seed in PK Security: - Not really standard model. - Natural but new assumption ( Generating the public values using a PRG, the scheme does not get less secure if seed is published. ), - Or ROM
39 SPHINCS: practical stateless hashbased signatures joint work with Daniel J. Bernstein, Daira Hopwood, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Michael Schneider, Peter Schwabe, Zooko Wilcox O Hearn
40 How to Eliminate the State
41 Protest? PAGE
42 Few-Time Signature Schemes PAGE 42
43 Recap LD-OTS Message M = b1,,bn, OWF H * = n bit SK PK sk 1,0 sk 1,1 sk n,0 sk n,1 H H H H H H pk 1,0 pk 1,1 pk n,0 pk n,1 b1 Mux b2 Mux bn Mux Sig sk 1,b1 sk n,bn PAGE 43
44 HORS [RR02] Message M, OWF H, CRHF H = n bit Parameters t=2 a,k, with m = ka (typical a=16, k=32) * SK sk 1 sk 2 sk t-1 sk t H H H H H H PK pk 1 pk 1 pk t-1 pk t PAGE 44
45 HORS mapping function Message M, OWF H, CRHF H = n bit Parameters t=2 a,k, with m = ka (typical a=16, k=32) * M H b 1 b 2 b a b ar i 1 i k PAGE 45
46 HORS Message M, OWF H, CRHF H * = n bit Parameters t=2 a,k, with m = ka (typical a=16, k=32) SK sk 1 sk 2 sk t-1 sk t H H H H H H PK pk 1 pk 1 pk t-1 pk t H (M) b 1 b 2 b a b a+1 b ka-2 b ka-1 b ka i 1 Mux Mux i k sk i1 sk ik PAGE 46
47 HORS Security M mapped to k element index set M i {1,, t} k Each signature publishes k out of t secrets Either break one-wayness or r-subset-resilience: After seeing index sets M i j for r messages msg j, 1 j r, hard to find msg r+1 i msg j such that M r+1 1 j r M i j. Best generic attack: Succ r-ssr (A, q) = q rk t Security shrinks with each signature! k PAGE 47
48 HORST Using HORS with MSS requires adding PK (tn) to MSS signature. HORST: Merkle Tree on top of HORS-PK New PK = Root Publish Authentication Paths for HORS signature values PK can be computed from Sig With optimizations: tn (k(log t x + 1) + 2 x )n E.g. SPHINCS-256: 2 MB 16 KB Use randomized message hash PAGE 48
49 SPHINCS Stateless Scheme XMSS MT + HORST + (pseudo-)random index Collision-resilient Deterministic signing SPHINCS-256: 128-bit post-quantum secure Hundrest of signatures / sec 41 kb signature 1 kb keys
50 Thank you! Questions? For references & further literature see PAGE 50
51 (Hash) function families H n h k : {0,1} m n {0,1} n m(n) n efficient {0,1} n h k m n {0,1}
52 One-wayness H n h k : {0,1} m n {0,1} n y c, k h $ k H n x $ {0,1} h k x y c m n Success if h k x = y c x
53 Collision resistance H n h k : {0,1} m n {0,1} n k h k $ H n Success if h k x 1 = h k x 2 (x 1, x 2 )
54 Second-preimage resistance H n h k : {0,1} m n {0,1} n x c, k h $ k H n x $ m n c {0,1} Success if h k x c = h k x x
55 Undetectability H n h k : {0,1} m n {0,1} n h k $ H n b $ {0,1} If b = 1 else x $ m n {0,1} y c h k (x) y c $ {0,1} n y c, k b*
56 Pseudorandomness H n h k : {0,1} m n {0,1} n 1 n b x y = g(x) g If b = 1 g $ H n else g $ U m n,n b*
An update on Hash-based Signatures. Andreas Hülsing
An update on Hash-based Signatures Andreas Hülsing Trapdoor- / Identification Scheme-based (PQ-)Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters 9-9-2015 PAGE 2... 1
More informationHash-based Signatures. Andreas Hülsing
Hash-based Signatures Andreas Hülsing Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters 23-2-2016 PAGE 2... 1 3 1 4 2 3 2 2 3 2 3 4 1 2 1 2 1 1 y x x x x
More informationHash-based signatures & Hash-and-sign without collision-resistance
Hash-based signatures & Hash-and-sign without collision-resistance Andreas Hülsing 22.12.2016 Hash-based Signature Schemes [Mer89] Post quantum Only secure hash function Security well understood Fast 22-12-2016
More informationHash-based Signatures
Hash-based Signatures Andreas Hülsing Summer School on Post-Quantum Cryptography June 2017, TU Eindhoven Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters
More informationSPHINCS: practical stateless hash-based signatures
SPHINCS: practical stateless hash-based signatures D. J. Bernstein, D. Hopwood, A. Hülsing, T. Lange, R. Niederhagen, L. Papachristodoulou, P. Schwabe, and Z. Wilcox O'Hearn Digital Signatures are Important!
More informationMitigating Multi-Target Attacks in Hash-based Signatures
Mitigating Multi-Target Attacks in Hash-based Signatures Andreas Hülsing 1, Joost Rijneveld 2, and Fang Song 3 1 Department of Mathematics and Computer Science Technische Universiteit Eindhoven P.O. Box
More informationXMSS A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions
XMSS A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions Johannes Buchmann and Andreas Hülsing {buchmann,huelsing}@cdc.informatik.tu-darmstadt.de Cryptography and Computeralgebra
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationOptimal Parameters for XMSS MT
Optimal Parameters for XMSS MT Andreas Hülsing, Lea Rausch, and Johannes Buchmann Cryptography and Computeralgebra Department of Computer Science TU Darmstadt, Germany huelsing@cdc.informatik.tu-darmstadt.de
More informationQuantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security
Quantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security Flight plan What s a quantum computer? How broken are your public keys? AES vs. quantum search Hidden quantum powers Defeating quantum computing
More informationImproving Stateless Hash-Based Signatures
Improving Stateless Hash-Based Signatures Jean-Philippe Aumasson 1 and Guillaume Endignoux 2 1 Kudelski Security, Switzerland 2 Google, Switzerland Abstract. We present several optimizations to SPHINCS,
More informationReassessing Grover s Algorithm
Reassessing Grover s Algorithm Scott Fluhrer Cisco Systems, USA sfluhrer@cisco.com Abstract. We note that Grover s algorithm (and any other quantum algorithm that does a search using an oracle) does not
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationFrom 5-pass MQ-based identification to MQ-based signatures
From 5-pass MQ-based identification to MQ-based signatures Ming-Shing Chen 1,2, Andreas Hülsing 3, Joost Rijneveld 4, Simona Samardjiska 5, Peter Schwabe 4 National Taiwan University 1 / Academia Sinica
More informationFrom 5-pass MQ-based identification to MQ-based signatures
From 5-pass MQ-based identification to MQ-based signatures Ming-Shing Chen 1,2, Andreas Hülsing 3, Joost Rijneveld 4, Simona Samardjiska 5, Peter Schwabe 4 National Taiwan University 1 / Academia Sinica
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Asymmetric Crypto ECC RSA DSA Symmetric Crypto AES SHA2 SHA1... Combination of both
More informationFPGA-BASED ACCELERATOR FOR POST-QUANTUM SIGNATURE SCHEME SPHINCS-256
IMES FPGA-BASED ACCELERATOR FOR POST-QUANTUM SIGNATURE SCHEME SPHINCS-256 Dorian Amiet 1, Andreas Curiger 2 and Paul Zbinden 1 1 HSR Hochschule für Technik, Rapperswil, Switzerland 2 Securosys SA, Zürich,
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationOptimal Parameters for XMSSMT
Optimal Parameters for XMSSMT Andreas Hülsing, Lea Rausch, Johannes Buchmann To cite this version: Andreas Hülsing, Lea Rausch, Johannes Buchmann. Optimal Parameters for XMSSMT. Alfredo Cuzzocrea; Christian
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More informationClarifying the subset-resilience problem
Clarifying the subset-resilience problem Jean-Philippe Aumasson 1 and Guillaume Endignoux 2 1 Kudelski Security, Switzerland 2 firstname.surname@m4x.org Abstract. We investigate the subset-resilience problem,
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationFrom 5-pass MQ-based identification to MQ-based signatures
From 5-pass MQ-based identification to MQ-based signatures Andreas Hülsing, Joost Rijneveld, Simona Samardjiska, and Peter Schwabe 30 June 2016 1 / 31 Our take on PQ-Crypto Prepare for actual use Reliable
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationNotes for Lecture 9. 1 Combining Encryption and Authentication
U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationW-OTS + Shorter Signatures for Hash-Based Signature Schemes
W-OTS + Shorter Signatures for Hash-Based Signature Schemes Andreas Hülsing huelsing@cdc.informati.tu-darmstadt.de Cryptography and Computeralgebra Department of Computer Science TU Darmstadt Abstract.
More informationMQDSS signatures: construction
MQDSS signatures: construction Ming-Shing Chen 1,2, Andreas Hülsing 3, Joost Rijneveld 4, Simona Samardjiska 5, Peter Schwabe 4 National Taiwan University 1 / Academia Sinica 2, Taipei, Taiwan Eindhoven
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationLecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from
Lecture 14 More on Digital Signatures and Variants COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Setting the Stage We will cover in more depth some issues for
More informationMessage Authentication Codes (MACs)
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.
More informationCRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018
CRYSTALS Kyber and Dilithium Peter Schwabe peter@cryptojedi.org https://cryptojedi.org February 7, 2018 Crypto today 5 building blocks for a secure channel Symmetric crypto Block or stream cipher (e.g.,
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously Digital Signatures Algorithms: Gen() à (sk,pk) Sign(sk,m) à σ Ver(pk,m,σ) à 0/1 Correctness: Pr[Ver(pk,m,Sign(sk,m))=1:
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationNumber Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers
Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications
More informationIntroduction to Information Security
Introduction to Information Security Lecture 4: Hash Functions and MAC 2007. 6. Prof. Byoungcheon Lee sultan (at) joongbu. ac. kr Information and Communications University Contents 1. Introduction - Hash
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationPractice Exam Winter 2018, CS 485/585 Crypto March 14, 2018
Practice Exam Name: Winter 2018, CS 485/585 Crypto March 14, 2018 Portland State University Prof. Fang Song Instructions This exam contains 8 pages (including this cover page) and 5 questions. Total of
More informationA Composition Theorem for Universal One-Way Hash Functions
A Composition Theorem for Universal One-Way Hash Functions Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com Abstract. In this paper we present a new scheme
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationHash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34
Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:
More informationAn introduction to Hash functions
An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27
More informationTrapdoors for Lattices: Simpler, Tighter, Faster, Smaller
Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech April 2012 1 / 16 Lattice-Based Cryptography y = g x mod p m e mod N e(g a,
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Prof. Dr. J. Buchmann Written by: P. Schmidt Last updated: February 25, 2010 1 Contents 1. Introduction 5 2. Motivation 5 3. Quantum Algorithms and Quantum Computers 6 3.1. The
More informationAnalysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes
Analysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes Alexandra Boldyreva 1 and Marc Fischlin 2 1 College of Computing, Georgia Institute of Technology, 801 Atlantic Drive,
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationCryptographic Hash Functions
Cryptographic Hash Functions Çetin Kaya Koç koc@ece.orst.edu Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 Technical Report December 9, 2002 Version 1.5 1 1 Introduction
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationLecture 1. Crypto Background
Lecture 1 Crypto Background This lecture Crypto background hash functions random oracle model digital signatures and applications Cryptographic Hash Functions Hash function takes a string of arbitrary
More informationPublic-Seed Pseudorandom Permutations
Public-Seed Pseudorandom Permutations Stefano Tessaro UCSB Joint work with Pratik Soni (UCSB) DIMACS Workshop New York June 8, 2017 We look at existing class of cryptographic primitives and introduce/study
More informationFoundations of Cryptography
- 111 - Foundations of Cryptography Notes of lecture No. 10B & 11 (given on June 11 & 18, 1989) taken by Sergio Rajsbaum Summary In this lecture we define unforgeable digital signatures and present such
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationHigh-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers
More informationIntroduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes
Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 03 13 More
More informationTransitive Signatures Based on Non-adaptive Standard Signatures
Transitive Signatures Based on Non-adaptive Standard Signatures Zhou Sujing Nanyang Technological University, Singapore, zhousujing@pmail.ntu.edu.sg Abstract. Transitive signature, motivated by signing
More informationDigital signature schemes
Digital signature schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction digital signature scheme security of digital
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More informationII. Digital signatures
II. Digital signatures Alice m Bob Eve 1. Did Bob send message m, or was it Eve? 2. Did Eve modify the message m, that was sent by Bob? 1 Digital signatures Digital signature - are equivalent of handwritten
More informationHigher Order Universal One-Way Hash Functions from the Subset Sum Assumption
Higher Order Universal One-Way Hash Functions from the Subset Sum Assumption Ron Steinfeld, Josef Pieprzyk, Huaxiong Wang Dept. of Computing, Macquarie University, Australia {rons, josef, hwang}@ics.mq.edu.au
More informationSIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography
SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 8 of Trappe and Washington DIGITAL SIGNATURES message sig 1. How do we bind
More informationEx1 Ex2 Ex3 Ex4 Ex5 Ex6
Technische Universität München (I7) Winter 2012/13 Dr. M. Luttenberger / M. Schlund Cryptography Endterm Last name: First name: Student ID no.: Signature: If you feel ill, let us know immediately. Please,
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among
More informationSampling Lattice Trapdoors
Sampling Lattice Trapdoors November 10, 2015 Today: 2 notions of lattice trapdoors Efficient sampling of trapdoors Application to digital signatures Last class we saw one type of lattice trapdoor for a
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationUnderstanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.
Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 11 Hash Functions ver. October 29, 2009 These slides were prepared by
More informationPerfectly-Crafted Swiss Army Knives in Theory
Perfectly-Crafted Swiss Army Knives in Theory Workshop Hash Functions in Cryptology * supported by Emmy Noether Program German Research Foundation (DFG) Hash Functions as a Universal Tool collision resistance
More information6.080/6.089 GITCS Apr 15, Lecture 17
6.080/6.089 GITCS pr 15, 2008 Lecturer: Scott aronson Lecture 17 Scribe: dam Rogal 1 Recap 1.1 Pseudorandom Generators We will begin with a recap of pseudorandom generators (PRGs). s we discussed before
More informationWeek 12: Hash Functions and MAC
Week 12: Hash Functions and MAC 1. Introduction Hash Functions vs. MAC 2 Hash Functions Any Message M Hash Function Generate a fixed length Fingerprint for an arbitrary length message. No Key involved.
More informationCryptographic Solutions for Data Integrity in the Cloud
Cryptographic Solutions for Stanford University, USA Stanford Computer Forum 2 April 2012 Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. Homomorphic
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationUninstantiability of Full-Domain Hash
Uninstantiability of based on On the Generic Insecurity of, Crypto 05, joint work with Y.Dodis and R.Oliveira Krzysztof Pietrzak CWI Amsterdam June 3, 2008 Why talk about this old stuff? Why talk about
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationA brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago
A brief survey of post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption
More informationEnforcing honesty of certification authorities: Tagged one-time signature schemes
Enforcing honesty of certification authorities: Tagged one-time signature schemes Information Security Group Royal Holloway, University of London bertram.poettering@rhul.ac.uk Stanford, January 11, 2013
More informationFrom Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes
From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationHashes and Message Digests Alex X. Liu & Haipeng Dai
Hashes and Message Digests Alex X. Liu & Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University Integrity vs. Secrecy Integrity: attacker cannot
More informationDigital Signatures. p1.
Digital Signatures p1. Digital Signatures Digital signature is the same as MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem. Message m MAC k (m) Message
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationInformation Security
SE 4472 / ECE 9064 Information Security Week 12: Random Number Generators and Picking Appropriate Key Lengths Fall 2015 Prof. Aleksander Essex Random Number Generation Where do keys come from? So far we
More informationHigher Order Universal One-Way Hash Functions
Higher Order Universal One-Way Hash Functions Deukjo Hong 1, Bart Preneel 2, and Sangjin Lee 1 1 Center for Information Security Technologies(CIST), Korea University, Seoul, Korea {hongdj,sangjin}@cist.korea.ac.kr
More informationTowards Tightly Secure Lattice Short Signature and Id-Based Encryption
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt 16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationHomework 7 Solutions
Homework 7 Solutions Due: March 22, 2018 CS 151: Intro. to Cryptography and Computer Security 1 Fun with PRFs a. F a s = F 0 k(x) F s (x) is not a PRF, for any choice of F. Consider a distinguisher D a
More information2: Iterated Cryptographic Hash Functions
2: Iterated ryptographic Hash Functions we want hash function H : ({0, 1} n ) {0, 1} n of potentially infinite input size instead we have compression function F : {0, 1} m {0, 1} n {0, 1} n and define
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationSecure Signatures and Chosen Ciphertext Security in a Post-Quantum World
Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World Dan Boneh Mark Zhandry Stanford University {dabo,zhandry}@cs.stanford.edu Abstract We initiate the study of quantum-secure digital
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationDTTF/NB479: Dszquphsbqiz Day 26
DTTF/NB479: Dszquphsbqiz Day 26 Announceents:. HW6 due now 2. HW7 posted 3. Will pick pres dates Friday Questions? This week: Discrete Logs, Diffie-Hellan, ElGaal Hash Functions, SHA, Birthday attacks
More informationhttps://www.microsoft.com/en-us/research/people/plonga/ Outline Motivation recap Isogeny-based cryptography The SIDH key exchange protocol The SIKE protocol Authenticated key exchange from supersingular
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More information