Lossy Trapdoor Functions and Their Applications
|
|
- Francine Park
- 5 years ago
- Views:
Transcription
1 1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International
2 On Losing Information 2 / 15
3 On Losing Information 2 / 15
4 On Losing Information 2 / 15
5 On Losing Information 2 / 15
6 On Losing Information 2.3 MB 0.4 MB 2 / 15
7 On Losing Information 2 / 15
8 2 / 15 On Losing Information Lossy object indistinguishable from original
9 3 / 15 This Talk 1 Trapdoor functions without factoring: discrete log & lattices
10 3 / 15 This Talk 1 Trapdoor functions without factoring: discrete log & lattices 2 Black-box chosen-ciphertext security via randomness recovery
11 3 / 15 This Talk 1 Trapdoor functions without factoring: discrete log & lattices 2 Black-box chosen-ciphertext security via randomness recovery 3 A new general primitive: Lossy Trapdoor Functions
12 4 / 15 Public Key Cryptography 1-1 Trapdoor Functions ( F, F 1 ) S x {0, 1} n F F(x) {0, 1} N
13 4 / 15 Public Key Cryptography 1-1 Trapdoor Functions ( F, F 1 ) S x {0, 1} n F F(x) {0, 1} N
14 4 / 15 Public Key Cryptography 1-1 Trapdoor Functions ( F, F 1 ) S x {0, 1} n F 1 F F(x) {0, 1} N
15 4 / 15 Public Key Cryptography 1-1 Trapdoor Functions Public Key Encryption ( F, F 1 ) S ( E, D) S x {0, 1} n m r F 1 F F(x) E(m ; r) {0, 1} N {0, 1} N
16 4 / 15 Public Key Cryptography 1-1 Trapdoor Functions Public Key Encryption ( F, F 1 ) S ( E, D) S x {0, 1} n m r F 1 F D F(x) E(m ; r) {0, 1} N {0, 1} N
17 5 / 15 Realizing Public Key Crypto Factoring Discrete log Lattices PKE [RSA,... ] [ElGamal] [AD,R1,R2] CCA [DDN,...,CS2] [CS1]?? TDF [RSA,R,P]????
18 5 / 15 Realizing Public Key Crypto Factoring Discrete log Lattices PKE [RSA,... ] [ElGamal] [AD,R1,R2] CCA [DDN,...,CS2] [CS1]?? TDF [RSA,R,P]???? Lattice-Based Crypto: Simple & parallelizable Resist quantum algorithms (so far) Security from worst-case assumptions [Ajtai,... ]
19 5 / 15 Realizing Public Key Crypto Factoring Discrete log Lattices PKE [RSA,... ] [ElGamal] [AD,R1,R2] CCA [DDN,...,CS2] [CS1]?? TDF [RSA,R,P]???? Black-Box Separations: [GMR] PKE [GMM] TDF CCA
20 5 / 15 Realizing Public Key Crypto Factoring Discrete log Lattices PKE [RSA,... ] [ElGamal] [AD,R1,R2] CCA [DDN,...,CS2] [CS1] TDF [RSA,R,P] This Work: Factoring TDF Disc log Lossy TDF CCA Lattices CRHF, OT,...
21 6 / 15 Lossy Trapdoor Functions ( F, F 1 ) S inj x {0, 1} n F 1 F {0, 1} N
22 6 / 15 Lossy Trapdoor Functions ( F, F 1 ) S inj F S loss x {0, 1} n x {0, 1} n F 1 F F {0, 1} N Im(F) = 2 r 2 n {0, 1} N
23 6 / 15 Lossy Trapdoor Functions ( F, F 1 ) S inj F S loss x {0, 1} n x {0, 1} n F 1 F F {0, 1} N Im(F) = 2 r 2 n {0, 1} N
24 6 / 15 Lossy Trapdoor Functions F c F ( F, F 1 ) S inj F S loss x {0, 1} n x {0, 1} n F 1 F F {0, 1} N Im(F) = 2 r 2 n {0, 1} N
25 Lossy TDFs 1-1 Trapdoor Functions Theorem S inj generates 1-1 trapdoor functions (F, F 1 ). 7 / 15
26 Lossy TDFs 1-1 Trapdoor Functions Theorem S inj generates 1-1 trapdoor functions (F, F 1 ). Efficient I wants to invert F. {0, 1} n S inj x F I? = x 7 / 15
27 Lossy TDFs 1-1 Trapdoor Functions Theorem S inj generates 1-1 trapdoor functions (F, F 1 ). Efficient I wants to invert F. {0, 1} n S loss x F I = x 7 / 15
28 Lossy TDFs 1-1 Trapdoor Functions Theorem S inj generates 1-1 trapdoor functions (F, F 1 ). Efficient I wants to invert F. {0, 1} n S loss x F I = x F(x) has 2 n r preimages (on average). 7 / 15
29 Lossy TDFs 1-1 Trapdoor Functions Theorem S inj generates 1-1 trapdoor functions (F, F 1 ). Efficient I wants to invert F. {0, 1} n S loss x F I = x F(x) has 2 n r preimages (on average). Main Technique Swapping F with F yields statistically secure system. 7 / 15
30 8 / 15 Lossy TDFs Public-Key Encryption Hard-core functions [GoldreichLevin] the lazy way.
31 8 / 15 Lossy TDFs Public-Key Encryption Hard-core functions [GoldreichLevin] the lazy way. Pairwise independent H : {0, 1} n {0, 1} k for k n r.
32 8 / 15 Lossy TDFs Public-Key Encryption Hard-core functions [GoldreichLevin] the lazy way. Pairwise independent H : {0, 1} n {0, 1} k for k n r. x F H F(x) H(x)
33 8 / 15 Lossy TDFs Public-Key Encryption Hard-core functions [GoldreichLevin] the lazy way. Pairwise independent H : {0, 1} n {0, 1} k for k n r. x F H F(x) H(x)
34 8 / 15 Lossy TDFs Public-Key Encryption Hard-core functions [GoldreichLevin] the lazy way. Pairwise independent H : {0, 1} n {0, 1} k for k n r. entropy k x F H F(x) H(x) k unif bits [ILL,DRS]
35 8 / 15 Lossy TDFs Public-Key Encryption Hard-core functions [GoldreichLevin] the lazy way. Pairwise independent H : {0, 1} n {0, 1} k for k n r. entropy k x F H F(x) H(x) k unif bits [ILL,DRS] Public key (F, H), secret key F 1. Encrypt m {0, 1} k as (F(x), m H(x)).
36 9 / 15 Chosen Ciphertext-Secure Encryption Intuitive Definition [DDN,NY,RS] Encryption hides message, even with decryption oracle
37 9 / 15 Chosen Ciphertext-Secure Encryption Intuitive Definition [DDN,NY,RS] Encryption hides message, even with decryption oracle Why It Matters Correct security notion for active adversaries Real-world attacks on protocols [Bleichenbacher,JKS]
38 9 / 15 Chosen Ciphertext-Secure Encryption Intuitive Definition [DDN,NY,RS] Encryption hides message, even with decryption oracle Why It Matters Correct security notion for active adversaries Real-world attacks on protocols [Bleichenbacher,JKS] Technical Difficulty Verify ciphertext is well-formed Usually via zero-knowledge proof Our approach: recover randomness
39 10 / 15 All-But-One TDFs G(b, x) has extra parameter: branch b {0, 1} n.
40 10 / 15 All-But-One TDFs G(b, x) has extra parameter: branch b {0, 1} n. Generate (G, G 1 ) with hidden lossy branch l.
41 10 / 15 All-But-One TDFs G(b, x) has extra parameter: branch b {0, 1} n. Generate (G, G 1 ) with hidden lossy branch l. G(0, ) G(1, ) G G(l, ) G(l + 1, )
42 10 / 15 All-But-One TDFs G(b, x) has extra parameter: branch b {0, 1} n. Generate (G, G 1 ) with hidden lossy branch l. G(0, ) G(1, ) G G(l, ) G(l + 1, ) Lossy TDFs all-but-one TDFs.
43 11 / 15 Lossy TDFs CCA-Secure Encryption F 1 KeyGen ( F, G, H )
44 11 / 15 Lossy TDFs CCA-Secure Encryption F 1 KeyGen Encrypt ( F, G, H ) m y 1 = F(x) y 2 = G(b, x) c = H(x) m
45 11 / 15 Lossy TDFs CCA-Secure Encryption F 1 KeyGen Encrypt Decrypt ( F, G, H ) m y 1 = F(x) y 2 = G(b, x) c = H(x) m y 1 y 2 c
46 11 / 15 Lossy TDFs CCA-Secure Encryption F 1 KeyGen ( F, G, H ) Encrypt m y 1 = F(x) y 2 = G(b, x) c = H(x) m Decrypt Recover x = F 1 (y 1 ). Reencrypt & check. y 1 y 2 c
47 11 / 15 Lossy TDFs CCA-Secure Encryption F 1 KeyGen ( F, G, H ) Encrypt m Decrypt Recover x = F 1 (y 1 ). Reencrypt & check. y 1 = F(x) y 2 = G(b, x) c = H(x) m y 1 y 2 c c H(x) or
48 11 / 15 Lossy TDFs CCA-Secure Encryption F 1 KeyGen ( F, G, H ) Challenge m Decrypt Recover x = F 1 (y 1 ). Reencrypt & check. y 1 = F(x) y 2 = G(l, x) c = H(x) m y 1 y 2 c c H(x) or
49 11 / 15 Lossy TDFs CCA-Secure Encryption G 1 KeyGen ( F, G, H ) Challenge m Decrypt Recover x = G 1 (y 2 ). Reencrypt & check. y 1 = F(x) y 2 = G(l, x) c = H(x) m y 1 y 2 c c H(x) or
50 11 / 15 Lossy TDFs CCA-Secure Encryption G 1 KeyGen ( F, G, H ) Challenge m Decrypt Recover x = G 1 (y 2 ). Reencrypt & check. y 1 = F(x) y 2 = G(l, x) c = H(x) m y 1 y 2 c c H(x) or
51 11 / 15 Lossy TDFs CCA-Secure Encryption G 1 KeyGen ( F, G, H ) Challenge m Decrypt Recover x = G 1 (y 2 ). Reencrypt & check. y 1 = F(x) y 2 = G(l, x) c = H(x) m y 1 y 2 c c H(x) or Challenge ciphertext hides m statistically.
52 11 / 15 Lossy TDFs CCA-Secure Encryption G 1 KeyGen ( F, G, H ) Challenge m Decrypt Recover x = G 1 (y 2 ). Reencrypt & check. y 1 = F(x) y 2 = G(l, x) c = H(x) m y 1 y 2 c c H(x) or Challenge ciphertext hides m statistically. (One-time signature for CCA2 security. [DolevDworkNaor])
53 12 / 15 Realizing Lossy TDFs Use any (additively) homomorphic cryptosystem.
54 12 / 15 Realizing Lossy TDFs Use any (additively) homomorphic cryptosystem. Encrypted n n matrix: I for F, 0 for F. F 1 is decryption key.
55 12 / 15 Realizing Lossy TDFs Use any (additively) homomorphic cryptosystem. Encrypted n n matrix: I for F, 0 for F. F 1 is decryption key. F(x) computed by encrypted linear algebra.
56 12 / 15 Realizing Lossy TDFs Use any (additively) homomorphic cryptosystem. Encrypted n n matrix: I for F, 0 for F. F 1 is decryption key. F(x) computed by encrypted linear algebra x 1 x 2. x n = x 1 x 2. x n
57 12 / 15 Realizing Lossy TDFs Use any (additively) homomorphic cryptosystem. Encrypted n n matrix: I for F, 0 for F. F 1 is decryption key. F(x) computed by encrypted linear algebra x 1 x 2. x n =
58 12 / 15 Realizing Lossy TDFs Use any (additively) homomorphic cryptosystem. Encrypted n n matrix: I for F, 0 for F. F 1 is decryption key. F(x) computed by encrypted linear algebra x 1 x 2. x n = Randomness in each 0 leaks information!
59 13 / 15 Realizing Lossy TDFs (Really) Homomorphic cryptosystem with special properties:
60 13 / 15 Realizing Lossy TDFs (Really) Homomorphic cryptosystem with special properties: 1 Secure to reuse randomness across different keys
61 13 / 15 Realizing Lossy TDFs (Really) Homomorphic cryptosystem with special properties: 1 Secure to reuse randomness across different keys 2 Homomorphism isolates randomness
62 13 / 15 Realizing Lossy TDFs (Really) Homomorphic cryptosystem with special properties: 1 Secure to reuse randomness across different keys 2 Homomorphism isolates randomness 0 ; r 1 0 ; r 1. 0 ; r 1
63 13 / 15 Realizing Lossy TDFs (Really) Homomorphic cryptosystem with special properties: 1 Secure to reuse randomness across different keys 2 Homomorphism isolates randomness 0 ; r 1 0 ; r 2 0 ; r 1 0 ; r 2. 0 ; r 1 0 ; r 2
64 13 / 15 Realizing Lossy TDFs (Really) Homomorphic cryptosystem with special properties: 1 Secure to reuse randomness across different keys 2 Homomorphism isolates randomness 0 ; r 1 0 ; r 2 0 ; r n 0 ; r 1 0 ; r 2 0 ; r n ; r 1 0 ; r 2 0 ; r n
65 13 / 15 Realizing Lossy TDFs (Really) Homomorphic cryptosystem with special properties: 1 Secure to reuse randomness across different keys 2 Homomorphism isolates randomness 0 ; r 1 0 ; r 2 0 ; r n 0 ; r 1 0 ; r 2 0 ; r n ; r 1 0 ; r 2 0 ; r n x 1 x 2. x n = 0 ; R 0 ; R. 0 ; R
66 13 / 15 Realizing Lossy TDFs (Really) Homomorphic cryptosystem with special properties: 1 Secure to reuse randomness across different keys 2 Homomorphism isolates randomness 0 ; r 1 0 ; r 2 0 ; r n 0 ; r 1 0 ; r 2 0 ; r n ; r 1 0 ; r 2 0 ; r n x 1 x 2. x n = 0 ; R 0 ; R. 0 ; R Just need n > R for lossiness.
67 14 / 15 Concrete Assumptions 1 Decisional Diffie-Hellman (DDH) on cyclic groups Additive homomorphism in ElGamal: message in the exponent Reusing randomness [NaorReingold,Kurosawa,... ]
68 14 / 15 Concrete Assumptions 1 Decisional Diffie-Hellman (DDH) on cyclic groups Additive homomorphism in ElGamal: message in the exponent Reusing randomness [NaorReingold,Kurosawa,... ] 2 Learning With Errors (LWE) on lattices [Regev] Bounded homomorphism Reuse most randomness but not the error terms
69 15 / 15 Future Directions Other applications of lossy TDFs (NIZK, PIR,...?)
70 15 / 15 Future Directions Other applications of lossy TDFs (NIZK, PIR,...?) Natural trapdoors for lattices [GPV]
71 15 / 15 Future Directions Other applications of lossy TDFs (NIZK, PIR,...?) Natural trapdoors for lattices [GPV] Other indistinguishable properties of huge objects?
Lossy Trapdoor Functions and Their Applications
Lossy Trapdoor Functions and Their Applications Chris Peikert SRI International Brent Waters SRI International August 29, 2008 Abstract We propose a general cryptographic primitive called lossy trapdoor
More informationTrapdoor functions from the Computational Diffie-Hellman Assumption
Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad Hajiabadi 1,2 1 University of California, Berkeley 2 University of Virginia August 22, 2018 1 / 18 Classical Public-Key
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationPeculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology
1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 2 / 19 Talk Agenda Encryption schemes
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More information14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University
14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption Victor Shoup New York University A Historical Perspective The wild years (mid 70 s-mid 80 s): Diffie-Hellman, RSA, ElGamal The
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationLossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems
Lossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems Brett Hemenway UCLA bretth@mathuclaedu Rafail Ostrovsky UCLA rafail@csuclaedu January 9, 2010 Abstract In STOC 08, Peikert and Waters
More informationTighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationPublic-Key Cryptosystems from the Worst-Case Shortest Vector Problem. Chris Peikert Georgia Tech
1 / 14 Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert Georgia Tech Computer Security & Cryptography Workshop 12 April 2010 2 / 14 Talk Outline 1 State of Lattice-Based
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationCOS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7
COS 597C: Recent Developments in Program Obfuscation Lecture 7 10/06/16 Lecturer: Mark Zhandry Princeton University Scribe: Jordan Tran Notes for Lecture 7 1 Introduction In this lecture, we show how to
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationAdvanced Cryptography 03/06/2007. Lecture 8
Advanced Cryptography 03/06/007 Lecture 8 Lecturer: Victor Shoup Scribe: Prashant Puniya Overview In this lecture, we will introduce the notion of Public-Key Encryption. We will define the basic notion
More informationOn the power of non-adaptive quantum chosen-ciphertext attacks
On the power of non-adaptive quantum chosen-ciphertext attacks joint work with Gorjan Alagic (UMD, NIST), Stacey Jeffery (QuSoft, CWI), and Maris Ozols (QuSoft, UvA) Alexander Poremba August 29, 2018 Heidelberg
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationTrapdoors for Lattices: Simpler, Tighter, Faster, Smaller
Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech April 2012 1 / 16 Lattice-Based Cryptography y = g x mod p m e mod N e(g a,
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationChosen-Ciphertext Security from Subset Sum
Chosen-Ciphertext Security from Subset Sum Sebastian Faust 1, Daniel Masny 1, and Daniele Venturi 2 1 Horst-Görtz Institute for IT Security and Faculty of Mathematics, Ruhr-Universität Bochum, Bochum,
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationPseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions
Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions Crypto 2011 Daniele Micciancio Petros Mol August 17, 2011 1 Learning With Errors (LWE) secret public: integers n,
More information5.4 ElGamal - definition
5.4 ElGamal - definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is
More informationReport on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Finite Fields The finite field GF(q) exists iff q = p e for some prime p. Example: GF(9) GF(9) = {a + bi a, b Z 3, i 2 = i + 1} = {0, 1, 2, i, 1+i, 2+i, 2i, 1+2i, 2+2i} Addition:
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More informationCONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS
CONSRUCIONS SECURE AGAINS RECEIVER SELECIVE OPENING AND CHOSEN CIPHEREX AACKS Dingding Jia, Xianhui Lu, Bao Li jiadingding@iie.ac.cn C-RSA 2017 02-17 Outline Background Motivation Our contribution Existence:
More informationCS 395T. Probabilistic Polynomial-Time Calculus
CS 395T Probabilistic Polynomial-Time Calculus Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is
More informationOn Notions of Security for Deterministic Encryption, and Efficient Constructions without Random Oracles
A preliminary version of this paper appears in Advances in Cryptology - CRYPTO 2008, 28th Annual International Cryptology Conference, D. Wagner ed., LNCS, Springer, 2008. This is the full version. On Notions
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationThe Cramer-Shoup Cryptosystem
The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive
More informationLecture Note 3 Date:
P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................
More informationCosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks
1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 17.1.2017 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationAdvanced Topics in Cryptography
Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,
More informationRSA-OAEP and Cramer-Shoup
RSA-OAEP and Cramer-Shoup Olli Ahonen Laboratory of Physics, TKK 11th Dec 2007 T-79.5502 Advanced Cryptology Part I: Outline RSA, OAEP and RSA-OAEP Preliminaries for the proof Proof of IND-CCA2 security
More informationMultiparty Computation
Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:
More informationOn error distributions in ring-based LWE
On error distributions in ring-based LWE Wouter Castryck 1,2, Ilia Iliashenko 1, Frederik Vercauteren 1,3 1 COSIC, KU Leuven 2 Ghent University 3 Open Security Research ANTS-XII, Kaiserslautern, August
More informationAn Overview of Homomorphic Encryption
An Overview of Homomorphic Encryption Alexander Lange Department of Computer Science Rochester Institute of Technology Rochester, NY 14623 May 9, 2011 Alexander Lange (RIT) Homomorphic Encryption May 9,
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Zvika Brakerski 1 Adeline Langlois 2 Chris Peikert 3 Oded Regev 4 Damien Stehlé 2 1 Stanford University 2 ENS de Lyon 3 Georgia Tech 4 New York University Our
More informationLeakage Resilient ElGamal Encryption
Asiacrypt 2010, December 9th, Singapore Outline 1 Hybrid Encryption, the KEM/DEM framework 2 ElGamal KEM 3 Leakage Resilient Crypto Why? How? Other models? 4 Leakage Resilient ElGamal CCA1 secure KEM (Key
More informationWhite-Box Security Notions for Symmetric Encryption Schemes
White-Box Security Notions for Symmetric Encryption Schemes Cécile Delerablée 1 Tancrède Lepoint 1,2 Pascal Paillier 1 Matthieu Rivain 1 CryptoExperts 1, École Normale Supérieure2 SAC 2013 Outline 1 What
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationA ROBUST AND PLAINTEXT-AWARE VARIANT OF SIGNED ELGAMAL ENCRYPTION
A ROBUST AND PLAINTEXT-AWARE VARIANT OF SIGNED ELGAMAL ENCRYPTION Joana Treger ANSSI, France. Session ID: CRYP-W21 Session Classification: Advanced ELGAMAL ENCRYPTION & BASIC CONCEPTS CDH / DDH Computational
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationLattice-Based Cryptography
Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum
More informationEfficient Public-Key Cryptography in the Presence of Key Leakage
Efficient Public-Key Cryptography in the Presence of Key Leakage Yevgeniy Dodis Kristiyan Haralambiev Adriana López-Alt Daniel Wichs August 17, 2010 Abstract We study the design of cryptographic primitives
More informationA Group Signature Scheme from Lattice Assumptions
A Group Signature Scheme from Lattice Assumptions S. Dov Gordon Jonathan Katz Vinod Vaikuntanathan Abstract Group signature schemes allow users to sign messages on behalf of a group while (1) maintaining
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationCryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97
Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr
More informationQuantum-secure symmetric-key cryptography based on Hidden Shifts
Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More information10 Concrete candidates for public key crypto
10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see
More informationDiscrete logarithm and related schemes
Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationLecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]
CMSC 858K Advanced Topics in Cryptography February 19, 2004 Lecturer: Jonathan Katz Lecture 8 Scribe(s): Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan 1 Introduction Last time we introduced
More informationCS Topics in Cryptography January 28, Lecture 5
CS 4501-6501 Topics in Cryptography January 28, 2015 Lecture 5 Lecturer: Mohammad Mahmoody Scribe: Ameer Mohammed 1 Learning with Errors: Motivation An important goal in cryptography is to find problems
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More informationNon-interactive Zaps and New Techniques for NIZK
Non-interactive Zaps and New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai July 10, 2006 Abstract In 2000, Dwork and Naor proved a very surprising result: that there exist Zaps, tworound witness-indistinguishable
More informationOded Regev Courant Institute, NYU
Fast er algorithm for the Shortest Vector Problem Oded Regev Courant Institute, NYU (joint with Aggarwal, Dadush, and Stephens-Davidowitz) A lattice is a set of points Lattices L={a 1 v 1 + +a n v n a
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationEfficient Chosen-Ciphtertext Secure Public Key Encryption Scheme From Lattice Assumption
Appl. Math. Inf. Sci. 8, No. 2, 633-638 (2014) 633 Applied Mathematics & Information Sciences An International Journal http://dx.doi.org/10.12785/amis/080221 Efficient Chosen-Ciphtertext Secure Public
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationNew and Improved Key-Homomorphic Pseudorandom Functions
New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO 14 19 August 2014 Outline 1 Introduction 2 Construction, Parameters
More information