Digital Signatures from Strong RSA without Prime Genera7on. David Cash Rafael Dowsley Eike Kiltz
|
|
- Brendan Anthony
- 5 years ago
- Views:
Transcription
1 Digital Signatures from Strong RSA without Prime Genera7on David Cash Rafael Dowsley Eike Kiltz
2 Digital Signatures Digital signatures are one of mostly deployed cryptographic primi7ves.
3 Digital Signatures Digital signatures are one of mostly deployed cryptographic primi7ves. The proved- secure schemes with the best security guarantees are not nearly as efficient as the (unbroken) schemes used in prac7ce.
4 Digital Signatures Digital signatures are one of mostly deployed cryptographic primi7ves. The proved- secure schemes with the best security guarantees are not nearly as efficient as the (unbroken) schemes used in prac7ce. The best provable security evidence for the most prac7cal schemes are in the random oracle model (ROM). For instance, the RSA full domain hash [BR96]: Sign(sk=(n,d), m) = H(m) d mod n
5 Digital Signatures Digital signatures are one of mostly deployed cryptographic primi7ves. The proved- secure schemes with the best security guarantees are not nearly as efficient as the (unbroken) schemes used in prac7ce. The best provable security evidence for the most prac7cal schemes are in the random oracle model (ROM). For instance, the RSA full domain hash [BR96]: Sign(sk=(n,d), m) = H(m) d mod n Problem: In prac7ce non- random hash func7ons like SHA- 256 are used, which implies some theore7cal limita7ons of these results [CGH98,DOP05].
6 RSA- based Signatures in the Standard Model There is a line of work on designing provable secure, efficient signatures based on the (strong) RSA problem in the standard model. The aim is to decrease the efficiency gap between these solu7ons and the ones in the ROM.
7 RSA- based Signatures in the Standard Model There is a line of work on designing provable secure, efficient signatures based on the (strong) RSA problem in the standard model. The aim is to decrease the efficiency gap between these solu7ons and the ones in the ROM. In common: the signing algorithm generates primes.
8 RSA- based Signatures in the Standard Model There is a line of work on designing provable secure, efficient signatures based on the (strong) RSA problem in the standard model. The aim is to decrease the efficiency gap between these solu7ons and the ones in the ROM. In common: the signing algorithm generates primes. Genera7ng primes is expensive and it is not an intrinsic step for the signing algorithm, thus it is desirable to avoid it.
9 Our Work Strong RSA- based signature without prime genera7on for signing.
10 Our Work Strong RSA- based signature without prime genera7on for signing. Public key and signature sizes compe77ve with prior schemes, the verifica7on is much slower.
11 Our Work Strong RSA- based signature without prime genera7on for signing. Public key and signature sizes compe77ve with prior schemes, the verifica7on is much slower. Not compe77ve with ROM solu7ons.
12 Our Work Strong RSA- based signature without prime genera7on for signing. Public key and signature sizes compe77ve with prior schemes, the verifica7on is much slower. Not compe77ve with ROM solu7ons. Conceptual contribu7on towards the goal of prac7cal schemes from conserva7ve hardness assump7ons without random oracles.
13 Strong RSA Problem and Signatures Challenger Adversary (sk, pk=n=pq) y $ RSA- Keygen $ Z n * n, y
14 Strong RSA Problem and Signatures Challenger Adversary (sk, pk=n=pq) y $ RSA- Keygen $ Z n * n, y e, x Wins if x e =y mod n and e>1.
15 Strong RSA Problem and Signatures Challenger Adversary (sk, pk=n=pq) y $ RSA- Keygen $ Z n * n, y e, x Wins if x e =y mod n and e>1. Natural approach for embedding it into digital signatures: the signature is (e, x) where x is the e- th root of a value y that depends on the message.
16 Strong RSA Problem and Signatures Challenger Adversary (sk, pk=n=pq) y $ RSA- Keygen $ Z n * n, y e, x Wins if x e =y mod n and e>1. Natural approach for embedding it into digital signatures: the signature is (e, x) where x is the e- th root of a value y that depends on the message. In order to apply known techniques that prevent an adversary from assembling several signatures into a new signature, e is typically required to be prime or a product of primes.
17 Current Schemes Many exis7ng schemes [CS99,F03,HK08,Z01,Z03,CL04] use Sign(sk, m) = (H(m) 1/e mod n, e) where e is a random prime and is H some (algebraic) hash func7on.
18 Current Schemes Many exis7ng schemes [CS99,F03,HK08,Z01,Z03,CL04] use Sign(sk, m) = (H(m) 1/e mod n, e) where e is a random prime and is H some (algebraic) hash func7on. Other schemes [GHR99,HW09,HJK11] based on the strong/standard RSA problem use Sign(sk, m) = g 1/ h i(m) mod n where h i are independent hash func7ons that hash into primes.
19 Our Scheme Uses the prefix signing technique of Hohenberger- Waters [HW09].
20 Our Scheme Uses the prefix signing technique of Hohenberger- Waters [HW09]. Let p and q be large safe primes and F a be pseudorandom func7on that outputs random odds numbers.
21 Our Scheme Uses the prefix signing technique of Hohenberger- Waters [HW09]. Let p and q be large safe primes and F a be pseudorandom func7on that outputs random odds numbers. pk = (n,g,k) where n=pq, g is a random element of Z n * and k is a key for F
22 Our Scheme Uses the prefix signing technique of Hohenberger- Waters [HW09]. Let p and q be large safe primes and F a be pseudorandom func7on that outputs random odds numbers. pk = (n,g,k) where n=pq, g is a random element of Z n * and k is a key for F sk = (p,q,pk)
23 Our Scheme Uses the prefix signing technique of Hohenberger- Waters [HW09]. Let p and q be large safe primes and F a be pseudorandom func7on that outputs random odds numbers. pk = (n,g,k) where n=pq, g is a random element of Z n * and k is a key for F sk = (p,q,pk) The signature on a message m of L- bits is Sign(sk, m) = g 1/e mod n L e = F(k,m[1 i]) F(k,m i) i=1 u i=1
24 Our Scheme To verify a signature σ on a message m first compute L e = F(k,m[1 i]) F(k,m i) i=1 u i=1 Accept if σ e = g mod n
25 Our Scheme To verify a signature σ on a message m first compute L e = F(k,m[1 i]) F(k,m i) i=1 u i=1 Accept if σ e = g mod n We show that this scheme is secure against weak chosen message alacks.
26 Weak CMA Security Challenger Adversary (sk, pk) $ Keygen
27 Weak CMA Security Challenger Adversary (sk, pk) $ Keygen m 1,, m t
28 Weak CMA Security Challenger Adversary (sk, pk) $ Keygen m 1,, m t σ i $ Sign(sk, m i ) pk, σ 1,..., σ t
29 Weak CMA Security Challenger Adversary (sk, pk) $ Keygen m 1,, m t σ i $ Sign(sk, m i ) pk, σ 1,..., σ t m*, σ* Wins if Verify(pk, m*, σ*)=1 and m* was not queried.
30 CMA Security Challenger Adversary (sk, pk) $ Keygen pk
31 CMA Security Challenger Adversary (sk, pk) $ Keygen pk σ 1 $ Sign(sk, m 1 ) σ t $ Sign(sk, m t ) m 1 σ 1. m t σ t
32 CMA Security Challenger Adversary (sk, pk) $ Keygen pk σ 1 $ Sign(sk, m 1 ) σ t $ Sign(sk, m t ) m 1 σ 1. m t σ t m*, σ* Wins if Verify(pk, m*, σ*)=1 and m* was not queried.
33 CMA Security Challenger Adversary (sk, pk) $ Keygen pk σ 1 $ Sign(sk, m 1 ) σ t $ Sign(sk, m t ) m 1 σ 1. m t σ t m*, σ* Wins if Verify(pk, m*, σ*)=1 and m* was not queried. A chameleon hash func7on can be used to get from weak CMA to CMA [KR00,HW09].
34 Prefix Signing Technique [HW09] Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i])
35 Prefix Signing Technique [HW09] ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Each branch has an associated number that is determined by F.
36 Prefix Signing Technique [HW09] ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Each branch has an associated number that is determined by F. To sign a message m=0011, for instance, compute e as the product of the numbers associated with the branches in green.
37 Prefix Signing Technique [HW09] ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Let the sub- tree in green be the branches associated with the parallel signing query of the adversary.
38 Prefix Signing Technique [HW09] ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Let the sub- tree in green be the branches associated with the parallel signing query of the adversary. Exit branch: non- green, but only has green branches on path from root un7l it.
39 Prefix Signing Technique [HW09] ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Guess Let the sub- tree in green be the branches associated with the parallel signing query of the adversary. Exit branch: non- green, but only has green branches on path from root un7l it.
40 Prefix Signing Technique [HW09] ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) We also use this structure, but with F that outputs random odd numbers and based on the strong RSA problem.
41 Prefix Signing Technique [HW09] ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) We also use this structure, but with F that outputs random odd numbers and based on the strong RSA problem. We do not try to guess the exit branch.
42 Naïve Approach ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Let α be a sufficiently large integer and set the outputs of F to be large enough so that they are α- smooth with negligible probability only.
43 Naïve Approach ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Let α be a sufficiently large integer and set the outputs of F to be large enough so that they are α- smooth with negligible probability only. With overwhelming probability all exit branches are good. Very bad parameters.
44 Our Scheme ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Only require the numbers to be non- α- smooth with constant probability.
45 Proof Idea ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) For every possible valid forgery, there should be a non- α- smooth number in its root to message path that is not in the sub- tree of queried messages.
46 Proof Idea ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) For every possible valid forgery, there should be a non- α- smooth number in its root to message path that is not in the sub- tree of queried messages.
47 Proof Idea ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) For every possible valid forgery, there should be a non- α- smooth number in its root to message path that is not in the sub- tree of queried messages.
48 Proof Idea ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Adapt analysis technique from Gennaro et al. [GHR99] to analyze the probability that a non- smooth number divides the product of some random numbers.
49 Proof Idea ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Adapt analysis technique from Gennaro et al. [GHR99] to analyze the probability that a non- smooth number divides the product of some random numbers. If the number associated with the branch in purple does not divide the product of the ones in green, then it is possible to solve the strong RSA problem.
50 Proof Idea ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Given an strong RSA instance (n, y) and the signature query, compute g backwards: g=y green numbers mod n
51 Proof Idea ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Given a forged signature (m*, σ*), it is possible to solve the strong RSA problem if gcd(e*, green numbers)>1 e* = F(k,m*[1 i])
52 Smoothness Analysis ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Start analysis with the exit branches. If one of them is smooth, analyze its children and repeat this process recursively.
53 Smoothness Analysis ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Start analysis with the exit branches. If one of them is smooth, analyze its children and repeat this process recursively.
54 Smoothness Analysis ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Start analysis with the exit branches. If one of them is smooth, analyze its children and repeat this process recursively.
55 Smoothness Analysis ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Start analysis with the exit branches. If one of them is smooth, analyze its children and repeat this process recursively.
56 Smoothness Analysis ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Start analysis with the exit branches. If one of them is smooth, analyze its children and repeat this process recursively.
57 Smoothness Analysis ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Start analysis with the exit branches. If one of them is smooth, analyze its children and repeat this process recursively.
58 Smoothness Analysis ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Start analysis with the exit branches. If one of them is smooth, analyze its children and repeat this process recursively.
59 Smoothness Analysis ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Start analysis with the exit branches. If one of them is smooth, analyze its children and repeat this process recursively.
60 Smoothness Analysis ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Start analysis with the exit branches. If one of them is smooth, analyze its children and repeat this process recursively. Problem: How to deal with exit branches in the last level/non- finished recursions.
61 Smoothness Analysis ε Sign(sk, m) = g 1/e mod n L e = F(k,m[1 i]) F(k,m i) i=1 u i=1
62 Smoothness Analysis ε.. Sign(sk, m) = g 1/e mod n L e = F(k,m[1 i]) F(k,m i) i=1 u i=1
63 #Recursions 0 For each exit branch of the tree with overwhelming probability there are at most 2L 2 recursive calls. 1
64 #Recursions 0 For each exit branch of the tree with overwhelming probability there are at most 2L 2 recursive calls. Upper bound at each level: 2L. 1
65 #Recursions 0 For each exit branch of the tree with overwhelming probability there are at most 2L 2 recursive calls. Upper bound at each level: 2L. 1 Each level can have at most double the calls as the previous one.
66 #Recursions 0 For each exit branch of the tree with overwhelming probability there are at most 2L 2 recursive calls. Upper bound at each level: 2L. 1 Each level can have at most double the calls as the previous one. If the previous level had at most L calls, then the current one has at most 2L. Otherwise the previous level had between L and 2L calls and we apply the Chernoff bound to these Bernoulli random variables.
67 Smoothness Analysis In the context of ellip7c- curve signatures Coron, Handschuh and Naccache [CHN99] avoided point coun7ng by working over larger underlying fields.
68 Smoothness Analysis In the context of ellip7c- curve signatures Coron, Handschuh and Naccache [CHN99] avoided point coun7ng by working over larger underlying fields. As in our case a naïve analysis of the smoothness property would result in very bad parameters, so they only increased the size of the underlying field enough to get smooth curves with low probability.
69 Smoothness Analysis In the context of ellip7c- curve signatures Coron, Handschuh and Naccache [CHN99] avoided point coun7ng by working over larger underlying fields. As in our case a naïve analysis of the smoothness property would result in very bad parameters, so they only increased the size of the underlying field enough to get smooth curves with low probability. Iterate the protocol over many independent curves to guarantee that at least one of them is not smooth.
70 Smoothness Analysis In the context of ellip7c- curve signatures Coron, Handschuh and Naccache [CHN99] avoided point coun7ng by working over larger underlying fields. As in our case a naïve analysis of the smoothness property would result in very bad parameters, so they only increased the size of the underlying field enough to get smooth curves with low probability. Iterate the protocol over many independent curves to guarantee that at least one of them is not smooth....
71 Summary ² Our scheme does not need to generate primes while signing.
72 Summary ² Our scheme does not need to generate primes while signing. ² Public- key and signature size compe77ve with other schemes.
73 Summary ² Our scheme does not need to generate primes while signing. ² Public- key and signature size compe77ve with other schemes. ² Weakness: verifica7on performance.
74 Summary ² Our scheme does not need to generate primes while signing. ² Public- key and signature size compe77ve with other schemes. ² Weakness: verifica7on performance. ² Could be a stepping- stone to more prac7cal signatures in the standard model.
75
Digital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationShort Signatures Without Random Oracles
Short Signatures Without Random Oracles Dan Boneh and Xavier Boyen (presented by Aleksandr Yampolskiy) Outline Motivation Preliminaries Secure short signature Extensions Conclusion Why signatures without
More informationJohn Hancock enters the 21th century Digital signature schemes. Table of contents
John Hancock enters the 21th century Digital signature schemes Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents From last time: Good news and bad There
More informationA New RSA-Based Signature Scheme
1 / 13 A New RSA-Based Signature Scheme Sven Schäge, Jörg Schwenk Horst Görtz Institute for IT-Security Africacrypt 2010 2 / 13 RSA-Based Signature Schemes Naïve RSA signature scheme not secure under the
More informationFrom Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes
From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer
More informationOptimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample
Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample Fuchun Guo 1, Rongmao Chen 2, Willy Susilo 1, Jianchang Lai 1, Guomin Yang 1, and Yi Mu 1 1 Institute
More informationLecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from
Lecture 14 More on Digital Signatures and Variants COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Setting the Stage We will cover in more depth some issues for
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationShort Signatures From Diffie-Hellman: Realizing Short Public Key
Short Signatures From Diffie-Hellman: Realizing Short Public Key Jae Hong Seo Department of Mathematics, Myongji University Yongin, Republic of Korea jaehongseo@mju.ac.kr Abstract. Efficient signature
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationTransitive Signatures Based on Non-adaptive Standard Signatures
Transitive Signatures Based on Non-adaptive Standard Signatures Zhou Sujing Nanyang Technological University, Singapore, zhousujing@pmail.ntu.edu.sg Abstract. Transitive signature, motivated by signing
More informationDigital signature schemes
Digital signature schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction digital signature scheme security of digital
More informationShort Unique Signatures from RSA with a Tight Security Reduction (in the Random Oracle Model)
Short Unique Signatures from RSA with a Tight Security Reduction (in the Random Oracle Model) Hovav Shacham UC San Diego and UT Austin Abstract. A signature scheme is unique if for every public key and
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously Digital Signatures Algorithms: Gen() à (sk,pk) Sign(sk,m) à σ Ver(pk,m,σ) à 0/1 Correctness: Pr[Ver(pk,m,Sign(sk,m))=1:
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationImproved Security for Linearly Homomorphic Signatures: A Generic Framework
An extended abstract of this work will appear in Public Key Cryptography PKC 2012. This is the full version. Improved Security for Linearly Homomorphic Signatures: A Generic Framework DAVID MANDELL FREEMAN
More informationShort and Stateless Signatures from the RSA Assumption
Short and Stateless Signatures from the RSA Assumption Susan Hohenberger 1, and Brent Waters 2, 1 Johns Hopkins University, susan@cs.jhu.edu 2 University of Texas at Austin, bwaters@cs.utexas.edu Abstract.
More informationSchnorr Signature. Schnorr Signature. October 31, 2012
. October 31, 2012 Table of contents Salient Features Preliminaries Security Proofs Random Oracle Heuristic PKS and its Security Models Hardness Assumption The Construction Oracle Replay Attack Security
More informationTowards Tightly Secure Lattice Short Signature and Id-Based Encryption
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt 16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationDigital Signatures. p1.
Digital Signatures p1. Digital Signatures Digital signature is the same as MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem. Message m MAC k (m) Message
More informationA Second Look at s Transforma3on
A Second Look at s Transforma3on - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Özgür Dagdelen Technische Universität Darmstadt Daniele Venturi Sapienza University
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationImproved Security for Linearly Homomorphic Signatures: A Generic Framework
Improved Security for Linearly Homomorphic Signatures: A Generic Framework Stanford University, USA PKC 2012 Darmstadt, Germany 23 May 2012 Problem: Computing on Authenticated Data Q: How do we delegate
More informationTightly-Secure Signatures From Lossy Identification Schemes
Tightly-Secure Signatures From Lossy Identification Schemes Michel Abdalla, Pierre-Alain Fouque, Vadim Lyubashevsky, and Mehdi Tibouchi 2 École normale supérieure {michel.abdalla,pierre-alain.fouque,vadim.lyubashevsky}@ens.fr
More informationTight Proofs for Signature Schemes without Random Oracles
Tight Proofs for Signature Schemes without Random Oracles Sven Schäge Horst Görtz Institute for IT-Security Ruhr-University of Bochum sven.schaege@rub.de Abstract. We present the first tight security proofs
More informationSynchronized Aggregate Signatures from the RSA Assumption
Synchronized Aggregate Signatures from the RSA Assumption Susan Hohenberger Johns Hopkins University susan@cs.jhu.edu Brent Waters UT Austin bwaters@cs.utexas.edu January 18, 2018 Abstract In this work
More informationMarch 19: Zero-Knowledge (cont.) and Signatures
March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationHash-based signatures & Hash-and-sign without collision-resistance
Hash-based signatures & Hash-and-sign without collision-resistance Andreas Hülsing 22.12.2016 Hash-based Signature Schemes [Mer89] Post quantum Only secure hash function Security well understood Fast 22-12-2016
More informationHomework 3 Solutions
5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin
More informationHash-based Signatures. Andreas Hülsing
Hash-based Signatures Andreas Hülsing Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters 23-2-2016 PAGE 2... 1 3 1 4 2 3 2 2 3 2 3 4 1 2 1 2 1 1 y x x x x
More informationComparing With RSA. 1 ucl Crypto Group
Comparing With RSA Julien Cathalo 1, David Naccache 2, and Jean-Jacques Quisquater 1 1 ucl Crypto Group Place du Levant 3, Louvain-la-Neuve, b-1348, Belgium julien.cathalo@uclouvain.be, jean-jacques.quisquater@uclouvain.be
More informationSIS-based Signatures
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin February 26, 2013 Basics We will use the following parameters: n, the security parameter. =poly(n). m 2n log s 2 n
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationRealizing Hash-and-Sign Signatures under Standard Assumptions
Realizing Hash-and-Sign Signatures under Standard Assumptions Susan Hohenberger Johns Hopkins University Brent Waters University of Texas at Austin June 14, 2009 Abstract Currently, there are relatively
More informationHow (Not) to Design Strong-RSA Signatures
Published in Designs, Codes and Cryptography, 59(1/3):169 182, 2011. How (Not) to Design Strong-RSA Signatures Marc Joye Abstract This paper considers strong-rsa signature schemes built from the scheme
More informationSecurity Analysis of an Identity-Based Strongly Unforgeable Signature Scheme
Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme Kwangsu Lee Dong Hoon Lee Abstract Identity-based signature (IBS) is a specific type of public-key signature (PKS) where any
More informationOutline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More informationQ B (pk, sk) Gen x u M pk y Map pk (x) return [B(pk, y)? = x]. (m, s) A O h
MTAT.07.003 Cryptology II Spring 2012 / Exercise session?? / Example Solution Exercise (FRH in RO model). Show that the full domain hash signature is secure against existential forgeries in the random
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationThreshold RSA for Dynamic and Ad-Hoc Groups
Threshold RSA for Dynamic and Ad-Hoc Groups Rosario Gennaro, Shai Halevi, Hugo Krawczyk, Tal Rabin IBM T.J.Watson Research Center Hawthorne, NY USA Abstract. We consider the use of threshold signatures
More informationII. Digital signatures
II. Digital signatures Alice m Bob Eve 1. Did Bob send message m, or was it Eve? 2. Did Eve modify the message m, that was sent by Bob? 1 Digital signatures Digital signature - are equivalent of handwritten
More informationUninstantiability of Full-Domain Hash
Uninstantiability of based on On the Generic Insecurity of, Crypto 05, joint work with Y.Dodis and R.Oliveira Krzysztof Pietrzak CWI Amsterdam June 3, 2008 Why talk about this old stuff? Why talk about
More informationSeifert s RSA Fault Attack: Simplified Analysis and Generalizations
Seifert s RSA Fault Attack: Simplified Analysis and Generalizations James A. Muir School of Computer Science Carleton University jamuir@scs.carleton.ca 15 December 2005 21:11:36 EST Abstract Seifert recently
More informationSampling Lattice Trapdoors
Sampling Lattice Trapdoors November 10, 2015 Today: 2 notions of lattice trapdoors Efficient sampling of trapdoors Application to digital signatures Last class we saw one type of lattice trapdoor for a
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationOnline Cryptography Course. Message integrity. Message Auth. Codes. Dan Boneh
Online Cryptography Course Message integrity Message Auth. Codes Message Integrity Goal: integrity, no confiden>ality. Examples: Protec>ng public binaries on disk. Protec>ng banner ads on web pages. Message
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationRealizing Hash-and-Sign Signatures under Standard Assumptions
Realizing Hash-and-Sign Signatures under Standard Assumptions Susan Hohenberger 1, and Brent Waters 2, 1 Johns Hopkins University, susan@cs.jhu.edu 2 University of Texas at Austin, bwaters@cs.utexas.edu
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationIntroduction to Cryptography. Susan Hohenberger
Introduction to Cryptography Susan Hohenberger 1 Cryptography -- from art to science -- more than just encryption -- essential today for non-military applications 2 Symmetric Crypto Shared secret K =>
More informationOn High-Rate Cryptographic Compression Functions
On High-Rate Cryptographic Compression Functions Richard Ostertág and Martin Stanek Department o Computer Science Faculty o Mathematics, Physics and Inormatics Comenius University Mlynská dolina, 842 48
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationSECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL. Mark Zhandry Stanford University
SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL Mark Zhandry Stanford University Random Oracle Model (ROM) Sometimes, we can t prove a scheme secure in the standard model. Instead,
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationHash-based Signatures
Hash-based Signatures Andreas Hülsing Summer School on Post-Quantum Cryptography June 2017, TU Eindhoven Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters
More informationNew Approach for Selectively Convertible Undeniable Signature Schemes
New Approach for Selectively Convertible Undeniable Signature Schemes Kaoru Kurosawa 1 and Tsuyoshi Takagi 2 1 Ibaraki University, Japan, kurosawa@mx.ibaraki.ac.jp 2 Future University-Hakodate, Japan,
More informationMemory-Tight Reductions
Memory-Tight Reductions Benedikt Auerbach 1 David Cash 2 Manuel Fersch 1 Eike Kiltz 1 April 12, 2018 1 Horst Görtz Institute for IT Security, Ruhr University Bochum, Germany {benedikt.auerbach,manuel.fersch,eike.kiltz}@rub.de
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019
Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationTight Proofs for Signature Schemes without Random Oracles
Tight Proofs for Signature Schemes without Random Oracles Sven Schäge Horst Görtz Institute for IT-Security, Ruhr-University of Bochum, Germany sven.schaege@rub.de Abstract. We present the first tight
More informationThe Gap-Problems: a New Class of Problems for the Security of Cryptographic Schemes
Proceedings of the 2001 International Workshop on Practice and Theory in Public Key Cryptography (PKC 2001) (13 15 february 2001, Cheju Islands, South Korea) K. Kim Ed. Springer-Verlag, LNCS 1992, pages
More informationOnline Cryptography Course. Collision resistance. Introduc3on. Dan Boneh
Online Cryptography Course Collision resistance Introduc3on Recap: message integrity So far, four MAC construc3ons: PRFs ECBC- MAC, CMAC : commonly used with AES (e.g. 802.11i) NMAC : basis of HMAC (this
More informationOptimal Security Proofs for Full Domain Hash, Revisited
Optimal Security Proofs for Full Domain Hash, Revisited Saqib A. Kakvi 1 and Eike Kiltz 1 Faculty of Mathematics, Horst Görtz Institute for IT Security Ruhr University Bochum {saqib.kakvi,eike.kiltz}@rub.de
More informationSecure Hash-and-Sign Signatures Without the Random Oracle
Secure Hash-and-Sign Signatures Without the Random Oracle Rosario Gennaro, Shai Halevi, and Tal Rabin IBM T.J.Watson Research Center, PO Box 704, Yorktown Heights, NY 10598, USA {rosario,shaih,talr}@watson.ibm.com
More informationWeek : Public Key Cryptosystem and Digital Signatures
Week 10-11 : Public Key Cryptosystem and Digital Signatures 1. Public Key Encryptions RSA, ElGamal, 2 RSA- PKC(1/3) 1st public key cryptosystem R.L.Rivest, A.Shamir, L.Adleman, A Method for Obtaining Digital
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationXMSS A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions
XMSS A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions Johannes Buchmann and Andreas Hülsing {buchmann,huelsing}@cdc.informatik.tu-darmstadt.de Cryptography and Computeralgebra
More informationHow to Use Linear Homomorphic Signature in Network Coding
How to Use Linear Homomorphic Signature in Network Coding Li Chen lichen.xd at gmail.com Xidian University September 28, 2013 How to Use Linear Homomorphic Signature in Network Coding Outline 1 Linear
More informationLattice Cryptography
CSE 06A: Lattice Algorithms and Applications Winter 01 Instructor: Daniele Micciancio Lattice Cryptography UCSD CSE Many problems on point lattices are computationally hard. One of the most important hard
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationCryptography CS 555. Topic 24: Finding Prime Numbers, RSA
Cryptography CS 555 Topic 24: Finding Prime Numbers, RSA 1 Recap Number Theory Basics Abelian Groups φφ pppp = pp 1 qq 1 for distinct primes p and q φφ NN = Z N gg xx mod N = gg [xx mmmmmm φφ NN ] mod
More informationLimits on the Efficiency of One-Way Permutation-Based Hash Functions
Limits on the Efficiency of One-Way Permutation-Based Hash Functions Jeong Han Kim Daniel R. Simon Prasad Tetali Abstract Naor and Yung show that a one-bit-compressing universal one-way hash function (UOWHF)
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationSecure and Practical Identity-Based Encryption
Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.
More informationPractical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
More informationChapter 7: Signature Schemes. COMP Lih-Yuan Deng
Chapter 7: Signature Schemes COMP 7120-8120 Lih-Yuan Deng lihdeng@memphis.edu Overview Introduction Security requirements for signature schemes ElGamal signature scheme Variants of ElGamal signature scheme
More informationCramer-Damgård Signatures Revisited: Efficient Flat-Tree Signatures Based on Factoring
Cramer-Damgård Signatures Revisited: Efficient Flat-Tree Signatures Based on Factoring Dario Catalano 1 and Rosario Gennaro 2 1 CNRS - École normale supérieure, Laboratoire d informatique 45 rue d Ulm,
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationConstructing Provably-Secure Identity-Based Signature Schemes
Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of Science, Bangalore November 23, 2013 Overview Table of contents Background Formal Definitions Schnorr Signature
More informationLecture 1. Crypto Background
Lecture 1 Crypto Background This lecture Crypto background hash functions random oracle model digital signatures and applications Cryptographic Hash Functions Hash function takes a string of arbitrary
More informationA Security Proof of KCDSA using an extended Random Oracle Model
A Security Proof of KCDSA using an extended Random Oracle Model Vikram Singh Abstract We describe a tight security reduction to the discrete logarithm problem for KCDSA under an extended Random Oracle
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationDigital Signatures from Challenge-Divided Σ-Protocols
Digital Signatures from Challenge-Divided Σ-Protocols Andrew C. Yao Yunlei Zhao Abstract Digital signature is one of the basic primitives in cryptography. A common paradigm of obtaining signatures, known
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,
More informationPairing-Based Identification Schemes
Pairing-Based Identification Schemes David Freeman Information Theory Research HP Laboratories Palo Alto HPL-2005-154 August 24, 2005* public-key cryptography, identification, zero-knowledge, pairings
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More information