New and Improved Key-Homomorphic Pseudorandom Functions
|
|
- Martina Floyd
- 5 years ago
- Views:
Transcription
1 New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO August 2014
2 Outline 1 Introduction 2 Construction, Parameters and Efficiency 3 Proof of Security (Idea) Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 1 / 11
3 Outline 1 Introduction 2 Construction, Parameters and Efficiency 3 Proof of Security (Idea) Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 1 / 11
4 Pseudorandom Functions [GGM 84] A family of functions F = {F s : {0, 1} k B} such that, given adaptive query access, c F s F Random U x i F s (x i ) x i U(x i )?? Lots of applications in symmetric key cryptography: encryption, message authentication, friend or foe identification,... (Thanks to Seth MacFarlane for the adversary) Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 2 / 11
5 Cooking a (Provably Secure) PRF 1 Goldreich-Goldwasser-Micali [GGM 84] Based on any (doubling) PRG: F s (x 1,..., x k ) = G xk ( (G x1 (s)) ) Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 3 / 11
6 Cooking a (Provably Secure) PRF 1 Goldreich-Goldwasser-Micali [GGM 84] Based on any (doubling) PRG: F s (x 1,..., x k ) = G xk ( (G x1 (s)) ) 2 Number-theoretic direct constructions [NR 97, NRR 00] Framework: exponentiate to a product of (secret) exponents Security from number-theoretic assumptions (DDH, factoring,... ) Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 3 / 11
7 Cooking a (Provably Secure) PRF 1 Goldreich-Goldwasser-Micali [GGM 84] Based on any (doubling) PRG: F s (x 1,..., x k ) = G xk ( (G x1 (s)) ) 2 Number-theoretic direct constructions [NR 97, NRR 00] Framework: exponentiate to a product of (secret) exponents Security from number-theoretic assumptions (DDH, factoring,... ) 3 Lattice-based direct constructions [BPR 12] Framework: round a product of (secret) matrices/ring elements Security from lattice assumptions (LWE, worst-case lattice problems) Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 3 / 11
8 Key-Homomorphic Pseudorandom Functions Key Homomorphism Can efficiently compute F s+t (x) from F s (x) and F t (x) Applications: Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 4 / 11
9 Key-Homomorphic Pseudorandom Functions Key Homomorphism Can efficiently compute F s+t (x) from F s (x) and F t (x) Applications: distribute the operation of a Key Distribution Center, 1 DDH-based construction [NPR 99] Security in the random oracle model Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 4 / 11
10 Key-Homomorphic Pseudorandom Functions Key Homomorphism Can efficiently compute F s+t (x) from F s (x) and F t (x) Applications: distribute the operation of a Key Distribution Center, symmetric-key proxy re-encryption, updatable encryption, and PRFs secure against related-key attacks [BC 10,LMR 14] 1 DDH-based construction [NPR 99] Security in the random oracle model 2 Lattice-based construction [BLMR 13] Security in the standard model; construction and proof similar to [BPR 12] rounded-subset-product construction Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 4 / 11
11 Key-Homomorphic Pseudorandom Functions Key Homomorphism Can efficiently compute F s+t (x) from F s (x) and F t (x) Applications: distribute the operation of a Key Distribution Center, symmetric-key proxy re-encryption, updatable encryption, and PRFs secure against related-key attacks [BC 10,LMR 14] 1 DDH-based construction [NPR 99] Security in the random oracle model 2 Lattice-based construction [BLMR 13] Security in the standard model; construction and proof similar to [BPR 12] rounded-subset-product construction Main drawback: has huge parameters, keys, and runtimes Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 4 / 11
12 Key-Homomorphic Pseudorandom Functions Key Homomorphism Can efficiently compute F s+t (x) from F s (x) and F t (x) Applications: distribute the operation of a Key Distribution Center, symmetric-key proxy re-encryption, updatable encryption, and PRFs secure against related-key attacks [BC 10,LMR 14] 1 DDH-based construction [NPR 99] Security in the random oracle model 2 Lattice-based construction [BLMR 13] Security in the standard model; construction and proof similar to [BPR 12] rounded-subset-product construction Main drawback: has huge parameters, keys, and runtimes [BPR 12] also gives (non-kh) PRFs having much better parameters, with slightly worse (still polylog) depth Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 4 / 11
13 Key-Homomorphic Pseudorandom Functions Key Homomorphism Can efficiently compute F s+t (x) from F s (x) and F t (x) Applications: distribute the operation of a Key Distribution Center, symmetric-key proxy re-encryption, updatable encryption, and PRFs secure against related-key attacks [BC 10,LMR 14] 1 DDH-based construction [NPR 99] Security in the random oracle model 2 Lattice-based construction [BLMR 13] Security in the standard model; construction and proof similar to [BPR 12] rounded-subset-product construction Main drawback: has huge parameters, keys, and runtimes [BPR 12] also gives (non-kh) PRFs having much better parameters, with slightly worse (still polylog) depth Can we obtain similar tradeoffs for KH-PRFs? Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 4 / 11
14 Our Results New KH-PRFs (from lattices): Polylog Õ(1) depth (still) Quasi-optimal Õ(λ) key sizes First sublinear-depth PRFs (KH or otherwise) with Õ(λ) key size! Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 5 / 11
15 Our Results New KH-PRFs (from lattices): Polylog Õ(1) depth (still) Quasi-optimal Õ(λ) key sizes First sublinear-depth PRFs (KH or otherwise) with Õ(λ) key size! Reference Key Pub Params Time/Bit [BLMR 13] λ 3 [λ 3 ] λ 6 [λ 4 ] λ 5 [λ 3 ] This work λ [λ] λ 2 [λ] λ ω [λ] Figure : For input length λ with 2 λ security under standard assumptions. Log factors omitted. Ring-based constructions appear in [brackets]. Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 5 / 11
16 Our Results New KH-PRFs (from lattices): Polylog Õ(1) depth (still) Quasi-optimal Õ(λ) key sizes First sublinear-depth PRFs (KH or otherwise) with Õ(λ) key size! Reference Key Pub Params Time/Bit [BLMR 13] λ 3 [λ 3 ] λ 6 [λ 4 ] λ 5 [λ 3 ] This work λ [λ] λ 2 [λ] λ ω [λ] Figure : For input length λ with 2 λ security under standard assumptions. Log factors omitted. Ring-based constructions appear in [brackets]. New proof technique that may be useful elsewhere Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 5 / 11
17 Our Results New KH-PRFs (from lattices): Polylog Õ(1) depth (still) Quasi-optimal Õ(λ) key sizes First sublinear-depth PRFs (KH or otherwise) with Õ(λ) key size! Reference Key Pub Params Time/Bit [BLMR 13] λ 3 [λ 3 ] λ 6 [λ 4 ] λ 5 [λ 3 ] This work λ [λ] λ 2 [λ] λ ω [λ] Figure : For input length λ with 2 λ security under standard assumptions. Log factors omitted. Ring-based constructions appear in [brackets]. New proof technique that may be useful elsewhere Full version: Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 5 / 11
18 Outline 1 Introduction 2 Construction, Parameters and Efficiency 3 Proof of Security (Idea) Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 5 / 11
19 Boneh et al. KH-PRF Construction [BLMR 13] Secret key s Z n q, pub params B 0, B 1 {0, 1} n n, input x {0, 1} k k F s (x) = s B xi i=1 p Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 6 / 11
20 Boneh et al. KH-PRF Construction [BLMR 13] Secret key s Z n q, pub params B 0, B 1 {0, 1} n n, input x {0, 1} k 1 k F s (x) = s B xi i=1 p 2 0 Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 6 / 11
21 Boneh et al. KH-PRF Construction [BLMR 13] Secret key s Z n q, pub params B 0, B 1 {0, 1} n n, input x {0, 1} k F s (x) = s k B xi i=1 p 2 Somewhat key-homomorphic: F s (x) + F t (x) F s+t (x) + {0, ±1} n 1 0 Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 6 / 11
22 Boneh et al. KH-PRF Construction [BLMR 13] Secret key s Z n q, pub params B 0, B 1 {0, 1} n n, input x {0, 1} k F s (x) = s k B xi i=1 p 2 Somewhat key-homomorphic: F s (x) + F t (x) F s+t (x) + {0, ±1} n Proof strategy: introduce short error which rounds away x k k s k F s (x) = s B xi (sb x1 + e x1 ) x }{{} 3 i=1 p s i=2 x1 x 2 x B xi p Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 6 / 11
23 Boneh et al. KH-PRF Construction [BLMR 13] Secret key s Z n q, pub params B 0, B 1 {0, 1} n n, input x {0, 1} k F s (x) = s k B xi i=1 p 2 Somewhat key-homomorphic: F s (x) + F t (x) F s+t (x) + {0, ±1} n Proof strategy: introduce short error which rounds away x k k s k F s (x) = s B xi (sb x1 + e x1 ) x }{{} 3 i=1 p s i=2 x1 x 2 c k c s x1 B xi... c s x p = U(x) i=2 p 1 0 B xi p Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 6 / 11
24 Boneh et al. KH-PRF Construction [BLMR 13] Secret key s Z n q, pub params B 0, B 1 {0, 1} n n, input x {0, 1} k F s (x) = s k B xi i=1 p 2 Somewhat key-homomorphic: F s (x) + F t (x) F s+t (x) + {0, ±1} n Proof strategy: introduce short error which rounds away x k k s k F s (x) = s B xi (sb x1 + e x1 ) x }{{} 3 i=1 p s i=2 x1 x 2 c k c s x1 B xi... c s x p = U(x) i=2 LWE approx factor grows exponentially in input length k. p 1 0 B xi p Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 6 / 11
25 Gadget and Bit-Decomposition Gadget Z q -matrix G [MP 12]: A = G G 1 (A) Any Z q -matrix Square {0, 1}-matrix Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 7 / 11
26 Gadget and Bit-Decomposition Gadget Z q -matrix G [MP 12]: A = G G 1 (A) Any Z q -matrix Square {0, 1}-matrix A ubiquitous tool in lattice cryptography: FHE [BV 11,GSW 13,AP 14], CCA/IBE/ABE/FHS [MP 12,BGG + 14,GVW 14] Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 7 / 11
27 Our Construction For matrices A 0, A 1, full binary tree T and x {0, 1} T, define A T (x): Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 8 / 11
28 Our Construction For matrices A 0, A 1, full binary tree T and x {0, 1} T, define A T (x): T x A T (x) := A x for T = 1 Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 8 / 11
29 Our Construction For matrices A 0, A 1, full binary tree T and x {0, 1} T, define A T (x): T x T T.l x l T.r x r A T (x) := A x for T = 1 A T (x l x r ) := A T.l (x l ) G 1 (A T.r (x r )) Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 8 / 11
30 Our Construction For matrices A 0, A 1, full binary tree T and x {0, 1} T, define A T (x): T x T T.l x l T.r x r A T (x) := A x for T = 1 A T (x l x r ) := A T.l (x l ) G 1 (A T.r (x r )) New KH-PRF Construction Public parameters: matrices A 0, A 1, full binary tree T Function F s on T -bit input x defined as F s (x) = s A T (x) p Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 8 / 11
31 Our Construction For matrices A 0, A 1, full binary tree T and x {0, 1} T, define A T (x): T x T T.l x l T.r x r A T (x) := A x for T = 1 A T (x l x r ) := A T.l (x l ) G 1 (A T.r (x r )) New KH-PRF Construction Public parameters: matrices A 0, A 1, full binary tree T Function F s on T -bit input x defined as F s (x) = s A T (x) p Somewhat KH just as in [BLMR 13]. Same applications! Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 8 / 11
32 Parameters and Parallelism Sequentiality s(t ): the right depth of T Circuit depth of PRF is proportional to s(t ) s = 2 Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 9 / 11
33 Parameters and Parallelism Sequentiality s(t ): the right depth of T Circuit depth of PRF is proportional to s(t ) Expansion e(t ): the left depth of T LWE approx factor is exponential in e(t ) e = 2 Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 9 / 11
34 Parameters and Parallelism Sequentiality s(t ): the right depth of T Circuit depth of PRF is proportional to s(t ) Expansion e(t ): the left depth of T LWE approx factor is exponential in e(t ) Max input length = max # leaves = ( ) e+s s s = 2, e = 2 Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 9 / 11
35 Parameters and Parallelism Sequentiality s(t ): the right depth of T Circuit depth of PRF is proportional to s(t ) Expansion e(t ): the left depth of T LWE approx factor is exponential in e(t ) Max input length = max # leaves = ( ) e+s s s = 2, e = 2 Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 9 / 11
36 Parameters and Parallelism Sequentiality s(t ): the right depth of T Circuit depth of PRF is proportional to s(t ) Expansion e(t ): the left depth of T LWE approx factor is exponential in e(t ) Max input length = max # leaves = ( ) e+s s Instantiations e(t ) s(t ) Key Params λ 1 1 λ 3 λ 6 s = 2, e = 2 Left Spine x λ x 3 x 1 x 2 Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 9 / 11
37 Parameters and Parallelism Sequentiality s(t ): the right depth of T Circuit depth of PRF is proportional to s(t ) Expansion e(t ): the left depth of T LWE approx factor is exponential in e(t ) Max input length = max # leaves = ( ) e+s s Instantiations e(t ) s(t ) Key Params λ 1 1 λ 3 λ 6 s = 2, e = 2 [BLMR 13] Construction! x λ x 3 x 1 x 2 Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 9 / 11
38 Parameters and Parallelism Sequentiality s(t ): the right depth of T Circuit depth of PRF is proportional to s(t ) Expansion e(t ): the left depth of T LWE approx factor is exponential in e(t ) Max input length = max # leaves = ( ) e+s s Instantiations e(t ) s(t ) Key Params λ 1 1 λ 3 λ 6 1 λ 1 λ λ 2 s = 2, e = 2 Right Spine x 1 x 2 x 3 x λ Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 9 / 11
39 Parameters and Parallelism Sequentiality s(t ): the right depth of T Circuit depth of PRF is proportional to s(t ) Expansion e(t ): the left depth of T LWE approx factor is exponential in e(t ) Max input length = max # leaves = ( ) e+s s Instantiations e(t ) s(t ) Key Params λ 1 1 λ 3 λ 6 1 λ 1 λ λ 2 log 4 (λ) log 4 (λ) λ λ 2 s = 2, e = 2 Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 9 / 11
40 Outline 1 Introduction 2 Construction, Parameters and Efficiency 3 Proof of Security (Idea) Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO 14 9 / 11
41 Proof Idea T T d x d T 2 x 0 T x 2 1 x1 F s (x) = s A x0 G 1 (A T1 ( x 1 )) p s (s A x0 + e x0 ) G 1 (A }{{} T1 ( x 1 )) u x0 c u x0 G 1 (A T1 ( x 1 )) p p Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO / 11
42 Proof Idea New Idea: u = s G + v for uniform, independent s and v P(G). T T d x d T 2 x 0 T x 2 1 x1 F s (x) = s A x0 G 1 (A T1 ( x 1 )) p s (s A x0 + e x0 ) G 1 (A }{{} T1 ( x 1 )) u x0 c u x0 G 1 (A T1 ( x 1 )) p p Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO / 11
43 Proof Idea New Idea: u = s G + v for uniform, independent s and v P(G). T T d x d T 2 x 0 T x 2 1 x1 F s (x) = s A x0 G 1 (A T1 ( x 1 )) p s (s A x0 + e x0 ) G 1 (A }{{} T1 ( x 1 )) u x0 c u x0 G 1 (A T1 ( x 1 )) p p = s x0 A T1 ( x 1 ) G 1 (A T2 ( x 2 )) + v x0 G 1 (A T1 ( x 1 )) p Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO / 11
44 Proof Idea New Idea: u = s G + v for uniform, independent s and v P(G). T T d x d T 1 T 2 x 1 x 2 F s (x) = s A x0 G 1 (A T1 ( x 1 )) p s (s A x0 + e x0 ) G 1 (A }{{} T1 ( x 1 )) u x0 c u x0 G 1 (A T1 ( x 1 )) p p = s x0 A T1 ( x 1 ) G 1 (A T2 ( x 2 )) + v x0 G 1 (A T1 ( x 1 )) p = s x0 A T ( x 1 x d ) + v x0 G 1 (A T1 ( x 1 )) p Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO / 11
45 Proof Idea New Idea: u = s G + v for uniform, independent s and v P(G). T T d x d T 1 T 2 x 1 x 2 F s (x) = s A x0 G 1 (A T1 ( x 1 )) p s (s A x0 + e x0 ) G 1 (A }{{} T1 ( x 1 )) u x0 c u x0 G 1 (A T1 ( x 1 )) p p = s x0 A T1 ( x 1 ) G 1 (A T2 ( x 2 )) + v x0 G 1 (A T1 ( x 1 )) p = s x0 A T ( x 1 x d ) + v x0 G 1 (A T1 ( x 1 )) p c s x + v x0 G 1 (A T1 ( x 1 )) + other v terms s U(x). p Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO / 11
46 Conclusions Our main contributions New KH-PRFs from lattices: quasi-optimal key sizes, polylog depth New proof technique Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO / 11
47 Conclusions Our main contributions New KH-PRFs from lattices: quasi-optimal key sizes, polylog depth New proof technique The Last Word [Mun 07] (Image source: Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO / 11
New and Improved Key-Homomorphic Pseudorandom Functions
New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee Chris Peikert June 13, 2014 Abstract A key-homomorphic pseudorandom function (PRF) family {F s : D R} allows one to efficiently
More informationMore Efficient Lattice PRFs from Keyed Pseudorandom Synthesizers
More Efficient Lattice PRFs from Keyed Pseudorandom Synthesizers Hart Montgomery hmontgomery@us.fujitsu.com Fujitsu Laboratories of America November 5, 2018 Abstract We develop new constructions of lattice-based
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Zvika Brakerski 1 Adeline Langlois 2 Chris Peikert 3 Oded Regev 4 Damien Stehlé 2 1 Stanford University 2 ENS de Lyon 3 Georgia Tech 4 New York University Our
More informationPrivate Puncturable PRFs from Standard Lattice Assumptions
Private Puncturable PRFs from Standard Lattice Assumptions Sam Kim Stanford University Joint work with Dan Boneh and Hart Montgomery Pseudorandom Functions (PRFs) [GGM84] Constrained PRFs [BW13, BGI13,
More informationIdeal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015
Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions
More informationDoubly half-injective PRGs for incompressible white-box cryptography
SESSION ID: CRYP-W02 Doubly half-injective PRGs for incompressible white-box cryptography Estuardo Alpirez Bock Aalto University, Finland Alessandro Amadori, Joppe W. Bos, Chris Brzuska, Wil Michiels White-box
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationTHE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY
THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY Mark Zhandry - Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationFast Lattice-Based Encryption: Stretching SPRING
Fast Lattice-Based Encryption: Stretching SPRING Charles Bouillaguet 1 Claire Delaplace 1,2 Pierre-Alain Fouque 2 Paul Kirchner 3 1 CFHP team, CRIStAL, Université de Lille, France 2 EMSEC team, IRISA,
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationPseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions
Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions Crypto 2011 Daniele Micciancio Petros Mol August 17, 2011 1 Learning With Errors (LWE) secret public: integers n,
More informationPrivate Puncturable PRFs From Standard Lattice Assumptions
Private Puncturable PRFs From Standard Lattice Assumptions Dan Boneh Stanford University dabo@cs.stanford.edu Sam Kim Stanford University skim13@cs.stanford.edu Hart Montgomery Fujitsu Laboratories of
More informationfrom Standard Lattice Assumptions
Watermarking Cryptographic Functionalities from Standard Lattice Assumptions Sam Kim and David J. Wu Stanford University Digital Watermarking CRYPTO CRYPTO CRYPTO Often used to identify owner of content
More informationWatermarking Cryptographic Functionalities from Standard Lattice Assumptions
Watermarking Cryptographic Functionalities from Standard Lattice Assumptions Sam Kim Stanford University Joint work with David J. Wu Digital Watermarking 1 Digital Watermarking Content is (mostly) viewable
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationPseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan
Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC 17) 10 March 2017 1 / 14 Lattice-Based Cryptography y = g
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationFoundation of Cryptography, Lecture 4 Pseudorandom Functions
Foundation of Cryptography, Lecture 4 Pseudorandom Functions Handout Mode Iftach Haitner, Tel Aviv University Tel Aviv University. March 11, 2014 Iftach Haitner (TAU) Foundation of Cryptography March 11,
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationPost-quantum key exchange for the Internet based on lattices
Post-quantum key exchange for the Internet based on lattices Craig Costello Talk at MSR India Bangalore, India December 21, 2016 Based on J. Bos, C. Costello, M. Naehrig, D. Stebila Post-Quantum Key Exchange
More informationIncreased efficiency and functionality through lattice-based cryptography
Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS, CNRS, INRIA, PSL Research University RESEARCH UNIVERSITY PARIS ECRYPT-NET Cloud Summer School Leuven, Belgium
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationTOWARDS PRACTICAL FULLY HOMOMORPHIC ENCRYPTION
TOWARDS PRACTICAL FULLY HOMOMORPHIC ENCRYPTION A Thesis Presented to The Academic Faculty by Jacob Alperin-Sheriff In Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy in the
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationLattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationBootstrapping Obfuscators via Fast Pseudorandom Functions
Bootstrapping Obfuscators via Fast Pseudorandom Functions Benny Applebaum October 26, 2013 Abstract We show that it is possible to upgrade an obfuscator for a weak complexity class WEAK into an obfuscator
More informationTrapdoors for Lattices: Simpler, Tighter, Faster, Smaller
Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech April 2012 1 / 16 Lattice-Based Cryptography y = g x mod p m e mod N e(g a,
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationTowards Tightly Secure Lattice Short Signature and Id-Based Encryption
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt 16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o
More informationPeculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology
1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 2 / 19 Talk Agenda Encryption schemes
More informationSECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL. Mark Zhandry Stanford University
SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL Mark Zhandry Stanford University Random Oracle Model (ROM) Sometimes, we can t prove a scheme secure in the standard model. Instead,
More informationFaster Bootstrapping with Polynomial Error
Faster Bootstrapping with Polynomial Error Jacob Alperin-Sheriff Chris Peikert June 13, 2014 Abstract Bootstrapping is a technique, originally due to Gentry (STOC 2009), for refreshing ciphertexts of a
More informationHomework 7 Solutions
Homework 7 Solutions Due: March 22, 2018 CS 151: Intro. to Cryptography and Computer Security 1 Fun with PRFs a. F a s = F 0 k(x) F s (x) is not a PRF, for any choice of F. Consider a distinguisher D a
More informationHomomorphic Evaluation of the AES Circuit
Homomorphic Evaluation of the AES Circuit IBM Research and University Of Bristol. August 22, 2012 Homomorphic Evaluation of the AES Circuit Slide 1 Executive Summary We present a working implementation
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationPacking Messages and Optimizing Bootstrapping in GSW-FHE
Packing Messages and Optimizing Bootstrapping in GSW-FHE Ryo Hiromasa Masayuki Abe Tatsuaki Okamoto Kyoto University NTT PKC 15 April 1, 2015 1 / 13 Fully Homomorphic Encryption (FHE) c Enc(m) f, c ĉ Eval(
More informationPractical Bootstrapping in Quasilinear Time
Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech UC San Diego 29 April 2013 1 / 21 Fully Homomorphic Encryption [RAD 78,Gen 09] FHE
More informationCryptographic Multilinear Maps. Craig Gentry and Shai Halevi
Cryptographic Multilinear Maps Craig Gentry and Shai Halevi China Summer School on Lattices and Cryptography, June 2014 Multilinear Maps (MMAPs) A Technical Tool A primitive for building applications,
More informationSIS-based Signatures
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin February 26, 2013 Basics We will use the following parameters: n, the security parameter. =poly(n). m 2n log s 2 n
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationThe Random Oracle Model and the Ideal Cipher Model are Equivalent
The Random Oracle Model and the Ideal Cipher Model are Equivalent Jean-ébastien Coron 1, Jacques Patarin 2, and Yannick eurin 2,3 (1) Univ. Luxembourg, (2) Univ. Versailles, (3)Orange Labs éminaire EN
More informationOn error distributions in ring-based LWE
On error distributions in ring-based LWE Wouter Castryck 1,2, Ilia Iliashenko 1, Frederik Vercauteren 1,3 1 COSIC, KU Leuven 2 Ghent University 3 Open Security Research ANTS-XII, Kaiserslautern, August
More informationParameter selection in Ring-LWE-based cryptography
Parameter selection in Ring-LWE-based cryptography Rachel Player Information Security Group, Royal Holloway, University of London based on joint works with Martin R. Albrecht, Hao Chen, Kim Laine, and
More informationLecture 24: MAC for Arbitrary Length Messages. MAC Long Messages
Lecture 24: MAC for Arbitrary Length Messages Recall Previous lecture, we constructed MACs for fixed length messages The GGM Pseudo-random Function (PRF) Construction Given. Pseudo-random Generator (PRG)
More informationCryptanalysis of a Message Authentication Code due to Cary and Venkatesan
Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,
More informationBuilding Secure Block Ciphers on Generic Attacks Assumptions
Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin University of Versailles and Orange Labs SAC 2008 August 14-15, 2008 the context security of symmetric primitives
More informationA Full Homomorphic Message Authenticator with Improved Efficiency
International Journal of Computer and Communication Engineering, Vol. 3, No. 4, July 2014 A Full Homomorphic Message Authenticator with Improved Efficiency Wenbin Chen and Hao Lei Abstract In the system
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationWhat are we talking about when we talk about post-quantum cryptography?
PQC Asia Forum Seoul, 2016 What are we talking about when we talk about post-quantum cryptography? Fang Song Portland State University PQC Asia Forum Seoul, 2016 A personal view on postquantum cryptography
More informationLattice-based Multi-signature with Linear Homomorphism
Copyright c 2016 The Institute of Electronics, Information and Communication Engineers SCIS 2016 2016 Symposium on Cryptography and Information Security Kumamoto, Japan, Jan. 19-22, 2016 The Institute
More informationAlain Passelègue Ecole Normale Supérieure Joint work with: Michel Abdalla (ENS), Fabrice Benhamouda (ENS), Kenneth G.
Alain Passelègue Ecole Normale Supérieure Joint work with: Michel Abdalla (ENS), Fabrice Benhamouda (ENS), Kenneth G. Paterson (RHUL) 26 mars 2014 Journées C2 Single-Key Attack on a cryptosystem F k F
More informationQuantum Differential and Linear Cryptanalysis
Quantum Differential and Linear Cryptanalysis Marc Kaplan 1,2 Gaëtan Leurent 3 Anthony Leverrier 3 María Naya-Plasencia 3 1 LTCI, Télécom ParisTech 2 School of Informatics, University of Edinburgh 3 Inria
More informationMASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer
MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer Tore Frederiksen Emmanuela Orsini Marcel Keller Peter Scholl Aarhus University University of Bristol 31 May 2016 Secure Multiparty
More informationFrom FE Combiners to Secure MPC and Back
From FE Combiners to Secure MPC and Back Prabhanjan Ananth Saikrishna Badrinarayanan Aayush Jain Nathan Manohar Amit Sahai Abstract Functional encryption (FE) has incredible applications towards computing
More informationVadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3
A Tooλκit for Riνγ-ΛΩE κρyπτ oγραφ Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3 1 INRIA & ENS Paris 2 Georgia Tech 3 Courant Institute, NYU Eurocrypt 2013 27 May 1 / 12 A Toolkit for Ring-LWE Cryptography
More informationLinear Multi-Prover Interactive Proofs
Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Interactive Arguments for NP L C = x C x, w = 1 for some w P(x, w) V(x) accept / reject
More informationFully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science
Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science AWSCS, March 2015 Outsourcing Computation x x f f(x) Email, web-search, navigation, social networking What if x is private? Search
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationSome security bounds for the DGHV scheme
Some security bounds for the DGHV scheme Franca Marinelli f.marinelli@studenti.unitn.it) Department of Mathematics, University of Trento, Italy Riccardo Aragona riccardo.aragona@unitn.it) Department of
More informationExploring Crypto Dark Matter:
Exploring Crypto Dark Matter: New Simple PRF Candidates and Their Applications Dan Boneh Yuval Ishai Alain Passelègue Amit Sahai David J. Wu Abstract Pseudorandom functions (PRFs) are one of the fundamental
More informationBenes and Butterfly schemes revisited
Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have
More informationCS 355: Topics in Cryptography Spring Problem Set 5.
CS 355: Topics in Cryptography Spring 2018 Problem Set 5 Due: June 8, 2018 at 5pm (submit via Gradescope) Instructions: You must typeset your solution in LaTeX using the provided template: https://crypto.stanford.edu/cs355/homework.tex
More informationPseudorandom Functions: Three Decades Later
Pseudorandom Functions: Three Decades Later Andrej Bogdanov Alon Rosen Abstract In 1984, Goldreich, Goldwasser and Micali formalized the concept of pseudorandom functions and proposed a construction based
More informationQuantum-secure symmetric-key cryptography based on Hidden Shifts
Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering
More informationFast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems
Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton University, Georgia Tech, SRI international,
More informationMinimalist Cryptography: Excerpt from an NSF Proposal
Minimalist Cryptography: Excerpt from an NSF Proposal Tal Malkin February 13th, 2016 Abstract This is part of a proposal submitted to NSF together with Allison Bishop Lewko in 2014 (and subsequently awarded).
More informationSecure and Practical Identity-Based Encryption
Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.
More informationFully Homomorphic Encryption without Modulus Switching from Classical GapSVP
Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP Zvika Brakerski Stanford University zvika@stanford.edu Abstract. We present a new tensoring techniue for LWE-based fully homomorphic
More informationThe LPN Problem in Cryptography
The LPN Problem in Cryptography Vadim Lyubashevsky INRIA / ENS, Paris Learning Parity with Noise (LPN) We have access to an oracle who has a secret s in Z 2 n On every query, the oracle: 1. Picks r Z 2
More informationHardness and advantages of Module-SIS and Module-LWE
Hardness and advantages of Module-SIS and Module-LWE Adeline Roux-Langlois EMSEC: Univ Rennes, CNRS, IRISA April 24, 2018 Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018
More informationA Lattice-Based Universal Thresholdizer for Cryptographic Systems
A Lattice-Based Universal Thresholdizer for Cryptographic Systems Dan Boneh Rosario Gennaro Steven Goldfeder Sam Kim Abstract We develop a general approach to thresholdizing a large class of (non-threshold)
More informationRelated-Key Security for Pseudorandom Functions Beyond the Linear Barrier
Related-Key Security for Pseudorandom Functions Beyond the Linear Barrier Michel Abdalla 1 Fabrice Benhamouda 1 Alain Passelègue 1 Kenneth. Paterson 2 1 Département d Informatique, École normale supérieure
More informationTargeted Homomorphic Attribute Based Encryption
Targeted Homomorphic Attribute Based Encryption Zvika Brakerski David Cash Rotem Tsabary Hoeteck Wee Abstract In (key-policy) attribute based encryption (ABE), messages are encrypted respective to attributes
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationAsymptotically Efficient Lattice-Based Digital Signatures
Asymptotically Efficient Lattice-Based Digital Signatures Vadim Lyubashevsky and Daniele Micciancio University of California, San Diego La Jolla, CA 92093-0404, USA {vlyubash,daniele}@cs.ucsd.edu Abstract.
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationFaster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds
Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds I. Chillotti 1 N. Gama 2,1 M. Georgieva 3 M. Izabachène 4 1 2 3 4 Séminaire GTBAC Télécom ParisTech April 6, 2017 1 / 43 Table
More informationLaconic Function Evaluation and Applications
2018 IEEE 59th Annual Symposium on Foundations of Computer Science Laconic Function Evaluation and Applications Willy Quach Northeastern University quach.w@husky.neu.edu Hoeteck Wee CNRS and ENS wee@di.ens.fr
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationHow to Use Linear Homomorphic Signature in Network Coding
How to Use Linear Homomorphic Signature in Network Coding Li Chen lichen.xd at gmail.com Xidian University September 28, 2013 How to Use Linear Homomorphic Signature in Network Coding Outline 1 Linear
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationRecent Advances in Identity-based Encryption Pairing-free Constructions
Fields Institute Workshop on New Directions in Cryptography 1 Recent Advances in Identity-based Encryption Pairing-free Constructions Kenny Paterson kenny.paterson@rhul.ac.uk June 25th 2008 Fields Institute
More informationReport on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
More information6.892 Computing on Encrypted Data September 16, Lecture 2
6.89 Computing on Encrypted Data September 16, 013 Lecture Lecturer: Vinod Vaikuntanathan Scribe: Britt Cyr In this lecture, we will define the learning with errors (LWE) problem, show an euivalence between
More informationCryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000
Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000 Amr Youssef 1 and Guang Gong 2 1 Center for Applied Cryptographic Research Department of Combinatorics & Optimization 2 Department of Electrical
More informationComputing with Encrypted Data Lecture 26
Computing with Encrypted Data 6.857 Lecture 26 Encryption for Secure Communication M Message M All-or-nothing Have Private Key, Can Decrypt No Private Key, No Go cf. Non-malleable Encryption Encryption
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationProvable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More informationPractice Exam Winter 2018, CS 485/585 Crypto March 14, 2018
Practice Exam Name: Winter 2018, CS 485/585 Crypto March 14, 2018 Portland State University Prof. Fang Song Instructions This exam contains 8 pages (including this cover page) and 5 questions. Total of
More informationComputer Science A Cryptography and Data Security. Claude Crépeau
Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)
More informationHow to Encrypt with the LPN Problem
How to Encrypt with the LPN Problem Henri Gilbert, Matt Robshaw, and Yannick Seurin ICALP 2008 July 9, 2008 Orange Labs the context the authentication protocol HB + by Juels and Weis [JW05] recently renewed
More informationLeakage-Resilient Symmetric Encryption via Re-keying
Leakage-Resilient Symmetric Encryption via Re-keying Michel Abdalla 1, Sonia Belaïd 1,2, and Pierre-Alain Fouque 1 1 École Normale Supérieure, 45 rue d Ulm 75005 Paris 2 Thales Communications & Security,
More information