G22.3220-001/G63.2180 Advanced Cryptography    November 11, 2009
Lecture 10
Lecturer: Yevgeniy Dodis    Scribe: Adriana Lopez

Last time we:
- defined Adaptive Soundness and Adaptive Zero Knowledge
- defined Unbounded Zero Knowledge
- finished constructing unbounded (adaptive) NIZK for NP:
  - can prove many statements with the same $crs$
  - $|crs| = \mathrm{poly}(\lambda)$
  - composable NIZK (ZK holds even if $tk$ is given)
  - easy to extend to a Proof of Knowledge (let $c = \mathrm{Enc}_{pk}(x)$ and prove that $\mathrm{Dec}_{sk}(c)$ is a witness for $y$)

Today we'll cover:
- Simulation Soundness
- A One-Time Simulation-Sound NIZK construction
- Two constructions of CCA-secure encryption from CPA-secure encryption:
  - Dolev, Dwork, Naor [DDN]: using one-time signatures and one-time NIZK (OT-NIZK)
  - Naor, Yung [NY]: using one-time simulation-sound NIZK (OT-SS-NIZK)

1 Simulation Soundness

Motivation: can $P$ prove false statements given $tk$? Recall that in a proof, soundness holds even for an unbounded $P$ (although we want the honest prover to be efficient), while in an argument soundness only holds for a bounded $P$. In either case the simulator $\mathrm{sim}(tk, \cdot)$ is efficient, which is what the next lemma uses.

Lemma 1 Let $Y_T$ be a distribution over true statements and $Y_F$ a distribution over false statements, and assume $Y_T \approx Y_F$ (computationally indistinguishable). Then $\mathrm{sim}(tk, Y_F)$ outputs an accepting proof with probability $1 - \mathrm{negl}(\lambda)$.

Remark 2 We can assume such $Y_T \approx Y_F$ exist given the existence of one-way functions (OWFs).

Proof: $(Y_F, \mathrm{sim}(tk, Y_F)) \approx (Y_T, \mathrm{sim}(tk, Y_T))$, since $Y_T \approx Y_F$ and $\mathrm{sim}(tk, \cdot)$ is efficient (an efficient procedure applied to indistinguishable inputs yields indistinguishable outputs). Next, $(Y_T, \mathrm{sim}(tk, Y_T)) \approx (Y_T, P(X_T, Y_T))$ by zero knowledge, where $X_T$ is the witness for $Y_T$. By completeness, $P(X_T, Y_T)$ gives an accepting proof. Since $(Y_F, \mathrm{sim}(tk, Y_F)) \approx (Y_T, P(X_T, Y_T))$ and acceptance by $V$ is an efficiently checkable event, $\mathrm{sim}(tk, Y_F)$ must give an accepting proof with probability $1 - \mathrm{negl}(\lambda)$. $\square$

Question: can $P$ prove false statements after seeing proofs of (possibly false) statements? It's unclear. We only know the answer is no if it sees proofs of true statements only (by adaptive soundness).

Definition 3 We say a protocol $\Pi$ is simulation-sound (SS) if for all ppt $A$, $\Pr[A \text{ wins}] \le \mathrm{negl}(\lambda)$ in the following game: $A^{\mathrm{sim}(tk, \cdot)}(crs) \to (y^*, \Pi^*)$, where $\mathrm{sim}(tk, \cdot)$ gives proofs of (possibly false) statements. $A$ wins if all of the following hold:
- $V(y^*, \Pi^*, crs) = 1$
- $y^* \notin L$
- $y^*$ was not a query to the simulator oracle $\mathrm{sim}(tk, \cdot)$

We say a protocol $\Pi$ is one-time simulation-sound (OT-SS) if in the game above we only allow $A$ to make one query to $\mathrm{sim}(tk, \cdot)$.

Remark 4 We can also define simulation-extractability, which is the equivalent of a simulation-sound proof of knowledge.

1.1 Construction of OT-SS-NIZK

We show a construction of OT-SS-NIZK (OT-SS and OT-ZK) based on OT-NIZK, OT signatures, and commitments.

Let nizk-$\Pi$ = (nizk-gen, nizk-prove, nizk-ver) be an OT-NIZK protocol, where nizk-prove($crs$, $(y, vk, c)$, $x$) proves statements of the form "either $y \in L$ or $c \in \mathrm{com}(vk)$" (i.e. $c$ is a commitment to $vk$; the witness $x$ is either a witness for $y \in L$ or an opening of $c$ to $vk$). Let $\Sigma$ = (sign-gen, sign, sign-ver) be a one-time signature scheme, and let (com-gen, com, open) be a commitment scheme.

Gen($1^\lambda$): $(\text{ot-}crs, \text{ot-}tk) \leftarrow$ nizk-gen($1^\lambda$); $(sk^*, vk^*) \leftarrow$ sign-gen($1^\lambda$); $ck \leftarrow$ com-gen($1^\lambda$); $(c, d) \leftarrow \mathrm{com}_{ck}(vk^*; r)$. Output $crs = (\text{ot-}crs, c)$ and $tk = (\text{ot-}tk, sk^*, r)$.

Prove($crs$, $x$, $y$): $(sk, vk) \leftarrow$ sign-gen($1^\lambda$); $\Pi \leftarrow$ nizk-prove($\text{ot-}crs$, $(y, vk, c)$, $x$); $\sigma \leftarrow \mathrm{sign}_{sk}(vk, \Pi, y)$. Output $(vk, \Pi, \sigma)$.

Verify($crs$, $y$, $(vk, \Pi, \sigma)$): output 1 iff sign-ver$_{vk}((vk, \Pi, y), \sigma) = 1$ and nizk-ver($\text{ot-}crs$, $(y, vk, c)$, $\Pi$) $= 1$. (The verifier only sees $crs$; it never gets $tk$.)

We let sim($crs$, $tk$, $y$) simulate a proof as follows: sim uses $vk = vk^*$, proves the branch "$c = \mathrm{com}(vk^*)$" with the opening $r$ as its witness, and uses $sk^*$ to sign $(vk^*, \Pi, y)$.

Theorem 5 If nizk-$\Pi$ is OT-NIZK, $\Sigma$ is a one-time signature scheme, and the commitment scheme is hiding and binding, then the protocol described above is OT-SS-NIZK.

Proof: We first prove that the protocol described above is one-time zero-knowledge. Consider the transcript output in each of the following games:

Game 0: Everything is done as in the protocol described above: $c = \mathrm{com}(vk^*)$, and the real prover uses its own fresh $vk$ and proves that $y \in L$.

Game 1: $c = \mathrm{com}(vk)$, where $vk$ is the key the real prover will use, and the real prover uses $vk$ and proves that $y \in L$. Game 1 is the same as game 0 except that $c$ commits to $vk$ instead of $vk^*$, so by the hiding property of the commitment scheme the transcript in game 1 is indistinguishable from the one in game 0.

Game 2: $c = \mathrm{com}(vk)$, and the real prover uses $vk$ but proves the other branch, $c = \mathrm{com}(vk)$, using the opening as its witness. By witness indistinguishability of nizk-$\Pi$ (implied by its zero knowledge), the transcript in game 2 is indistinguishable from the one in game 1.

Game 3: $c = \mathrm{com}(vk^*)$ and sim gives a proof that $c = \mathrm{com}(vk^*)$, signed under $sk^*$. This is game 2 with the committed key pair renamed from $(vk, sk)$ to $(vk^*, sk^*)$: in both games the key committed to in $crs$ is the one that signs, and the proof is of the commitment branch, so the two transcripts are identically distributed and no further assumption is needed for this step.

We have proven that the transcript in game 3 is indistinguishable from the transcript in game 0. This implies that the real transcript produced by the real prover is indistinguishable from the one produced by the simulator sim, as desired. (Only a single proof is simulated, which is why $c$ can commit to the one key that proof uses; this is where "one-time" comes from.)

We must also prove that the protocol above is one-time simulation-sound. Let Succ be the event that $A$ makes the query sim($y$), receiving $(vk^*, \Pi, \sigma)$, and outputs a proof $(vk', \Pi', \sigma')$ for a statement $y'$ such that $y' \neq y$, $y' \notin L$, and Verify($crs$, $y'$, $(vk', \Pi', \sigma')$) $= 1$. Let Succ$'$ be the same as Succ except that we further require $vk' \neq vk^*$. Notice that $|\Pr[\mathrm{Succ}] - \Pr[\mathrm{Succ}']| = \mathrm{negl}(\lambda)$ by the security of the one-time signature scheme: if $vk' = vk^*$, then $\sigma'$ is a valid signature under $vk^*$ on $(vk^*, \Pi', y')$, which differs from the single message $(vk^*, \Pi, y)$ signed by sim because $y' \neq y$, so $A$ has forged a signature after one signing query. (The same argument works whenever $(\Pi', y') \neq (\Pi, y)$, so the construction also rejects a new proof for the already-queried statement $y$; a new signature $\sigma' \neq \sigma$ on the very same triple is excluded only if $\Sigma$ is strongly unforgeable.)

Now consider the event Succ$'$. Since $vk' \neq vk^*$ and $c = \mathrm{com}(vk^*)$, binding of the commitment gives $c \notin \mathrm{com}(vk')$. But we also have $y' \notin L$, so the statement $(y', vk', c)$ is false. The one proof $A$ has seen is a real nizk-$\Pi$ proof of the true statement $(y, vk^*, c)$ (sim proved the commitment branch with a genuine witness), so the (adaptive) soundness of nizk-$\Pi$ applies and $\Pr[\text{nizk-ver}(\text{ot-}crs, (y', vk', c), \Pi') = 1] = \mathrm{negl}(\lambda)$. Thus $\Pr[\mathrm{Succ}'] = \mathrm{negl}(\lambda)$, which implies $\Pr[\mathrm{Succ}] = \mathrm{negl}(\lambda)$, as desired. $\square$
2 CCA-Secure Encryption from CPA-Secure Encryption

Recall the following definitions of CPA- and CCA-secure encryption:

Definition 6 An encryption scheme is CPA-secure if for all ppt $A$, $\Pr[A \text{ wins}] \le \tfrac12 + \mathrm{negl}(\lambda)$ in the following game:
- $(pk, sk) \leftarrow \mathrm{Gen}(1^\lambda)$
- $(m, state) \leftarrow A(pk)$
- $c_0 \leftarrow \mathrm{Enc}_{pk}(0)$, $c_1 \leftarrow \mathrm{Enc}_{pk}(m)$
- $b \leftarrow_R \{0, 1\}$, $b' \leftarrow A(c_b, state)$

$A$ wins if $b' = b$.

Definition 7 An encryption scheme is CCA-secure if for all ppt $A$, $\Pr[A \text{ wins}] \le \tfrac12 + \mathrm{negl}(\lambda)$ in the game above, even when $A$ has access to a decryption oracle $\mathrm{Dec}_{sk}(\cdot)$ throughout, with the restriction that $A$ cannot query the oracle on $c_b$.

We show two constructions of CCA-secure encryption from CPA-secure encryption:
- Dolev, Dwork, Naor [DDN]: using one-time signatures and one-time NIZK (OT-NIZK)
- Naor, Yung [NY]: using one-time simulation-sound NIZK (OT-SS-NIZK)

2.1 Dolev, Dwork, Naor [DDN]

Let $E$ = (Enc-Gen, Enc, Dec) be a CPA-secure encryption scheme, let $\Sigma$ = (Sign-Gen, Sign, Sign-Ver) be a one-time signature scheme, and let nizk-$\Pi$ = (nizk-gen, Prove, nizk-ver) be an OT-NIZK protocol. Let Prove($c_1, c_2, \ldots, c_n$) prove statements of the form "all the $c_i$ decrypt to the same message $m$".

CCA-Gen($1^\lambda$): $crs \leftarrow$ nizk-gen($1^\lambda$). Let $n = |vk|$ be the bit length of a verification key of the one-time signature scheme. For $i = 1, \ldots, n$ and $b \in \{0, 1\}$: $(ek_{i,b}, dk_{i,b}) \leftarrow$ Enc-Gen($1^\lambda$). Let $ek' = \{ek_{i,b}\}_{i \in \{1, \ldots, n\},\, b \in \{0, 1\}}$, arranged as the $2 \times n$ matrix

    ek' =  ek_{1,0}  ek_{2,0}  ...  ek_{n,0}
           ek_{1,1}  ek_{2,1}  ...  ek_{n,1}

Output $ek = (ek', crs)$ and $dk = (dk_{1,0}, dk_{1,1})$ (only the first column's decryption keys are kept).

CCA-Enc$_{ek}(m)$: $(vk, sk) \leftarrow$ Sign-Gen($1^\lambda$); write $vk = vk_1 vk_2 \ldots vk_n$ as a bit string. For $i = 1, \ldots, n$: $c_i \leftarrow \mathrm{Enc}(ek_{i, vk_i}, m)$, i.e. the $i$-th bit of $vk$ selects which of the two keys in column $i$ is used. Let $\Pi \leftarrow$ Prove($c_1, \ldots, c_n$) be an NIZK proof for the statement $(vk, ek, c_1, \ldots, c_n)$ that all the $c_i$ decrypt, under the keys selected by $vk$, to the same message $m$. Let $c = c_1 c_2 \ldots c_n$ and $\sigma \leftarrow \mathrm{Sign}_{sk}(vk, c, \Pi)$, and output $(vk, c, \Pi, \sigma)$.

CCA-Dec$_{dk}(vk, c, \Pi, \sigma)$: if nizk-ver($crs$, $(vk, ek, c)$, $\Pi$) $= 1$ and Sign-Ver$_{vk}((vk, c, \Pi), \sigma) = 1$, output $m = \mathrm{Dec}(dk_{1, vk_1}, c_1)$. Otherwise, reject.

Theorem 8 If $E$ is CPA-secure, nizk-$\Pi$ is OT-NIZK, and $\Sigma$ is a one-time signature scheme, then the encryption scheme described above is CCA-secure.

Proof: Consider the following sequence of games, and let $\Pr_i[A \text{ wins}]$ denote the probability that $A$ outputs the guess $b' = 1$ in game $i$ (in game 0, where $b = 1$, this is exactly the probability that $A$ wins). Game 0 is the CCA game in which $A$ receives an encryption of $m$ and game 7 below is the CCA game in which $A$ receives an encryption of $0$; showing that these two probabilities differ by $\mathrm{negl}(\lambda)$ is exactly CCA security. Table 1 summarizes the games described below and the properties used to prove indistinguishability between consecutive games.

Game 0: Game 0 is the real CCA game in the case when $A$ receives $\text{CCA-Enc}_{ek}(m) = (vk^*, c^*, \Pi^*, \sigma^*)$.

Game 1: Game 1 is the same as game 0 except that $A$ automatically wins if it ever queries the decryption oracle with a valid ciphertext $(vk, c, \Pi, \sigma)$ such that $vk = vk^*$. Notice that for such a ciphertext to be valid, $\sigma$ must be a valid signature under $vk^*$ on $(vk^*, c, \Pi)$. Since the challenge itself may not be queried, either this message differs from the single message $(vk^*, c^*, \Pi^*)$ that was signed, or $\sigma \neq \sigma^*$ is a second signature on it (to exclude the latter case, $\Sigma$ must be strongly unforgeable). Either way $A$ has forged against $\Sigma$ after seeing one signature, so by the security of $\Sigma$ the probability that $A$ submits such a ciphertext is negligible. This means that $|\Pr_1[A \text{ wins}] - \Pr_0[A \text{ wins}]| = \mathrm{negl}(\lambda)$.

Game 2: Game 2 is the same as game 1 except that the challenger selects $(vk^*, sk^*)$ in advance, creates $ek$ as before, but lets $dk = (dk_{1, \overline{vk^*_1}}, dk_{2, \overline{vk^*_2}}, \ldots, dk_{n, \overline{vk^*_n}})$, where $\overline{vk^*_i}$ denotes the complement of the $i$-th bit of $vk^*$. Since we let $A$ win if its decryption query contains $vk^*$, we can assume every query contains some $vk \neq vk^*$. This means there exists some index $j$ for which $vk_j = \overline{vk^*_j}$, so the challenger holds $dk_{j, vk_j}$. The challenger answers the decryption query by decrypting $c_j$ using $dk_{j, vk_j}$. By soundness of nizk-$\Pi$ this gives the same answer as decrypting $c_1$ as before, except with negligible probability: an accepting proof for $c_1, \ldots, c_n$ that do not all decrypt to the same message would contradict soundness. Therefore $|\Pr_2[A \text{ wins}] - \Pr_1[A \text{ wins}]| = \mathrm{negl}(\lambda)$. Note that the challenger now holds none of the keys $dk_{i, vk^*_i}$ under which the challenge ciphertext is encrypted.

Game 3: Game 3 is the same as game 2 except that we let $\Pi^* = \mathrm{sim}(tk, (vk^*, ek, c^*))$ be a simulated proof. By zero knowledge of nizk-$\Pi$ we know that $|\Pr_3[A \text{ wins}] - \Pr_2[A \text{ wins}]| = \mathrm{negl}(\lambda)$.

Game 4,i (for $i = 1, \ldots, n$): Game 4,i is the same as game 3 except that for $j \le i$: $c^*_j = \mathrm{Enc}(ek_{j, vk^*_j}, 0)$, and for $j > i$: $c^*_j = \mathrm{Enc}(ek_{j, vk^*_j}, m)$. Because $E$ is CPA-secure and the challenger never uses $dk_{i, vk^*_i}$ (so a CPA adversary against $E$ can plant its challenge key at position $(i, vk^*_i)$ and simulate everything else), we have $|\Pr_{4,1}[A \text{ wins}] - \Pr_3[A \text{ wins}]| = \mathrm{negl}(\lambda)$ and, for $i = 1, \ldots, n-1$, $|\Pr_{4,i+1}[A \text{ wins}] - \Pr_{4,i}[A \text{ wins}]| = \mathrm{negl}(\lambda)$.

Game 5: Game 5 is the same as game 4,n except that we let $\Pi^* = \mathrm{Prove}(c^*_1, c^*_2, \ldots, c^*_n)$ again. Notice that in this case, for all $i$ we have $c^*_i = \mathrm{Enc}(ek_{i, vk^*_i}, 0)$, so the prover proves a true statement: all the $c^*_i$ are encryptions of the same message (0 in this case). By zero knowledge of nizk-$\Pi$ we know that $|\Pr_5[A \text{ wins}] - \Pr_{4,n}[A \text{ wins}]| = \mathrm{negl}(\lambda)$.

Game 6: Game 6 is the same as game 5 except that the challenger runs the CCA-Gen algorithm described above to create $ek$ and $dk = (dk_{1,0}, dk_{1,1})$, and only afterwards selects $(vk^*, sk^*)$, all as in the real CCA game. By soundness of nizk-$\Pi$ (the argument of game 2, in reverse) we know that $|\Pr_6[A \text{ wins}] - \Pr_5[A \text{ wins}]| = \mathrm{negl}(\lambda)$.

Game 7: Game 7 is the same as game 6 except that $A$ no longer automatically wins if it queries the decryption oracle with a valid ciphertext $(vk, c, \Pi, \sigma)$ such that $vk = vk^*$. By the security of $\Sigma$ (as in game 1), we know that $|\Pr_7[A \text{ wins}] - \Pr_6[A \text{ wins}]| = \mathrm{negl}(\lambda)$.

Notice that game 7 is exactly the CCA game when $A$ receives $\text{CCA-Enc}_{ek}(0)$. We have proved that $|\Pr_7[A \text{ wins}] - \Pr_0[A \text{ wins}]| = \mathrm{negl}(\lambda)$, a sum of $n + 6$ negligible terms, which proves the theorem since game 0 is the CCA game when $A$ receives $\text{CCA-Enc}_{ek}(m)$. $\square$
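As an added worked equation, not part of the notes: the hybrid chain of the proof of Theorem 8 summed with the triangle inequality. Write $\varepsilon_\Sigma$, $\varepsilon_{\mathrm{snd}}$, $\varepsilon_{\mathrm{zk}}$ and $\varepsilon_{\mathrm{cpa}}$ for the best advantage of an adversary with roughly $A$'s running time against the one-time signature, the soundness of nizk-$\Pi$, the zero knowledge of nizk-$\Pi$ and the CPA security of $E$ (these $\varepsilon$ symbols are ours, not the notes'), and set $\Pr_{4,0} := \Pr_3$:

$$
\begin{aligned}
\bigl|\Pr\nolimits_7[A \text{ wins}] - \Pr\nolimits_0[A \text{ wins}]\bigr|
&\le \sum_{k=0}^{2} \bigl|\Pr\nolimits_{k+1} - \Pr\nolimits_{k}\bigr|
 + \sum_{i=1}^{n} \bigl|\Pr\nolimits_{4,i} - \Pr\nolimits_{4,i-1}\bigr|
 + \bigl|\Pr\nolimits_5 - \Pr\nolimits_{4,n}\bigr|
 + \sum_{k=5}^{6} \bigl|\Pr\nolimits_{k+1} - \Pr\nolimits_{k}\bigr| \\
&\le \varepsilon_\Sigma + \varepsilon_{\mathrm{snd}} + \varepsilon_{\mathrm{zk}}
 + n\,\varepsilon_{\mathrm{cpa}} + \varepsilon_{\mathrm{zk}} + \varepsilon_{\mathrm{snd}} + \varepsilon_\Sigma \\
&= 2\varepsilon_\Sigma + 2\varepsilon_{\mathrm{snd}} + 2\varepsilon_{\mathrm{zk}} + n\,\varepsilon_{\mathrm{cpa}} .
\end{aligned}
$$

The factor $n = |vk|$ comes from the $n$ hybrids 4,i: the reduction to the CPA security of $E$ loses a factor $n$ in advantage relative to the underlying scheme, so the size of the one-time verification key matters for concrete security.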
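An added example, not code from the lecture notes or from [DDN], covering the key-selection layer of the construction in Section 2.1 and the Game 2 reduction above. It implements a Lamport one-time signature (SHA-256 as the one-way function, an assumption of this example), reads the bits $vk_1 \ldots vk_n$ directly off the serialized verification key, uses a length-prefixed encoding of $(vk, c, \Pi)$ as the signed message (also our choice), and checks that the challenger of Game 2, holding only the complement keys $dk_{i,\overline{vk^*_i}}$, can always find a column to decrypt for any $vk \neq vk^*$. The CPA scheme $E$ and the NIZK are not implemented, so on its own this is not a CCA-secure scheme; it also shows, with a deliberately shortened digest, why a Lamport key must sign only one message.

```python
# Added example (not from the notes): Lamport one-time signatures and the
# DDN key-selection / Game 2 reduction mechanics.  SHA-256, the serialized
# vk as the bit string vk_1..vk_n, and the length-prefixed encoding of
# (vk, c, Pi) are assumptions of this example.  E and the NIZK are omitted.
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple


def H(data: bytes) -> bytes:
    """SHA-256, used as the one-way function for Lamport and to hash messages."""
    return hashlib.sha256(data).digest()


def _bits(raw: bytes, count: int) -> List[int]:
    """First `count` bits of `raw`, most significant bit first."""
    return [(raw[i // 8] >> (7 - i % 8)) & 1 for i in range(count)]


# --- Sigma = (sign_gen, sign, sign_ver): Lamport signature on an n-bit digest.
# n = 256 is the real parameter; a small n only makes the "second signature
# leaks preimages" attack below cheap to demonstrate.
def sign_gen(n: int = 256) -> Tuple[list, list]:
    """sk: n pairs of random 32-byte preimages; vk: their SHA-256 images."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(n)]
    vk = [(H(s0), H(s1)) for (s0, s1) in sk]
    return sk, vk


def sign(sk: list, msg: bytes) -> List[bytes]:
    """Reveal, for each digest bit, the preimage stored at that position."""
    return [sk[i][b] for i, b in enumerate(_bits(H(msg), len(sk)))]


def sign_ver(vk: list, msg: bytes, sig: List[bytes]) -> bool:
    if len(sig) != len(vk):
        return False
    bits = _bits(H(msg), len(vk))
    return all(H(s) == vk[i][b] for i, (b, s) in enumerate(zip(bits, sig)))


def learn(known: Dict[Tuple[int, int], bytes], msg: bytes, sig: List[bytes]) -> None:
    """What an attacker records from each (msg, sig) pair issued under one vk."""
    for i, b in enumerate(_bits(H(msg), len(sig))):
        known[(i, b)] = sig[i]


def forge(known: Dict[Tuple[int, int], bytes], target: bytes, n: int) -> Optional[List[bytes]]:
    """Succeeds once every (position, bit) the target's digest needs has been
    revealed by earlier signatures: the reason the scheme is one-time."""
    sig = [known.get((i, b)) for i, b in enumerate(_bits(H(target), n))]
    return None if any(s is None for s in sig) else sig


# --- DDN: the bits vk_1 ... vk_n (n = |vk|) select one key per column.
def vk_bits(vk: list) -> List[int]:
    raw = b"".join(h0 + h1 for (h0, h1) in vk)
    return _bits(raw, 8 * len(raw))


def challenge_keys(vk_star: list) -> set:
    """Indices (i, vk*_i) of the keys ek_{i,vk*_i} the challenge ciphertext uses."""
    return {(i, b) for i, b in enumerate(vk_bits(vk_star))}


def reduction_keys(vk_star: list) -> set:
    """Indices of the keys dk_{i, not vk*_i} the Game 2 challenger keeps.
    Disjoint from challenge_keys(vk_star): no challenge key is ever held."""
    return {(i, 1 - b) for i, b in enumerate(vk_bits(vk_star))}


def decryptable_column(held: set, vk: list) -> Optional[int]:
    """A column j with vk_j != vk*_j, whose c_j the challenger can open.
    Returns None exactly when vk == vk*, the case Game 1 charges to Sigma."""
    for j, b in enumerate(vk_bits(vk)):
        if (j, b) in held:
            return j
    return None


def encode_triple(vk: list, c: bytes, proof: bytes) -> bytes:
    """Length-prefixed (vk, c, Pi): the message that sigma <- Sign_sk(vk, c, Pi) covers."""
    parts = [b"".join(h0 + h1 for (h0, h1) in vk), c, proof]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


if __name__ == "__main__":
    _, vk_star = sign_gen()                  # challenge key, chosen in advance
    held = reduction_keys(vk_star)
    _, vk = sign_gen()                       # a decryption query with a fresh vk
    print("Game 2 challenger can open column", decryptable_column(held, vk))
```

Two properties of the page's argument are visible here: `reduction_keys` and `challenge_keys` never overlap, which is what lets the CPA challenge key be planted in Game 4,i, and `decryptable_column` fails only for the exact key $vk^*$, which is the event Game 1 bounds with the signature. Running `forge` after several signatures under one key shows why DDN generates a fresh $(vk, sk)$ per ciphertext.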

Table 1: Values of $c^*_j$ for $j \le i$, $c^*_j$ for $j > i$, $\Pi^*$, $\mathrm{Dec}(\cdot)$, the conditions for $A$ to win in each game, and the property used to prove indistinguishability from the previous game.

| Game | $c^*_j$, $j \le i$ | $c^*_j$, $j > i$ | $\Pi^*$ | $\mathrm{Dec}(\cdot)$ | $A$ wins | Property |
|---|---|---|---|---|---|---|
| 0 | Enc(m) | Enc(m) | real | $c_1$ using $dk_1$ | $b = b'$ | |
| 1 | Enc(m) | Enc(m) | real | $c_1$ using $dk_1$ | $b = b'$ and Dec query does not use $vk^*$ | security of $\Sigma$ |
| 2 | Enc(m) | Enc(m) | real | $c_j$ using $dk_{j,vk_j}$ | $b = b'$ and Dec query does not use $vk^*$ | soundness |
| 3 | Enc(m) | Enc(m) | fake | $c_j$ using $dk_{j,vk_j}$ | $b = b'$ and Dec query does not use $vk^*$ | zero-knowledge |
| 4,i | Enc(0) | Enc(m) | fake | $c_j$ using $dk_{j,vk_j}$ | $b = b'$ and Dec query does not use $vk^*$ | CPA of $E$ |
| 5 | Enc(0) | Enc(0) | real | $c_j$ using $dk_{j,vk_j}$ | $b = b'$ and Dec query does not use $vk^*$ | zero-knowledge |
| 6 | Enc(0) | Enc(0) | real | $c_1$ using $dk_1$ | $b = b'$ and Dec query does not use $vk^*$ | soundness |
| 7 | Enc(0) | Enc(0) | real | $c_1$ using $dk_1$ | $b = b'$ | security of $\Sigma$ |

In the rows other than 4,i the split at $i$ is immaterial (both columns agree). "$c_1$ using $dk_1$" means $\mathrm{Dec}(dk_{1,vk_1}, c_1)$ with $dk = (dk_{1,0}, dk_{1,1})$; "$c_j$ using $dk_{j,vk_j}$" means decryption at an index $j$ with $vk_j \neq vk^*_j$, as in game 2.

2.2 Naor, Yung [NY]

Let $E_1$ = (Gen$_1$, Enc$_1$, Dec$_1$) and $E_2$ = (Gen$_2$, Enc$_2$, Dec$_2$) be two CPA-secure encryption schemes. Let nizk-$\Pi$ = (nizk-gen, Prove, Ver) be a one-time simulation-sound NIZK protocol, and let Prove($c_1, c_2$) prove statements of the form "$\mathrm{Dec}_1(dk_1, c_1) = \mathrm{Dec}_2(dk_2, c_2)$", i.e. the two ciphertexts encrypt the same message (the natural witness is that message together with the encryption randomness).

Gen($1^\lambda$): $(ek_1, dk_1) \leftarrow$ Gen$_1(1^\lambda)$, $(ek_2, dk_2) \leftarrow$ Gen$_2(1^\lambda)$, $crs \leftarrow$ nizk-gen($1^\lambda$). Output $ek = (ek_1, ek_2, crs)$ and $dk = dk_1$ ($dk_2$ is discarded).

Enc$_{ek}(m)$: $c_1 \leftarrow \mathrm{Enc}_1(ek_1, m)$, $c_2 \leftarrow \mathrm{Enc}_2(ek_2, m)$, $\Pi \leftarrow$ Prove($c_1, c_2$). Output $c = (c_1, c_2, \Pi)$.

Dec$_{dk}(c_1, c_2, \Pi)$: if Ver($crs$, $(ek_1, ek_2, c_1, c_2)$, $\Pi$) $= 1$, output $m = \mathrm{Dec}_1(dk_1, c_1)$. Otherwise, reject.

Theorem 9 If $E_1$ and $E_2$ are CPA-secure and nizk-$\Pi$ is OT-SS-NIZK, then the encryption scheme described above is CCA-secure.

Proof: Consider the following sequence of games, and let $\Pr_i[A \text{ wins}]$ denote the probability that $A$ outputs the guess $b' = 1$ in game $i$, as in the proof of Theorem 8. Table 2 summarizes the games described below and the properties used to prove indistinguishability between consecutive games.

Game 0: Game 0 is the CCA game described above in the case when $A$ receives $\mathrm{Enc}(m)$: $c^*_1 = \mathrm{Enc}_1(ek_1, m)$, $c^*_2 = \mathrm{Enc}_2(ek_2, m)$, $\Pi^* = \mathrm{Prove}(c^*_1, c^*_2)$, and $\mathrm{Dec}(\cdot)$ decrypts $c_1$ with key $dk_1$.

Table 2: Values of $c^*_1$, $c^*_2$, $\Pi^*$, $\mathrm{Dec}(\cdot)$ in each game, and the property used to prove indistinguishability from the previous game.

| Game | $c^*_1$ | $c^*_2$ | $\Pi^*$ | $\mathrm{Dec}(\cdot)$ | Property |
|---|---|---|---|---|---|
| 0 | $\mathrm{Enc}_1(ek_1, m)$ | $\mathrm{Enc}_2(ek_2, m)$ | real | $c_1$ using $dk_1$ | |
| 1 | $\mathrm{Enc}_1(ek_1, m)$ | $\mathrm{Enc}_2(ek_2, m)$ | fake | $c_1$ using $dk_1$ | zero knowledge of nizk-$\Pi$ |
| 2 | $\mathrm{Enc}_1(ek_1, m)$ | $\mathrm{Enc}_2(ek_2, 0)$ | fake | $c_1$ using $dk_1$ | CPA of $E_2$ |
| 3 | $\mathrm{Enc}_1(ek_1, m)$ | $\mathrm{Enc}_2(ek_2, 0)$ | fake | $c_2$ using $dk_2$ | simulation-soundness of nizk-$\Pi$ |
| 4 | $\mathrm{Enc}_1(ek_1, 0)$ | $\mathrm{Enc}_2(ek_2, 0)$ | fake | $c_2$ using $dk_2$ | CPA of $E_1$ |
| 5 | $\mathrm{Enc}_1(ek_1, 0)$ | $\mathrm{Enc}_2(ek_2, 0)$ | real | $c_2$ using $dk_2$ | zero knowledge of nizk-$\Pi$ |
| 6 | $\mathrm{Enc}_1(ek_1, 0)$ | $\mathrm{Enc}_2(ek_2, 0)$ | real | $c_1$ using $dk_1$ | soundness of nizk-$\Pi$ |

Game 1: Game 1 is the same as game 0 except that $\Pi^*$ is a simulated proof. By zero knowledge of nizk-$\Pi$: $|\Pr_1[A \text{ wins}] - \Pr_0[A \text{ wins}]| = \mathrm{negl}(\lambda)$.

Game 2: Game 2 is the same as game 1 except that $c^*_2 = \mathrm{Enc}_2(ek_2, 0)$. The challenger never uses $dk_2$ in games 1 and 2, so a CPA adversary against $E_2$ can plant its challenge key as $ek_2$ and simulate everything else. By the CPA security of $E_2$: $|\Pr_2[A \text{ wins}] - \Pr_1[A \text{ wins}]| = \mathrm{negl}(\lambda)$. Note that from this game on, $\Pi^*$ is a simulated proof of a false statement ($c^*_1$ and $c^*_2$ encrypt different messages).

Game 3: Game 3 is the same as game 2 except that $\mathrm{Dec}(\cdot)$ decrypts $c_2$ with key $dk_2$. The two oracles can only differ on a query $(c_1, c_2, \Pi)$ whose proof is accepted although $\mathrm{Dec}_1(dk_1, c_1) \neq \mathrm{Dec}_2(dk_2, c_2)$, i.e. an accepting proof of a false statement produced after seeing one simulated proof of a false statement. Ordinary soundness says nothing about this situation, which is exactly why simulation soundness is needed. By one-time simulation-soundness of nizk-$\Pi$: $|\Pr_3[A \text{ wins}] - \Pr_2[A \text{ wins}]| = \mathrm{negl}(\lambda)$. (One case needs care: a query that reuses the challenge pair $(c^*_1, c^*_2)$ with a different accepting proof $\Pi \neq \Pi^*$ is a legal CCA query whose statement was queried to sim, so Definition 3 as stated does not cover it; the construction of Section 1.1 still rules it out, since the forgery argument in the proof of Theorem 5 only needs the new proof to differ from the simulated one.)

Game 4: Game 4 is the same as game 3 except that $c^*_1 = \mathrm{Enc}_1(ek_1, 0)$. Now $dk_1$ is never used, so by the CPA security of $E_1$: $|\Pr_4[A \text{ wins}] - \Pr_3[A \text{ wins}]| = \mathrm{negl}(\lambda)$.

Game 5: Game 5 is the same as game 4 except that $\Pi^* = \mathrm{Prove}(c^*_1, c^*_2)$, which is now a real proof of a true statement (both ciphertexts encrypt 0). By zero knowledge of nizk-$\Pi$: $|\Pr_5[A \text{ wins}] - \Pr_4[A \text{ wins}]| = \mathrm{negl}(\lambda)$.

Game 6: Game 6 is the same as game 5 except that $\mathrm{Dec}(\cdot)$ decrypts $c_1$ with key $dk_1$ again. Since $A$ now only sees a real proof of a true statement, plain soundness of nizk-$\Pi$ suffices: $|\Pr_6[A \text{ wins}] - \Pr_5[A \text{ wins}]| = \mathrm{negl}(\lambda)$.

We have proved that $|\Pr_6[A \text{ wins}] - \Pr_0[A \text{ wins}]| = \mathrm{negl}(\lambda)$. Notice that game 6 is the CCA game described above in the case when $A$ receives $\mathrm{Enc}(0)$. We have thus proven that $A$'s advantage in the CCA game is $\mathrm{negl}(\lambda)$. $\square$

Remark 10 If $E_1$ is CPA-secure and $E_2$ is CCA-secure, then nizk-$\Pi$ need not be simulation sound. But why create a CCA-secure encryption scheme from a CCA-secure encryption scheme? Because if $E_1$ is CPA-secure and $E_2$ is CCA-secure, the above construction gives a CCA-secure scheme that has the combined properties of $E_1$ and $E_2$. For example, if $E_1$ is a leakage-resilient CPA-secure scheme and $E_2$ is CCA-secure, then the construction above gives a leakage-resilient CCA-secure encryption scheme.

Remark 11 An important open problem in cryptography is the following: how to construct a CCA-secure encryption scheme from a CPA-secure encryption scheme without using NIZK?


More information

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,

More information

Oblivious Transfer (OT) and OT Extension

Oblivious Transfer (OT) and OT Extension Oblivious Transfer (OT) and OT Extension School on Secure Multiparty Computation Arpita Patra Arpita Patra Roadmap o Oblivious Transfer - Construction from `special PKE o OT Extension - IKNP OT extension

More information

Lecture 15 - Zero Knowledge Proofs

Lecture 15 - Zero Knowledge Proofs Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,

More information

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol Non-Interactive ZK: The Feige-Lapidot-Shamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof

More information

ZAPs and Non-Interactive Witness Indistinguishability from Indistinguishability Obfuscation

ZAPs and Non-Interactive Witness Indistinguishability from Indistinguishability Obfuscation ZAPs and Non-Interactive Witness Indistinguishability from Indistinguishability Obfuscation Nir Bitansky Omer Paneth February 12, 2015 Abstract We present new constructions of two-message and one-message

More information

Quasi-Adaptive NIZK for Linear Subspaces Revisited

Quasi-Adaptive NIZK for Linear Subspaces Revisited Quasi-Adaptive NIZK for Linear Subspaces Revisited Eike Kiltz and Hoeteck Wee 1 Ruhr-Universität Bochum 2 ENS, Paris Abstract. Non-interactive zero-knowledge (NIZK) proofs for algebraic relations in a

More information

Magic Functions. In Memoriam Bernard M. Dwork

Magic Functions. In Memoriam Bernard M. Dwork Magic Functions In Memoriam Bernard M. Dwork 1923 1998 Cynthia Dwork Moni Naor Omer Reingold Larry Stockmeyer Abstract We prove that three apparently unrelated fundamental problems in distributed computing,

More information

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004 CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key

More information

Publicly Verifiable Software Watermarking

Publicly Verifiable Software Watermarking Publicly Verifiable Software Watermarking Aloni Cohen Justin Holmgren Vinod Vaikuntanathan April 22, 2015 Abstract Software Watermarking is the process of transforming a program into a functionally equivalent

More information

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3. COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption

More information

Constant-Round Non-Malleable Commitments from Any One-Way Function

Constant-Round Non-Malleable Commitments from Any One-Way Function Constant-Round Non-Malleable Commitments from Any One-Way Function Huijia Lin Rafael Pass Abstract We show unconditionally that the existence of commitment schemes implies the existence of constant-round

More information

Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation

Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation Dongxue Pan 1,2, Hongda Li 1,2, Peifang Ni 1,2 1 The Data Assurance and Communication

More information

1 Recap: Interactive Proofs

1 Recap: Interactive Proofs Theoretical Foundations of Cryptography Lecture 16 Georgia Tech, Spring 2010 Zero-Knowledge Proofs 1 Recap: Interactive Proofs Instructor: Chris Peikert Scribe: Alessio Guerrieri Definition 1.1. An interactive

More information

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor

More information

Lecture 5, CPA Secure Encryption from PRFs

Lecture 5, CPA Secure Encryption from PRFs CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and

More information

Making the Best of a Leaky Situation: Zero-Knowledge PCPs from Leakage-Resilient Circuits

Making the Best of a Leaky Situation: Zero-Knowledge PCPs from Leakage-Resilient Circuits Making the Best of a Leaky Situation: Zero-Knowledge PCPs from Leakage-Resilient Circuits Yuval Ishai Mor Weiss Guang Yang Abstract A Probabilistically Checkable Proof PCP) allows a randomized verifier,

More information

Katz, Lindell Introduction to Modern Cryptrography

Katz, Lindell Introduction to Modern Cryptrography Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key

More information

COS Cryptography - Final Take Home Exam

COS Cryptography - Final Take Home Exam COS 433 - Cryptography - Final Take Home Exam Boaz Barak May 12, 2010 Read these instructions carefully before starting to work on the exam. If any of them are not clear, please email me before you start

More information

Constant-round Non-Malleable Commitments from Any One-Way Function

Constant-round Non-Malleable Commitments from Any One-Way Function Constant-round Non-Malleable Commitments from Any One-Way Function Huijia Lin Rafael Pass September 2, 2010 Abstract We show unconditionally that the existence of commitment schemes implies the existence

More information

Compactly Hiding Linear Spans

Compactly Hiding Linear Spans Published in T. Iwata and J. H. Cheon, Eds., Advances in Cryptology ASIACYPT 2015, Part I, vol. 9452 of Lecture Notes in Computer Science, pp. 681-707, Springer, 2015. Compactly Hiding Linear Spans Tightly

More information

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it

More information

Relations Among Notions of Security for Public-Key Encryption Schemes. Debdeep Mukhopadhyay IIT Kharagpur. Notions

Relations Among Notions of Security for Public-Key Encryption Schemes. Debdeep Mukhopadhyay IIT Kharagpur. Notions Relations Among Notions of Security for Public-Key Encryption Schemes Debdeep Muhopadhyay IIT Kharagpur Notions To organize the definitions of secure encryptions Classified depending on: security goals:

More information

Additive Conditional Disclosure of Secrets

Additive Conditional Disclosure of Secrets Additive Conditional Disclosure of Secrets Sven Laur swen@math.ut.ee Helsinki University of Technology Motivation Consider standard two-party computation protocol. x f 1 (x, y) m 1 m2 m r 1 mr f 2 (x,

More information

On Post-Quantum Cryptography

On Post-Quantum Cryptography On Post-Quantum Cryptography Ehsan Ebrahimi Quantum Cryptography Group University of Tartu, Estonia 15 March 2018 Information Security and Cryptography Group Seminar Post-Quantum Cryptography Users intend

More information

CMSC 858K Advanced Topics in Cryptography March 4, 2004

CMSC 858K Advanced Topics in Cryptography March 4, 2004 CMSC 858K Advanced Topics in Cryptography March 4, 2004 Lecturer: Jonathan Katz Lecture 12 Scribe(s): Omer Horvitz Zhongchao Yu John Trafton Akhil Gupta 1 Introduction Our goal is to construct an adaptively-secure

More information

Cryptographic Security of Macaroon Authorization Credentials

Cryptographic Security of Macaroon Authorization Credentials Cryptographic ecurity of Macaroon Authorization Credentials Adriana López-Alt New York University ecember 6, 2013 Abstract Macaroons, recently introduced by Birgisson et al. [BPUE + 14], are authorization

More information

Post-quantum security models for authenticated encryption

Post-quantum security models for authenticated encryption Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that

More information

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers 1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and

More information

Gentry IBE Paper Reading

Gentry IBE Paper Reading Gentry IBE Paper Reading Y. Jiang 1 1 University of Wollongong September 5, 2014 Literature Craig Gentry. Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology - EUROCRYPT

More information

Bounded CCA2-Secure Non-Malleable Encryption Rafael Pass, Abhi Shelat, and Vinod Vaikuntanathan

Bounded CCA2-Secure Non-Malleable Encryption Rafael Pass, Abhi Shelat, and Vinod Vaikuntanathan Computer Science and Artificial Intelligence Laoratory Technical Report MIT-CSAIL-TR-2006-081 Decemer 14, 2006 Bounded CCA2-Secure Non-Malleale Encryption Rafael Pass, Ahi Shelat, and Vinod Vaikuntanathan

More information

Block ciphers And modes of operation. Table of contents

Block ciphers And modes of operation. Table of contents Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation

More information

Augmented Black-Box Simulation and Zero Knowledge Argument for NP

Augmented Black-Box Simulation and Zero Knowledge Argument for NP Augmented Black-Box Simulation and Zero Knowledge Argument for N Li Hongda, an Dongxue, Ni eifang The Data Assurance and Communication Security Research Center, School of Cyber Security, University of

More information

4-3 A Survey on Oblivious Transfer Protocols

4-3 A Survey on Oblivious Transfer Protocols 4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of

More information

2 Message authentication codes (MACs)

2 Message authentication codes (MACs) CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from

More information

Constant-Round Non-Malleable Commitments from Any One-Way Function

Constant-Round Non-Malleable Commitments from Any One-Way Function Constant-Round Non-Malleable Commitments from Any One-Way Function Huijia Lin Rafael Pass September 1, 2011 Abstract We show unconditionally that the existence of commitment schemes implies the existence

More information

Lecture 15: Interactive Proofs

Lecture 15: Interactive Proofs COM S 6830 Cryptography Tuesday, October 20, 2009 Instructor: Rafael Pass Lecture 15: Interactive Proofs Scribe: Chin Isradisaikul In this lecture we discuss a new kind of proofs that involves interaction

More information

A Transform for NIZK Almost as Efficient and General as the Fiat-Shamir Transform Without Programmable Random Oracles

A Transform for NIZK Almost as Efficient and General as the Fiat-Shamir Transform Without Programmable Random Oracles A Transform for NIZK Almost as Efficient and General as the Fiat-Shamir Transform Without Programmable Random Oracles Michele Ciampi DIEM University of Salerno ITALY mciampi@unisa.it Giuseppe Persiano

More information

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index

More information

On The (In)security Of Fischlin s Paradigm

On The (In)security Of Fischlin s Paradigm On The (In)security Of Fischlin s Paradigm PRABHANJAN ANANTH Microsoft Research India prabhanjan.va@gmail.com RAGHAV BHASKAR Microsoft Research India rbhaskar@microsoft.com VIPUL GOYAL Microsoft Research

More information

On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups

On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups Goichiro Hanaoka, Takahiro Matsuda, Jacob C.N. Schuldt Research Institute for Secure Systems (RISEC)

More information

Non-Conversation-Based Zero Knowledge

Non-Conversation-Based Zero Knowledge Non-Conversation-Based Zero Knowledge JOËL ALWEN Università di Salerno 84084 Fisciano (SA) ITALY jfa237@nyu.edu GIUSEPPE PERSIANO Università di Salerno 84084 Fisciano (SA) ITALY giuper@dia.unisa.it Submission

More information

Non-Interactive Zero-Knowledge from Homomorphic Encryption. Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU)

Non-Interactive Zero-Knowledge from Homomorphic Encryption. Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU) Non-Interactive Zero-Knowledge from Homomorphic Encryption Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU) January 27th, 2006 NYU Crypto Reading Group Zero-Knowledge and Interaction

More information

Lattice-Based Dual Receiver Encryption and More

Lattice-Based Dual Receiver Encryption and More Lattice-Based Dual Receiver Encryption and More Daode Zhang 1,2, Kai Zhang 3,(, Bao Li 1,2, Xianhui Lu 1,2, Haiyang Xue 1,2, and Jie Li 1,2 1 School of Cyber Security, University of Chinese Academy of

More information

G Advanced Cryptography April 10th, Lecture 11

G Advanced Cryptography April 10th, Lecture 11 G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems

More information