Lossy Trapdoor Functions and Their Applications
Size: px
Start display at page:

Download "Lossy Trapdoor Functions and Their Applications"

Transcription

1 1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International

2 On Losing Information 2 / 15

3 On Losing Information 2 / 15

4 On Losing Information 2 / 15

5 On Losing Information 2 / 15

6 On Losing Information 2.3 MB 0.4 MB 2 / 15

7 On Losing Information 2 / 15

8 2 / 15 On Losing Information Lossy object indistinguishable from original

9 3 / 15 This Talk 1 Trapdoor functions without factoring: discrete log & lattices

10 3 / 15 This Talk 1 Trapdoor functions without factoring: discrete log & lattices 2 Black-box chosen-ciphertext security via randomness recovery

11 3 / 15 This Talk 1 Trapdoor functions without factoring: discrete log & lattices 2 Black-box chosen-ciphertext security via randomness recovery 3 A new general primitive: Lossy Trapdoor Functions

12 4 / 15 Public Key Cryptography 1-1 Trapdoor Functions ( F, F 1 ) S x {0, 1} n F F(x) {0, 1} N

13 4 / 15 Public Key Cryptography 1-1 Trapdoor Functions ( F, F 1 ) S x {0, 1} n F F(x) {0, 1} N

14 4 / 15 Public Key Cryptography 1-1 Trapdoor Functions ( F, F 1 ) S x {0, 1} n F 1 F F(x) {0, 1} N

15 4 / 15 Public Key Cryptography 1-1 Trapdoor Functions Public Key Encryption ( F, F 1 ) S ( E, D) S x {0, 1} n m r F 1 F F(x) E(m ; r) {0, 1} N {0, 1} N

16 4 / 15 Public Key Cryptography 1-1 Trapdoor Functions Public Key Encryption ( F, F 1 ) S ( E, D) S x {0, 1} n m r F 1 F D F(x) E(m ; r) {0, 1} N {0, 1} N

17 5 / 15 Realizing Public Key Crypto Factoring Discrete log Lattices PKE [RSA,... ] [ElGamal] [AD,R1,R2] CCA [DDN,...,CS2] [CS1]?? TDF [RSA,R,P]????

18 5 / 15 Realizing Public Key Crypto Factoring Discrete log Lattices PKE [RSA,... ] [ElGamal] [AD,R1,R2] CCA [DDN,...,CS2] [CS1]?? TDF [RSA,R,P]???? Lattice-Based Crypto: Simple & parallelizable Resist quantum algorithms (so far) Security from worst-case assumptions [Ajtai,... ]

19 5 / 15 Realizing Public Key Crypto Factoring Discrete log Lattices PKE [RSA,... ] [ElGamal] [AD,R1,R2] CCA [DDN,...,CS2] [CS1]?? TDF [RSA,R,P]???? Black-Box Separations: [GMR] PKE [GMM] TDF CCA

20 5 / 15 Realizing Public Key Crypto Factoring Discrete log Lattices PKE [RSA,... ] [ElGamal] [AD,R1,R2] CCA [DDN,...,CS2] [CS1] TDF [RSA,R,P] This Work: Factoring TDF Disc log Lossy TDF CCA Lattices CRHF, OT,...

21 6 / 15 Lossy Trapdoor Functions ( F, F 1 ) S inj x {0, 1} n F 1 F {0, 1} N

22 6 / 15 Lossy Trapdoor Functions ( F, F 1 ) S inj F S loss x {0, 1} n x {0, 1} n F 1 F F {0, 1} N Im(F) = 2 r 2 n {0, 1} N

23 6 / 15 Lossy Trapdoor Functions ( F, F 1 ) S inj F S loss x {0, 1} n x {0, 1} n F 1 F F {0, 1} N Im(F) = 2 r 2 n {0, 1} N

24 6 / 15 Lossy Trapdoor Functions F c F ( F, F 1 ) S inj F S loss x {0, 1} n x {0, 1} n F 1 F F {0, 1} N Im(F) = 2 r 2 n {0, 1} N

25 Lossy TDFs 1-1 Trapdoor Functions Theorem S inj generates 1-1 trapdoor functions (F, F 1 ). 7 / 15

26 Lossy TDFs 1-1 Trapdoor Functions Theorem S inj generates 1-1 trapdoor functions (F, F 1 ). Efficient I wants to invert F. {0, 1} n S inj x F I? = x 7 / 15

27 Lossy TDFs 1-1 Trapdoor Functions Theorem S inj generates 1-1 trapdoor functions (F, F 1 ). Efficient I wants to invert F. {0, 1} n S loss x F I = x 7 / 15

28 Lossy TDFs 1-1 Trapdoor Functions Theorem S inj generates 1-1 trapdoor functions (F, F 1 ). Efficient I wants to invert F. {0, 1} n S loss x F I = x F(x) has 2 n r preimages (on average). 7 / 15

29 Lossy TDFs 1-1 Trapdoor Functions Theorem S inj generates 1-1 trapdoor functions (F, F 1 ). Efficient I wants to invert F. {0, 1} n S loss x F I = x F(x) has 2 n r preimages (on average). Main Technique Swapping F with F yields statistically secure system. 7 / 15

30 8 / 15 Lossy TDFs Public-Key Encryption Hard-core functions [GoldreichLevin] the lazy way.

31 8 / 15 Lossy TDFs Public-Key Encryption Hard-core functions [GoldreichLevin] the lazy way. Pairwise independent H : {0, 1} n {0, 1} k for k n r.

32 8 / 15 Lossy TDFs Public-Key Encryption Hard-core functions [GoldreichLevin] the lazy way. Pairwise independent H : {0, 1} n {0, 1} k for k n r. x F H F(x) H(x)

33 8 / 15 Lossy TDFs Public-Key Encryption Hard-core functions [GoldreichLevin] the lazy way. Pairwise independent H : {0, 1} n {0, 1} k for k n r. x F H F(x) H(x)

34 8 / 15 Lossy TDFs Public-Key Encryption Hard-core functions [GoldreichLevin] the lazy way. Pairwise independent H : {0, 1} n {0, 1} k for k n r. entropy k x F H F(x) H(x) k unif bits [ILL,DRS]

35 8 / 15 Lossy TDFs Public-Key Encryption Hard-core functions [GoldreichLevin] the lazy way. Pairwise independent H : {0, 1} n {0, 1} k for k n r. entropy k x F H F(x) H(x) k unif bits [ILL,DRS] Public key (F, H), secret key F 1. Encrypt m {0, 1} k as (F(x), m H(x)).

36 9 / 15 Chosen Ciphertext-Secure Encryption Intuitive Definition [DDN,NY,RS] Encryption hides message, even with decryption oracle

37 9 / 15 Chosen Ciphertext-Secure Encryption Intuitive Definition [DDN,NY,RS] Encryption hides message, even with decryption oracle Why It Matters Correct security notion for active adversaries Real-world attacks on protocols [Bleichenbacher,JKS]

38 9 / 15 Chosen Ciphertext-Secure Encryption Intuitive Definition [DDN,NY,RS] Encryption hides message, even with decryption oracle Why It Matters Correct security notion for active adversaries Real-world attacks on protocols [Bleichenbacher,JKS] Technical Difficulty Verify ciphertext is well-formed Usually via zero-knowledge proof Our approach: recover randomness

39 10 / 15 All-But-One TDFs G(b, x) has extra parameter: branch b {0, 1} n.

40 10 / 15 All-But-One TDFs G(b, x) has extra parameter: branch b {0, 1} n. Generate (G, G 1 ) with hidden lossy branch l.

41 10 / 15 All-But-One TDFs G(b, x) has extra parameter: branch b {0, 1} n. Generate (G, G 1 ) with hidden lossy branch l. G(0, ) G(1, ) G G(l, ) G(l + 1, )

42 10 / 15 All-But-One TDFs G(b, x) has extra parameter: branch b {0, 1} n. Generate (G, G 1 ) with hidden lossy branch l. G(0, ) G(1, ) G G(l, ) G(l + 1, ) Lossy TDFs all-but-one TDFs.

43 11 / 15 Lossy TDFs CCA-Secure Encryption F 1 KeyGen ( F, G, H )

44 11 / 15 Lossy TDFs CCA-Secure Encryption F 1 KeyGen Encrypt ( F, G, H ) m y 1 = F(x) y 2 = G(b, x) c = H(x) m

45 11 / 15 Lossy TDFs CCA-Secure Encryption F 1 KeyGen Encrypt Decrypt ( F, G, H ) m y 1 = F(x) y 2 = G(b, x) c = H(x) m y 1 y 2 c

46 11 / 15 Lossy TDFs CCA-Secure Encryption F 1 KeyGen ( F, G, H ) Encrypt m y 1 = F(x) y 2 = G(b, x) c = H(x) m Decrypt Recover x = F 1 (y 1 ). Reencrypt & check. y 1 y 2 c

47 11 / 15 Lossy TDFs CCA-Secure Encryption F 1 KeyGen ( F, G, H ) Encrypt m Decrypt Recover x = F 1 (y 1 ). Reencrypt & check. y 1 = F(x) y 2 = G(b, x) c = H(x) m y 1 y 2 c c H(x) or

48 11 / 15 Lossy TDFs CCA-Secure Encryption F 1 KeyGen ( F, G, H ) Challenge m Decrypt Recover x = F 1 (y 1 ). Reencrypt & check. y 1 = F(x) y 2 = G(l, x) c = H(x) m y 1 y 2 c c H(x) or

49 11 / 15 Lossy TDFs CCA-Secure Encryption G 1 KeyGen ( F, G, H ) Challenge m Decrypt Recover x = G 1 (y 2 ). Reencrypt & check. y 1 = F(x) y 2 = G(l, x) c = H(x) m y 1 y 2 c c H(x) or

50 11 / 15 Lossy TDFs CCA-Secure Encryption G 1 KeyGen ( F, G, H ) Challenge m Decrypt Recover x = G 1 (y 2 ). Reencrypt & check. y 1 = F(x) y 2 = G(l, x) c = H(x) m y 1 y 2 c c H(x) or

51 11 / 15 Lossy TDFs CCA-Secure Encryption G 1 KeyGen ( F, G, H ) Challenge m Decrypt Recover x = G 1 (y 2 ). Reencrypt & check. y 1 = F(x) y 2 = G(l, x) c = H(x) m y 1 y 2 c c H(x) or Challenge ciphertext hides m statistically.

52 11 / 15 Lossy TDFs CCA-Secure Encryption G 1 KeyGen ( F, G, H ) Challenge m Decrypt Recover x = G 1 (y 2 ). Reencrypt & check. y 1 = F(x) y 2 = G(l, x) c = H(x) m y 1 y 2 c c H(x) or Challenge ciphertext hides m statistically. (One-time signature for CCA2 security. [DolevDworkNaor])

53 12 / 15 Realizing Lossy TDFs Use any (additively) homomorphic cryptosystem.

54 12 / 15 Realizing Lossy TDFs Use any (additively) homomorphic cryptosystem. Encrypted n n matrix: I for F, 0 for F. F 1 is decryption key.

55 12 / 15 Realizing Lossy TDFs Use any (additively) homomorphic cryptosystem. Encrypted n n matrix: I for F, 0 for F. F 1 is decryption key. F(x) computed by encrypted linear algebra.

56 12 / 15 Realizing Lossy TDFs Use any (additively) homomorphic cryptosystem. Encrypted n n matrix: I for F, 0 for F. F 1 is decryption key. F(x) computed by encrypted linear algebra x 1 x 2. x n = x 1 x 2. x n

57 12 / 15 Realizing Lossy TDFs Use any (additively) homomorphic cryptosystem. Encrypted n n matrix: I for F, 0 for F. F 1 is decryption key. F(x) computed by encrypted linear algebra x 1 x 2. x n =

58 12 / 15 Realizing Lossy TDFs Use any (additively) homomorphic cryptosystem. Encrypted n n matrix: I for F, 0 for F. F 1 is decryption key. F(x) computed by encrypted linear algebra x 1 x 2. x n = Randomness in each 0 leaks information!

59 13 / 15 Realizing Lossy TDFs (Really) Homomorphic cryptosystem with special properties:

60 13 / 15 Realizing Lossy TDFs (Really) Homomorphic cryptosystem with special properties: 1 Secure to reuse randomness across different keys

61 13 / 15 Realizing Lossy TDFs (Really) Homomorphic cryptosystem with special properties: 1 Secure to reuse randomness across different keys 2 Homomorphism isolates randomness

62 13 / 15 Realizing Lossy TDFs (Really) Homomorphic cryptosystem with special properties: 1 Secure to reuse randomness across different keys 2 Homomorphism isolates randomness 0 ; r 1 0 ; r 1. 0 ; r 1

63 13 / 15 Realizing Lossy TDFs (Really) Homomorphic cryptosystem with special properties: 1 Secure to reuse randomness across different keys 2 Homomorphism isolates randomness 0 ; r 1 0 ; r 2 0 ; r 1 0 ; r 2. 0 ; r 1 0 ; r 2

64 13 / 15 Realizing Lossy TDFs (Really) Homomorphic cryptosystem with special properties: 1 Secure to reuse randomness across different keys 2 Homomorphism isolates randomness 0 ; r 1 0 ; r 2 0 ; r n 0 ; r 1 0 ; r 2 0 ; r n ; r 1 0 ; r 2 0 ; r n

65 13 / 15 Realizing Lossy TDFs (Really) Homomorphic cryptosystem with special properties: 1 Secure to reuse randomness across different keys 2 Homomorphism isolates randomness 0 ; r 1 0 ; r 2 0 ; r n 0 ; r 1 0 ; r 2 0 ; r n ; r 1 0 ; r 2 0 ; r n x 1 x 2. x n = 0 ; R 0 ; R. 0 ; R

66 13 / 15 Realizing Lossy TDFs (Really) Homomorphic cryptosystem with special properties: 1 Secure to reuse randomness across different keys 2 Homomorphism isolates randomness 0 ; r 1 0 ; r 2 0 ; r n 0 ; r 1 0 ; r 2 0 ; r n ; r 1 0 ; r 2 0 ; r n x 1 x 2. x n = 0 ; R 0 ; R. 0 ; R Just need n > R for lossiness.

67 14 / 15 Concrete Assumptions 1 Decisional Diffie-Hellman (DDH) on cyclic groups Additive homomorphism in ElGamal: message in the exponent Reusing randomness [NaorReingold,Kurosawa,... ]

68 14 / 15 Concrete Assumptions 1 Decisional Diffie-Hellman (DDH) on cyclic groups Additive homomorphism in ElGamal: message in the exponent Reusing randomness [NaorReingold,Kurosawa,... ] 2 Learning With Errors (LWE) on lattices [Regev] Bounded homomorphism Reuse most randomness but not the error terms

69 15 / 15 Future Directions Other applications of lossy TDFs (NIZK, PIR,...?)

70 15 / 15 Future Directions Other applications of lossy TDFs (NIZK, PIR,...?) Natural trapdoors for lattices [GPV]

71 15 / 15 Future Directions Other applications of lossy TDFs (NIZK, PIR,...?) Natural trapdoors for lattices [GPV] Other indistinguishable properties of huge objects?

Similar documents

Lossy Trapdoor Functions and Their Applications

Lossy Trapdoor Functions and Their Applications Lossy Trapdoor Functions and Their Applications Chris Peikert SRI International Brent Waters SRI International August 29, 2008 Abstract We propose a general cryptographic primitive called lossy trapdoor

More information

Trapdoor functions from the Computational Diffie-Hellman Assumption

Trapdoor functions from the Computational Diffie-Hellman Assumption Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad Hajiabadi 1,2 1 University of California, Berkeley 2 University of Virginia August 22, 2018 1 / 18 Classical Public-Key

More information

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf

More information

Peculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology

Peculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology 1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 2 / 19 Talk Agenda Encryption schemes

More information

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004 CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed

More information

14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University

14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University 14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption Victor Shoup New York University A Historical Perspective The wild years (mid 70 s-mid 80 s): Diffie-Hellman, RSA, ElGamal The

More information

Classical hardness of the Learning with Errors problem

Classical hardness of the Learning with Errors problem Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness

More information

Lossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems

Lossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems Lossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems Brett Hemenway UCLA bretth@mathuclaedu Rafail Ostrovsky UCLA rafail@csuclaedu January 9, 2010 Abstract In STOC 08, Peikert and Waters

More information

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT) 1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa

More information

Lecture 28: Public-key Cryptography. Public-key Cryptography

Lecture 28: Public-key Cryptography. Public-key Cryptography Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access

More information

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7 CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a

More information

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem. Chris Peikert Georgia Tech

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem. Chris Peikert Georgia Tech 1 / 14 Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert Georgia Tech Computer Security & Cryptography Workshop 12 April 2010 2 / 14 Talk Outline 1 State of Lattice-Based

More information

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.

More information

Public-Key Encryption: ElGamal, RSA, Rabin

Public-Key Encryption: ElGamal, RSA, Rabin Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption

More information

1 Number Theory Basics

1 Number Theory Basics ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his

More information

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem

More information

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7 COS 597C: Recent Developments in Program Obfuscation Lecture 7 10/06/16 Lecturer: Mark Zhandry Princeton University Scribe: Jordan Tran Notes for Lecture 7 1 Introduction In this lecture, we show how to

More information

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor

More information

Lecture 1: Introduction to Public key cryptography

Lecture 1: Introduction to Public key cryptography Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from

More information

Advanced Cryptography 03/06/2007. Lecture 8

Advanced Cryptography 03/06/2007. Lecture 8 Advanced Cryptography 03/06/007 Lecture 8 Lecturer: Victor Shoup Scribe: Prashant Puniya Overview In this lecture, we will introduce the notion of Public-Key Encryption. We will define the basic notion

More information

On the power of non-adaptive quantum chosen-ciphertext attacks

On the power of non-adaptive quantum chosen-ciphertext attacks On the power of non-adaptive quantum chosen-ciphertext attacks joint work with Gorjan Alagic (UMD, NIST), Stacey Jeffery (QuSoft, CWI), and Maris Ozols (QuSoft, UvA) Alexander Poremba August 29, 2018 Heidelberg

More information

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies

More information

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator

More information

Chapter 8 Public-key Cryptography and Digital Signatures

Chapter 8 Public-key Cryptography and Digital Signatures Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital

More information

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech April 2012 1 / 16 Lattice-Based Cryptography y = g x mod p m e mod N e(g a,

More information

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004 CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key

More information

Chosen-Ciphertext Security from Subset Sum

Chosen-Ciphertext Security from Subset Sum Chosen-Ciphertext Security from Subset Sum Sebastian Faust 1, Daniel Masny 1, and Daniele Venturi 2 1 Horst-Görtz Institute for IT Security and Faculty of Mathematics, Ruhr-Universität Bochum, Bochum,

More information

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017 Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total

More information

4-3 A Survey on Oblivious Transfer Protocols

4-3 A Survey on Oblivious Transfer Protocols 4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of

More information

Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions

Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions Crypto 2011 Daniele Micciancio Petros Mol August 17, 2011 1 Learning With Errors (LWE) secret public: integers n,

More information

5.4 ElGamal - definition

5.4 ElGamal - definition 5.4 ElGamal - definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is

More information

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

Report on Learning with Errors over Rings-based HILA5 and its CCA Security Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted

More information

Classical hardness of Learning with Errors

Classical hardness of Learning with Errors Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our

More information

Open problems in lattice-based cryptography

Open problems in lattice-based cryptography University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear

More information

Discrete Logarithm Problem

Discrete Logarithm Problem Discrete Logarithm Problem Finite Fields The finite field GF(q) exists iff q = p e for some prime p. Example: GF(9) GF(9) = {a + bi a, b Z 3, i 2 = i + 1} = {0, 1, 2, i, 1+i, 2+i, 2i, 1+2i, 2+2i} Addition:

More information

CRYPTANALYSIS OF COMPACT-LWE

CRYPTANALYSIS OF COMPACT-LWE SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption

More information

Lattice Based Crypto: Answering Questions You Don't Understand

Lattice Based Crypto: Answering Questions You Don't Understand Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key

More information

CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS

CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS CONSRUCIONS SECURE AGAINS RECEIVER SELECIVE OPENING AND CHOSEN CIPHEREX AACKS Dingding Jia, Xianhui Lu, Bao Li jiadingding@iie.ac.cn C-RSA 2017 02-17 Outline Background Motivation Our contribution Existence:

More information

CS 395T. Probabilistic Polynomial-Time Calculus

CS 395T. Probabilistic Polynomial-Time Calculus CS 395T Probabilistic Polynomial-Time Calculus Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is

More information

On Notions of Security for Deterministic Encryption, and Efficient Constructions without Random Oracles

On Notions of Security for Deterministic Encryption, and Efficient Constructions without Random Oracles A preliminary version of this paper appears in Advances in Cryptology - CRYPTO 2008, 28th Annual International Cryptology Conference, D. Wagner ed., LNCS, Springer, 2008. This is the full version. On Notions

More information

Notes for Lecture 16

Notes for Lecture 16 COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as

More information

Lecture 11: Key Agreement

Lecture 11: Key Agreement Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we

More information

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,

More information

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance

More information

Smooth Projective Hash Function and Its Applications

Smooth Projective Hash Function and Its Applications Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive

More information

Advanced Cryptography 1st Semester Public Encryption

Advanced Cryptography 1st Semester Public Encryption Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability

More information

Notes for Lecture 17

Notes for Lecture 17 U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,

More information

Provable security. Michel Abdalla

Provable security. Michel Abdalla Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only

More information

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4) Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message

More information

The Cramer-Shoup Cryptosystem

The Cramer-Shoup Cryptosystem The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive

More information

Lecture Note 3 Date:

Lecture Note 3 Date: P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................

More information

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks 1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some

More information

Question: Total Points: Score:

Question: Total Points: Score: University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please

More information

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4) Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message

More information

A survey on quantum-secure cryptographic systems

A survey on quantum-secure cryptographic systems A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum

More information

ECS 189A Final Cryptography Spring 2011

ECS 189A Final Cryptography Spring 2011 ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I

More information

Introduction to Modern Cryptography. Benny Chor

Introduction to Modern Cryptography. Benny Chor Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University

More information

G Advanced Cryptography April 10th, Lecture 11

G Advanced Cryptography April 10th, Lecture 11 G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems

More information

Cryptography and Security Final Exam

Cryptography and Security Final Exam Cryptography and Security Final Exam Serge Vaudenay 17.1.2017 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not

More information

Introduction to Cryptography. Lecture 8

Introduction to Cryptography. Lecture 8 Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication

More information

Advanced Topics in Cryptography

Advanced Topics in Cryptography Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,

More information

RSA-OAEP and Cramer-Shoup

RSA-OAEP and Cramer-Shoup RSA-OAEP and Cramer-Shoup Olli Ahonen Laboratory of Physics, TKK 11th Dec 2007 T-79.5502 Advanced Cryptology Part I: Outline RSA, OAEP and RSA-OAEP Preliminaries for the proof Proof of IND-CCA2 security

More information

Multiparty Computation

Multiparty Computation Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:

More information

On error distributions in ring-based LWE

On error distributions in ring-based LWE On error distributions in ring-based LWE Wouter Castryck 1,2, Ilia Iliashenko 1, Frederik Vercauteren 1,3 1 COSIC, KU Leuven 2 Ghent University 3 Open Security Research ANTS-XII, Kaiserslautern, August

More information

An Overview of Homomorphic Encryption

An Overview of Homomorphic Encryption An Overview of Homomorphic Encryption Alexander Lange Department of Computer Science Rochester Institute of Technology Rochester, NY 14623 May 9, 2011 Alexander Lange (RIT) Homomorphic Encryption May 9,

More information

Classical hardness of Learning with Errors

Classical hardness of Learning with Errors Classical hardness of Learning with Errors Zvika Brakerski 1 Adeline Langlois 2 Chris Peikert 3 Oded Regev 4 Damien Stehlé 2 1 Stanford University 2 ENS de Lyon 3 Georgia Tech 4 New York University Our

More information

Leakage Resilient ElGamal Encryption

Leakage Resilient ElGamal Encryption Asiacrypt 2010, December 9th, Singapore Outline 1 Hybrid Encryption, the KEM/DEM framework 2 ElGamal KEM 3 Leakage Resilient Crypto Why? How? Other models? 4 Leakage Resilient ElGamal CCA1 secure KEM (Key

More information

White-Box Security Notions for Symmetric Encryption Schemes

White-Box Security Notions for Symmetric Encryption Schemes White-Box Security Notions for Symmetric Encryption Schemes Cécile Delerablée 1 Tancrède Lepoint 1,2 Pascal Paillier 1 Matthieu Rivain 1 CryptoExperts 1, École Normale Supérieure2 SAC 2013 Outline 1 What

More information

Short Exponent Diffie-Hellman Problems

Short Exponent Diffie-Hellman Problems Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and

More information

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such

More information

Public-Key Cryptosystems CHAPTER 4

Public-Key Cryptosystems CHAPTER 4 Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:

More information

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.

More information

A ROBUST AND PLAINTEXT-AWARE VARIANT OF SIGNED ELGAMAL ENCRYPTION

A ROBUST AND PLAINTEXT-AWARE VARIANT OF SIGNED ELGAMAL ENCRYPTION A ROBUST AND PLAINTEXT-AWARE VARIANT OF SIGNED ELGAMAL ENCRYPTION Joana Treger ANSSI, France. Session ID: CRYP-W21 Session Classification: Advanced ELGAMAL ENCRYPTION & BASIC CONCEPTS CDH / DDH Computational

More information

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without

More information

ASYMMETRIC ENCRYPTION

ASYMMETRIC ENCRYPTION ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall

More information

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it

More information

5199/IOC5063 Theory of Cryptology, 2014 Fall

5199/IOC5063 Theory of Cryptology, 2014 Fall 5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.

More information

Lattice-Based Cryptography

Lattice-Based Cryptography Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum

More information

Efficient Public-Key Cryptography in the Presence of Key Leakage

Efficient Public-Key Cryptography in the Presence of Key Leakage Efficient Public-Key Cryptography in the Presence of Key Leakage Yevgeniy Dodis Kristiyan Haralambiev Adriana López-Alt Daniel Wichs August 17, 2010 Abstract We study the design of cryptographic primitives

More information

A Group Signature Scheme from Lattice Assumptions

A Group Signature Scheme from Lattice Assumptions A Group Signature Scheme from Lattice Assumptions S. Dov Gordon Jonathan Katz Vinod Vaikuntanathan Abstract Group signature schemes allow users to sign messages on behalf of a group while (1) maintaining

More information

Cryptology. Scribe: Fabrice Mouhartem M2IF

Cryptology. Scribe: Fabrice Mouhartem M2IF Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description

More information

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr

More information

Quantum-secure symmetric-key cryptography based on Hidden Shifts

Quantum-secure symmetric-key cryptography based on Hidden Shifts Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering

More information

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography 1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to

More information

10 Concrete candidates for public key crypto

10 Concrete candidates for public key crypto 10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see

More information

Discrete logarithm and related schemes

Discrete logarithm and related schemes Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent

More information

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015 L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm

More information

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1] CMSC 858K Advanced Topics in Cryptography February 19, 2004 Lecturer: Jonathan Katz Lecture 8 Scribe(s): Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan 1 Introduction Last time we introduced

More information

CS Topics in Cryptography January 28, Lecture 5

CS Topics in Cryptography January 28, Lecture 5 CS 4501-6501 Topics in Cryptography January 28, 2015 Lecture 5 Lecturer: Mohammad Mahmoody Scribe: Ameer Mohammed 1 Learning with Errors: Motivation An important goal in cryptography is to find problems

More information

Applied cryptography

Applied cryptography Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:

More information

6.892 Computing on Encrypted Data October 28, Lecture 7

6.892 Computing on Encrypted Data October 28, Lecture 7 6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling

More information

Non-interactive Zaps and New Techniques for NIZK

Non-interactive Zaps and New Techniques for NIZK Non-interactive Zaps and New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai July 10, 2006 Abstract In 2000, Dwork and Naor proved a very surprising result: that there exist Zaps, tworound witness-indistinguishable

More information

Oded Regev Courant Institute, NYU

Oded Regev Courant Institute, NYU Fast er algorithm for the Shortest Vector Problem Oded Regev Courant Institute, NYU (joint with Aggarwal, Dadush, and Stephens-Davidowitz) A lattice is a set of points Lattices L={a 1 v 1 + +a n v n a

More information

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern

More information

Efficient Chosen-Ciphtertext Secure Public Key Encryption Scheme From Lattice Assumption

Efficient Chosen-Ciphtertext Secure Public Key Encryption Scheme From Lattice Assumption Appl. Math. Inf. Sci. 8, No. 2, 633-638 (2014) 633 Applied Mathematics & Information Sciences An International Journal http://dx.doi.org/10.12785/amis/080221 Efficient Chosen-Ciphtertext Secure Public

More information

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian

More information

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0

More information

New and Improved Key-Homomorphic Pseudorandom Functions

New and Improved Key-Homomorphic Pseudorandom Functions New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO 14 19 August 2014 Outline 1 Introduction 2 Construction, Parameters

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback