On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups
|
|
- Donald Mason
- 5 years ago
- Views:
Transcription
1 On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups Goichiro Hanaoka, Takahiro Matsuda, Jacob C.N. Schuldt Research Institute for Secure Systems (RISEC) National Institute of Advanced Industrial Science and Technology (AIST) CRYPTO 12 23/8/2012
2 Public Key Encryption The construction of efficient and (IND-CCA) secure public key encryption has been a successful research area Practical and efficient design approach: hybrid encryption A public key encryption scheme is constructed from two components: 1. A key encapsulation mechanism (KEM) 2. A data encapsulation mechanism (DEM) 2
3 Hybrid Encryption Key encapsulation mechanism: 1 pk (sk, c) KG Enc Dec (pk, sk) Data encapsulation mechanism: (c, K) K/? (K, m) DEnc c 0 (c 0, K) DDec m 3
4 Hybrid Encryption Key encapsulation mechanism: 1 pk (sk, c) KG Enc Dec (pk, sk) (c, K) K/? Data encapsulation mechanism: Security (K, m) IND-CCA secure encryption is achieved by 1. IND-CCA DEnc KEM c 0 + IND-OT-CCA (c 0, K) DEM DDec m 2. Constrained IND-CCA KEM + AE-OT DEM 3
5 Efficient Key Encapsulation Mechanisms We focus on the problem of minimizing ciphertext overhead A number of very efficient KEMs already exist in the standard model Scheme Security Assumption Overhead [CS03] IND-CCA DDH 3 [HaKu08] IND-CCA CDH 3 [KD04] Constrained IND-CCA DDH 2 [HoKi07] Constrained IND-CCA DDH 2 [HaKu08] Constrained IND-CCA DDH 2 [Kiltz07] IND-CCA GHDH 2 [BMW05] IND-CCA DBDH 2 [CHH+07] Bounded IND-q-CCA DDH 1 G G G G G G G G 4
6 Motivating Question Question Is it possible to construct a KEM with a ciphertext overhead of less than two group elements that achieves IND-CCA security in the standard model? 5
7 The Cramer-Shoup KEM [CS03] KG : pk =(g, h, g x 1 h y 1, g x 2 h y 2, g z ) sk =(x 1, x 2, y 1, y 2, z) Enc : Let pk =(g, h, X, Y, Z) c =(g r, h r,(x Y ) r ) K = Z r = H(g r, h r ) Dec : c =(c 1, c 2, c 3 ) Let If c x 1+y 1 1 c x 2+y 2 2 = c 3 Otherwise return? return K = c z 1 6
8 The Cramer-Shoup KEM [CS03] KG : pk =(g, h, g x 1 h y 1, g x 2 h y 2, g z ) sk =(x 1, x 2, y 1, y 2, z) Enc : Let pk =(g, h, X, Y, Z) c =(g r, h r, H 0 ((X Y ) r )) = H(g r, h r ) K = Z r Dec : Let c =(c 1, c 2, c 3 ) If H 0 (c x 1+y 1 1 c x 2+y 2 2 ) = c 3 return K = c z 1 Otherwise return? 7
9 The Hofheinz-Kiltz KEM [HK07] KG : pk =(g, g x, g y, g z ) sk =(x, y, z) Enc : Let pk =(g, X, Y, Z) c =(g r,(x Y ) r ) K = Z r = H(g r ) Dec : Let If c =(c 1, c 2 ) c x +y 1 = c 2 K = c z 1 Otherwise return? return 8
10 The Hofheinz-Kiltz KEM [HK07] KG : pk =(g, g x, g y, g z ) sk =(x, y, z) Enc : Let pk =(g, X, Y, Z) c =(g r, H 0 ((X Y ) r )) = H(g r ) K = Z r Dec : Let c =(c 1, c 2 ) If H 0 (c x +y 1 ) = c 2 return K = c z 1 Otherwise return? 9
11 Main Result We show that There is no algebraic black-box reduction from the OW-CCA security of a class of KEMs with ciphertexts consisting of a single group element and a string, to the hardness of a non-interactive problem 10
12 A Class of Efficient Key Encapsulation Mechanisms We consider a class Kof KEMs defined in a prime order group G with the following additional properties: 1. Public key: pk =(X 1,...,X n, aux) 2 G n {0, 1} (y i = log g X i ) 2. Encapsulation: C =(c, d) =(g r, f (pk, r)) 2 G {0, 1} ny K = g f 0(pk,r) i=1 X f i (pk,r) i 3. Decapsulated key: K = g 0 (pk,c,y 1,...,y n ) c 1 (pk,c,y 1,...,y n ) where i(pk, C, y 1,...,y n )= i,1 (pk, C) y i,n (pk, C) y n s.t. d = 2 (pk, c, y 1,...,y n ) 11
13 OW-CCA Security for KEMs Decapsulation sk c K/? pk K 0 c (c, K ) Enc(pk) K/? c 6= c Decapsulation sk Adv OW-CCA ( ) = Pr[K 0 = K ] 12
14 Non-interactive Problems A non-interactive problem in a group is given by =(g, p, G) (x, y, w) y I V U (y, w) >/? x Hardness of a non-interactive problem y PPTA x wins if V(x, y, w) => Adv NIP P ( ) = Pr[ wins] Pr[U wins] P is hard if Adv NIP P ( ) < neg( ) 8 13
15 Non-interactive Problems A non-interactive problem in a group is given by =(g, p, G) (x, y, w) y I V U (y, w) >/? x Hardness of a non-interactive problem y PPTA wins if V(x, y, w) => x Captured problems: Adv NIP P ( ) = Pr[ wins] Pr[U wins] DDH, CDH, q-sdh, q-abdhe, IND-CPA, P is hard if Adv NIP... P ( ) < neg( ) 8 13
16 Black-box Reductions There is a black-box reduction from the OW-CCA security of a KEM non-interactive problem P if to a Oracle PPTA Any Adv OW-CCA ( ) > neg( ) 9 8 ) Adv NIP P ( ) > neg( ) This is a fully black-box reduction in the terminology by Reingold et al. [RTV04] 14
17 Algebraic Algorithms Defined via the existence of an extractor (X 1,...,X n ; r) (X 1,...,X n ; r) 9 such that ny i=1 X y i i = Y Y (y 1,...,y n ) The security reductions of existing KEMs defined in prime order groups are all algebraic. 15
18 Main Theorem Theorem 8 2K 8P 2 NIP Alg + BB P is hard ) OW-CCA P 16
19 Oracle Separation Lemma Assume there exists an oracle distribution such that 8 2K 9 Alg PPTA s.t. E h i Adv OW-CCA ( ) > neg and 8P 2 NIP E 8 Alg PPTA 9 h i Adv NIP P ( ) PPTA PPTA s.t. < Adv NIP P ( )+Adv DL ( ) Alg + BB Then, 8 2K and 8P 2 NIP, if P hard: OW-CCA P 17
20 Additional Observations 18
21 Additional Observations Looking at the details of the proofs yields a few additional insights The KEM attacker constructed in the proof only requires n decryption queries for a KEM with n group elements in the public key Corollary 8 2K 8P 2 NIP P is hard + pk 2{0, 1} G n BB + Alg ) OW-n-CCA P 18
22 Additional Observations Looking at the details of the proofs yields a few additional insights The KEM attacker constructed in the proof only requires n decryption queries for a KEM with n group elements in the public key Adaptive decryption queries are not required -- one parallel query is sufficient Corollary 8 Corollary 2K 8P 2 NIP BB + Alg 8P is 2K hard8p 2 NIP BB + Alg + ) OW-n-CCA P pk 2{0, P 1} is hard G n ) NM-CPA P 18
23 Programmable Hash Functions 19
24 Programmable Hash Functions Programmable hash functions Introduced by Hofheinz and Kiltz [HK08] Provides programmability in the standard model Main application: short signatures 19
25 Programmable Hash Functions Programmable hash functions Introduced by Hofheinz and Kiltz [HK08] Provides programmability in the standard model Main application: short signatures Based on an algebraic (poly, 1)-programmable hash function, we can construct a KEM which Is IND-CCA secure based on the DDH problem Has an algebraic black-box security reduction Has a ciphertext overhead of a single group element 19
26 Programmable Hash Functions Programmable hash functions Introduced by Hofheinz and Kiltz [HK08] Provides programmability in the standard model Main application: short signatures Based on an algebraic (poly, 1)-programmable hash function, we can construct a KEM which Corollary Is IND-CCA secure 8k 2based N there on exists the DDH no algebraic problem Has an algebraic (poly,k)-programmable black-box security reduction hash function in prime order groups Has a ciphertext overhead of a single group element 19
27 Programmable Hash Functions Programmable hash functions Introduced by Hofheinz and Kiltz [HK08] Provides programmability in the standard model Main application: short signatures Based on an algebraic (poly, 1)-programmable hash function, we can construct a KEM which Corollary Is IND-CCA secure 8k 2based N there on exists the DDH no algebraic problem Corollary Has an algebraic (poly,k)-programmable black-box security reduction hash function 8n, k 2 N in prime there order exists groups no algebraic Has a ciphertext (n,k)-programmable overhead of a single hash function group element with apple 2{0, 1} G m m apple n in prime order groups 19
28 Summary We have shown that There exists no algebraic black-box reduction from the OW-CCA security of a class of efficient KEMs to a non-interactive problem Certain types of programmable hash functions cannot be constructed in prime order groups Open problems (Im)possible to construct an IND-CCA secure KEM without pairings based on a non-interactive assumption and with two group element encapsulations? Possible to extend results to constrained CCA security? Possible to make any conclusions about schemes relying on key derivation functions? 20
29 Thank you! 21
On the CCA1-Security of Elgamal and Damgård s Elgamal
On the CCA1-Security of Elgamal and Damgård s Elgamal Cybernetica AS, Estonia Tallinn University, Estonia October 21, 2010 Outline I Motivation 1 Motivation 2 3 Motivation Three well-known security requirements
More informationKey Encapsulation Mechanisms from Extractable Hash Proof Systems, Revisited
Key Encapsulation Mechanisms from Extractable Hash Proof Systems, Revisited Takahiro Matsuda and Goichiro Hanaoka Research Institute for Secure Systems, National Institute of Advanced Industrial Science
More informationTightly CCA-Secure Encryption without Pairings. Romain Gay, ENS Dennis Hofheinz, KIT Eike Kiltz, RUB Hoeteck Wee, ENS
Tightly CCA-Secure Encryption without Pairings Romain Gay, ENS Dennis Hofheinz, KIT Eike Kiltz, RUB Hoeteck Wee, ENS Security of encryption pk Alice Enc(pk, m) Bob sk Security of encryption pk Alice Enc(pk,
More informationParallel Decryption Queries in Bounded Chosen Ciphertext Attacks
Parallel Decryption Queries in Bounded Chosen Ciphertext Attacks Takahiro Matsuda and Kanta Matsuura The University of Tokyo, Japan {tmatsuda,kanta}@iis.u-tokyo.ac.jp Abstract. Whether it is possible to
More informationChosen-Ciphertext Secure Key-Encapsulation Based on Gap Hashed Diffie-Hellman
A preliminary version of this paper appears in the proceedings of the 10th International Workshop on Practice and Theory in Public Key Cryptography, PKC 2007, Lecture Notes in Computer Science Vol.???,
More informationA New Variant of the Cramer-Shoup KEM Secure against Chosen Ciphertext Attack
A New Variant of the Cramer-Shoup KEM Secure against Chosen Ciphertext Attack Joonsang Baek 1 Willy Susilo 2 Joseph K. Liu 1 Jianying Zhou 1 1 Institute for Infocomm Research, Singapore 2 University of
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationThe Cramer-Shoup Cryptosystem
The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationOn the Selective-Opening Security of DHIES
On the Selective-Opening Security of DHIES and other practical encryption schemes UbiCrypt Research Retreat, Schloss Raesfeld: 29.& 30. Sep. 2014 Felix Heuer, Tibor Jager, Eike Kiltz, Sven Schäge Horst
More informationSimple SK-ID-KEM 1. 1 Introduction
1 Simple SK-ID-KEM 1 Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, NW4 4BT, United Kingdom. m.z.cheng@mdx.ac.uk Abstract. In 2001, Boneh and Franklin presented
More informationKurosawa-Desmedt Key Encapsulation Mechanism, Revisited and More
Kurosawa-Desmedt Key Encapsulation Mechanism, Revisited and More Kaoru Kurosawa 1 and Le Trieu Phong 1 Ibaraki University, Japan kurosawa@mx.ibaraki.ac.jp NICT, Japan phong@nict.go.jp Abstract. While the
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationA Twist on the Naor-Yung Paradigm and Its Application to Ecient CCA-Secure Encryption from Hard Search Problems
A Twist on the Naor-Yung Paradigm and Its Application to Ecient CCA-Secure Encryption from Hard Search Problems Ronald Cramer, Dennis Hofheinz, and Eike Kiltz Abstract. The Naor-Yung (NY) paradigm shows
More information14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University
14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption Victor Shoup New York University A Historical Perspective The wild years (mid 70 s-mid 80 s): Diffie-Hellman, RSA, ElGamal The
More informationLecture Note 3 Date:
P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................
More informationAdaptive partitioning. Dennis Hofheinz (KIT, Karlsruhe)
Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Public-Key Encryption Accepted security
More informationChosen-Ciphertext Security (I)
Chosen-Ciphertext Security (I) CS 601.442/642 Modern Cryptography Fall 2018 S 601.442/642 Modern Cryptography Chosen-Ciphertext Security (I) Fall 2018 1 / 20 Recall: Public-Key Encryption Syntax: Genp1
More informationSecure Hybrid Encryption from Weakened Key Encapsulation
A preliminary version of this paper appears in Advances in Cryptology CRYPTO 07, Lecture Notes in Computer Science Vol. 4622, A. Menezes ed., Springer-Verlag, 2007. This is the full version. Secure Hybrid
More informationStructure Preserving CCA Secure Encryption
Structure Preserving CCA Secure Encryption presented by ZHANG Tao 1 / 9 Introduction Veriable Encryption enable validity check of the encryption (Camenisch et al. @ CRYPTO'03): veriable encryption of discrete
More informationGentry IBE Paper Reading
Gentry IBE Paper Reading Y. Jiang 1 1 University of Wollongong September 5, 2014 Literature Craig Gentry. Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology - EUROCRYPT
More informationOn The Security of The ElGamal Encryption Scheme and Damgård s Variant
On The Security of The ElGamal Encryption Scheme and Damgård s Variant J. Wu and D.R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada {j32wu,dstinson}@uwaterloo.ca
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More informationTightly Secure CCA-Secure Encryption without Pairings
Tightly Secure CCA-Secure Encryption without Pairings Romain Gay 1,, Dennis Hofheinz 2,, Eike Kiltz 3,, and Hoeteck Wee 1, 1 ENS, Paris, France rgay,wee@di.ens.fr 2 Ruhr-Universität Bochum, Bochum, Germany
More informationEfficient Chosen-Ciphertext Security via Extractable Hash Proofs
Efficient Chosen-Ciphertext Security via Extractable Hash Proofs Hoeteck Wee Queens College, CUNY hoeteck@cs.qc.cuny.edu Abstract. We introduce the notion of an extractable hash proof system. Essentially,
More informationGeneric Constructions of Identity-Based and Certicateless KEMs K. Bentahar, P. Farshim, J. Malone-Lee and N.P. Smart Dept. Computer Science, Universit
Generic Constructions of Identity-Based and Certicateless KEMs K. Bentahar, P. Farshim, J. Malone-Lee and N.P. Smart Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationCONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS
CONSRUCIONS SECURE AGAINS RECEIVER SELECIVE OPENING AND CHOSEN CIPHEREX AACKS Dingding Jia, Xianhui Lu, Bao Li jiadingding@iie.ac.cn C-RSA 2017 02-17 Outline Background Motivation Our contribution Existence:
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationIdentity-based encryption
Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages
More informationLeakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter
Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter Baodong Qin Shengli Liu October 9, 2013 Abstract We present a new generic construction
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationStrong Security Models for Public-Key Encryption Schemes
Strong Security Models for Public-Key Encryption Schemes Pooya Farshim (Joint Work with Manuel Barbosa) Information Security Group, Royal Holloway, University of London, Egham TW20 0EX, United Kingdom.
More informationA New Paradigm of Hybrid Encryption Scheme
A New Paradigm of Hybrid Encryption Scheme Kaoru Kurosawa 1 and Yvo Desmedt 2 1 Ibaraki University, Japan kurosawa@cis.ibaraki.ac.jp 2 Dept. of Computer Science, University College London, UK, and Florida
More informationChosen Ciphertext Security via UCE
Chosen Ciphertext Security via UCE Takahiro Matsuda and Goichiro Hanaoka Research Institute for Secure Systems (RISEC), National Institute of Advanced Industrial Science and Technology (AIST), Japan {t-matsuda,hanaoka-goichiro}@aist.go.jp
More informationLeakage Resilient ElGamal Encryption
Asiacrypt 2010, December 9th, Singapore Outline 1 Hybrid Encryption, the KEM/DEM framework 2 ElGamal KEM 3 Leakage Resilient Crypto Why? How? Other models? 4 Leakage Resilient ElGamal CCA1 secure KEM (Key
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationNon-malleability under Selective Opening Attacks: Implication and Separation
Non-malleability under Selective Opening Attacks: Implication and Separation Zhengan Huang 1, Shengli Liu 1, Xianping Mao 1, and Kefei Chen 2,3 1. Department of Computer Science and Engineering, Shanghai
More informationarxiv: v2 [cs.cr] 14 Feb 2018
Code-based Key Encapsulation from McEliece s Cryptosystem Edoardo Persichetti arxiv:1706.06306v2 [cs.cr] 14 Feb 2018 Florida Atlantic University Abstract. In this paper we show that it is possible to extend
More informationSecure Certificateless Public Key Encryption without Redundancy
Secure Certificateless Public Key Encryption without Redundancy Yinxia Sun and Futai Zhang School of Mathematics and Computer Science Nanjing Normal University, Nanjing 210097, P.R.China Abstract. Certificateless
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationKDM-CCA Security from RKA Secure Authenticated Encryption
KDM-CCA Security from RKA Secure Authenticated Encryption Xianhui Lu 1,2, Bao Li 1,2, Dingding Jia 1,2 1. Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing,
More informationIdentity-based Hierarchical Key-insulated Encryption without Random Oracles
Identity-based Hierarchica Key-insuated Encryption without Random Oraces Yohei Watanabe 1,3 Junji Shikata 1,2 1 Graduate Schoo of Environment and Information Sciences, YNU, Japan 2 Institute of Advanced
More informationA ROBUST AND PLAINTEXT-AWARE VARIANT OF SIGNED ELGAMAL ENCRYPTION
A ROBUST AND PLAINTEXT-AWARE VARIANT OF SIGNED ELGAMAL ENCRYPTION Joana Treger ANSSI, France. Session ID: CRYP-W21 Session Classification: Advanced ELGAMAL ENCRYPTION & BASIC CONCEPTS CDH / DDH Computational
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationChosen Ciphertext Security via Point Obfuscation
Chosen Ciphertext Security via Point Obfuscation Takahiro Matsuda and Goichiro Hanaoka Research Institute for Secure Systems (RISEC), National Institute of Advanced Industrial Science and Technology (AIST),
More informationMaster s thesis, defended on June 20, 2007, supervised by Dr. Oleg Karpenkov. Mathematisch Instituut. Universiteit Leiden
Master s thesis, defended on June 20, 2007, supervised by Dr. Oleg Karpenkov Angela Zottarel Encryption from Weaker Assumptions Master thesis defended on June 28, 2010. Thesis Advisor: dr. Eike Kiltz.
More informationTighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationPublic Key Encryption for the Forgetful
Public Key Encryption for the Forgetful Puwen Wei 1 Yuliang Zheng 2 Xiaoyun Wang 1,3 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan
More informationStandard versus Selective Opening Security: Separation and Equivalence Results
Standard versus Selective Opening Security: Separation and Equivalence Results Dennis Hofheinz and Andy Rupp Karlsruhe Institute of Technology, Germany {dennis.hofheinz,andy.rupp}@kit.edu Supported by
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationDecentralized Identity Management Scheme and its Realization by RSA and Discrete-Log-Based Encryption
Computer Security Symposium 2014 22-24 October 2014 RSA 814-0002 2-1-22 SRP 7 anada@isit.or.jp 819-0395 744 2 712 {kawamoto,sakurai}@inf.kyushu-u.ac.jp 510632 601 cryptjweng@gmail.com RSA Lenstra Decentralized
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationSimulation-based Selective Opening CCA Security for PKE from Key Encapsulation Mechanisms
Simulation-based Selective Opening CCA Security for PKE from Key Encapsulation Mechanisms Shengli Liu 1 and Kenneth G. Paterson 2 1 Department of Computer Science and Engineering, Shanghai Jiao Tong University,
More informationCryptography CS 555. Topic 24: Finding Prime Numbers, RSA
Cryptography CS 555 Topic 24: Finding Prime Numbers, RSA 1 Recap Number Theory Basics Abelian Groups φφ pppp = pp 1 qq 1 for distinct primes p and q φφ NN = Z N gg xx mod N = gg [xx mmmmmm φφ NN ] mod
More informationLecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko
CMSC 858K Advanced Topics in Cryptography February 26, 2004 Lecturer: Jonathan Katz Lecture 10 Scribe(s): Jeffrey Blank Chiu Yuen Koo Nikolai Yakovenko 1 Summary We had previously begun to analyze the
More informationAn Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem
An extended abstract of this paper appears in Advances in Cryptology EUROCRYPT 04, Lecture Notes in Computer Science Vol., C. Cachin and J. Camenisch ed., Springer-Verlag, 2004. This is the full version.
More informationEfficient Chosen Ciphertext Secure Public Key Encryption under the Computational Diffie-Hellman Assumption
Efficient Chosen Ciphertext Secure Public Key Encryption under the Computational Diffie-Hellman Assumption Goichiro Hanaoka 1 and Kaoru Kurosawa 2 1 RCIS, AIST 2 Ibaraki University Abstract. Recently Cash,
More informationON CIPHERTEXT UNDETECTABILITY. 1. Introduction
Tatra Mt. Math. Publ. 41 (2008), 133 151 tm Mathematical Publications ON CIPHERTEXT UNDETECTABILITY Peter Gaži Martin Stanek ABSTRACT. We propose a novel security notion for public-key encryption schemes
More informationPlaintext Awareness in Identity-Based Key Encapsulation
Plaintext Awareness in Identity-Based Key Encapsulation Mark Manulis 1 Bertram Poettering 2 Douglas Stebila 3 1 Department of Computing, University of Surrey, Guildford, Surrey, United Kingdom mark@manulis.eu
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationA Robust and Plaintext-Aware Variant of Signed ElGamal Encryption
A Robust and Plaintext-Aware Variant of Signed ElGamal Encryption Yannick Seurin and Joana Treger ANSSI, Paris, France yannick.seurin@m4x.org,joana.marim@ssi.gouv.fr Revised, 24 February 2013 Abstract.
More informationPairing-Based Cryptography An Introduction
ECRYPT Summer School Samos 1 Pairing-Based Cryptography An Introduction Kenny Paterson kenny.paterson@rhul.ac.uk May 4th 2007 ECRYPT Summer School Samos 2 The Pairings Explosion Pairings originally used
More informationA note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT
A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT Daniel Jost, Christian Badertscher, Fabio Banfi Department of Computer Science, ETH Zurich, Switzerland daniel.jost@inf.ethz.ch christian.badertscher@inf.ethz.ch
More informationA Posteriori Openable Public Key Encryption *
A Posteriori Openable Public Key Encryption * Xavier Bultel 1, Pascal Lafourcade 1, CNRS, UMR 6158, LIMOS, F-63173 Aubière, France Université Clermont Auvergne, LIMOS, BP 10448, 63000 Clermont-Ferrand,
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationPublic-Key Cryptosystems Resilient to Key Leakage
Public-Key Cryptosystems Resilient to Key Leakage Moni Naor Gil Segev Abstract Most of the work in the analysis of cryptographic schemes is concentrated in abstract adversarial models that do not capture
More informationSubtleties in the Definition of IND-CCA: When and How Should Challenge-Decryption be Disallowed?
Subtleties in the Definition of IND-CCA: When and How Should Challenge-Decryption be Disallowed? Mihir Bellare 1 Dennis Hofheinz 2 Eike Kiltz 3 Abstract IND-CCA (Indistinguishability under adaptive chosen-ciphertext
More informationUnforgeable quantum encryption. Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! (Using AES with 128 bit block size in Galois Counter Mode and SHA2) Authenticated
More informationRSA-OAEP and Cramer-Shoup
RSA-OAEP and Cramer-Shoup Olli Ahonen Laboratory of Physics, TKK 11th Dec 2007 T-79.5502 Advanced Cryptology Part I: Outline RSA, OAEP and RSA-OAEP Preliminaries for the proof Proof of IND-CCA2 security
More informationChosen Ciphertext Secure Encryption under Factoring Assumption Revisited
Chosen Ciphertext Secure Encryption under Factoring Assumption Revisited Qixiang Mei 1,2,BaoLi 1, Xianhui Lu 1, and Dingding Jia 1 1 State Key Laboratory of Information Security, Graduate University of
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationStronger Public Key Encryption Schemes
Stronger Public Key Encryption Schemes Withstanding RAM Scraper Like Attacks Prof. C.Pandu Rangan Professor, Indian Institute of Technology - Madras, Chennai, India-600036. C.Pandu Rangan (IIT Madras)
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationG /G Advanced Cryptography November 11, Lecture 10. defined Adaptive Soundness and Adaptive Zero Knowledge
G22.3220-001/G63.2180 Advanced Cryptography November 11, 2009 Lecture 10 Lecturer: Yevgeniy Dodis Scribe: Adriana Lopez Last time we: defined Adaptive Soundness and Adaptive Zero Knowledge defined Unbounded
More informationEl Gamal A DDH based encryption scheme. Table of contents
El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues The El Gamal encryption
More informationA New Randomness Extraction Paradigm for Hybrid Encryption
An extended abstract of this paper appears in Advances in Cryptology EUROCRYPT 09, Lecture Notes in Computer Science Vol.????, A. Joux ed., Springer-Verlag, 2009. This is the full version. A New Randomness
More informationLecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]
CMSC 858K Advanced Topics in Cryptography February 19, 2004 Lecturer: Jonathan Katz Lecture 8 Scribe(s): Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan 1 Introduction Last time we introduced
More informationEfficient Chosen-Ciphertext Security via Extractable Hash Proofs
Efficient Chosen-Ciphertext Security via Extractable Hash Proofs Hoeteck Wee Queens College, CUNY hoeteck@cs.qc.cuny.edu Abstract. We introduce the notion of an extractable hash proof system. Essentially,
More informationf (x) f (x) easy easy
A General Construction of IND-CCA2 Secure Public Key Encryption? Eike Kiltz 1 and John Malone-Lee 2 1 Lehrstuhl Mathematik & Informatik, Fakultat fur Mathematik, Ruhr-Universitat Bochum, Germany. URL:
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationOn the Security of Padding-Based Encryption Schemes or Why we cannot prove OAEP secure in the Standard Model
On the Security of Padding-Based Encryption Schemes or Why we cannot prove OAEP secure in the Standard Model Eike Kiltz and Krzysztof Pietrzak Cryptology & Information Security Group CWI Amsterdam, The
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More informationNotes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.
COS 533: Advanced Cryptography Lecture 9 (October 11, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Udaya Ghai Notes for Lecture 9 1 Last Time Last time, we introduced zero knowledge proofs
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 74 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions
More informationCircular chosen-ciphertext security with compact ciphertexts
Circular chosen-ciphertext security with compact ciphertexts Dennis Hofheinz October 9, 2018 Abstract A key-dependent message (KDM) secure encryption scheme is secure even if an adversary obtains encryptions
More informationChosen-Ciphertext Security from Subset Sum
Chosen-Ciphertext Security from Subset Sum Sebastian Faust 1, Daniel Masny 1, and Daniele Venturi 2 1 Horst-Görtz Institute for IT Security and Faculty of Mathematics, Ruhr-Universität Bochum, Bochum,
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 60 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4
More informationHybrid Key Encapsulation Mechanisms and Authenticated Key Exchange
Hybrid Key Encapsulation Mechanisms and Authenticated Key Exchange Nina Bindel 1 Jacqueline Brendel 1 Marc Fischlin 1 Brian Goncalves 2 Douglas Stebila 3 1 Technische Universität Darmstadt, Darmstadt,
More informationREMARKS ON IBE SCHEME OF WANG AND CAO
REMARKS ON IBE SCEME OF WANG AND CAO Sunder Lal and Priyam Sharma Derpartment of Mathematics, Dr. B.R.A.(Agra), University, Agra-800(UP), India. E-mail- sunder_lal@rediffmail.com, priyam_sharma.ibs@rediffmail.com
More informationSearchable encryption & Anonymous encryption
Searchable encryption & Anonymous encryption Michel Abdalla ENS & CNS February 17, 2014 MPI - Course 2-12-1 Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, 2014 1 /
More informationThe Group of Signed Quadratic Residues and Applications
The Group of Signed Quadratic Residues and Applications Dennis Hofheinz and Eike Kiltz Abstract. We consider the cryptographic group of Signed Quadratic Residues. This group is particularly useful for
More informationChosen Ciphertext Security with Optimal Ciphertext Overhead
Chosen Ciphertext Security with Optimal Ciphertext Overhead Masayuki Abe 1, Eike Kiltz 2 and Tatsuaki Okamoto 1 1 NTT Information Sharing Platform Laboratories, NTT Corporation, Japan 2 CWI Amsterdam,
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationOblivious Transfer (OT) and OT Extension
Oblivious Transfer (OT) and OT Extension School on Secure Multiparty Computation Arpita Patra Arpita Patra Roadmap o Oblivious Transfer - Construction from `special PKE o OT Extension - IKNP OT extension
More informationPractical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles
Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles Man Ho Au 1, Joseph K. Liu 2, Tsz Hon Yuen 3, and Duncan S. Wong 4 1 Centre for Information Security Research
More information