Strong Security Models for Public-Key Encryption Schemes
Strong Security Models for Public-Key Encryption Schemes
Pooya Farshim (joint work with Manuel Barbosa)
Information Security Group, Royal Holloway, University of London, Egham TW20 0EX, United Kingdom
ACISP 2010, Sydney, 5 July 2010
Outline
Part I, Strong Security: background and motivation; four strong security models; relations among notions; a strongly secure scheme.
Part II, Extractor-Based Notions: strong plaintext awareness; secret key awareness; schemes: first steps.
Summary.
Part I: Strong Security
Public-Key Encryption and IND-CCA2
Syntax:
  Setup(1^k): generates common (domain) parameters I
  Gen(I): generates a key pair (SK, PK)
  Enc(m, PK): outputs a ciphertext c
  Dec(c, PK, SK): recovers the message m
Security (IND-CCA2): it should be infeasible to distinguish which of two chosen messages (m_0, m_1) is encrypted within the challenge ciphertext c*, even with the help of an oracle which decrypts any ciphertext c other than c*.
Non-Malleability
Non-malleability (NM): the adversary is given (PK, c*), where c* encrypts m. The goal is to come up with a related c' encrypting m' such that R(m, m') = T.
The relation R should be "interesting": it does not hold for a random m' (and a fixed m).
Meanwhile A can ask for decryptions (NM-CCA2).
Brief History of Non-Malleability
DDN00: introduced non-malleability in the simulation paradigm (1991).
BDPR98: formulated it as a comparison-based notion and studied its relation to IND-CCA2.
BS06: established equivalence between simulation- and comparison-based notions of non-malleability (revision of [BS99]).
PSV07: studied non-malleability more carefully: ⊥-allowing vs. ⊥-disallowing relations; the effect of the message space ({0, 1}, finite, etc.); composability of notions (single vs. multi). Here V = Vaikuntanathan.
Complete Non-Malleability
Introduced by Fischlin (ICALP 05). Allows tampering with the public key: the adversary outputs a related ciphertext/public key pair.
CS and RSA-OAEP are not completely non-malleable. RSA-OAEP: replace e by 3e and c by c^3.
Fix for RSA-OAEP: bind PK to the ciphertext by hashing it together with m. The technique is similar to those used in certificateless encryption schemes.
Hard to construct in the standard model; technically, with respect to black-box simulators.
Ventre and Visconti (PKC 08) gave a comparison-based definition and showed equivalence under some technical conditions. They also give a NIZKPK-based scheme.
Why Consider Complete Non-Malleability?
Commitment scheme: the sender sends a commitment com(m) to the receiver, and later de-commits by revealing an opening dec.
  Hiding: the receiver cannot see what is inside com.
  Binding: the sender cannot de-commit to m' ≠ m.
  Non-malleable: it is hard to construct a related com(m').
Generic construction through encryption schemes:
  com(m) = (PK, Enc(m, PK; r)), where (SK, PK) ←$ Gen()
  dec = (m, r) or (m, SK)
This gives a NM commitment if the encryption scheme is completely NM.
Strong Decryption Oracle
Recall that in the IND-CCAx model the adversary has access to Decrypt(c), which returns Dec(c, PK, SK).
Introduce a strong decryption oracle SDecrypt_V(c, PK): it returns the message encapsulated by c, as defined by a validity criterion V. Two natural criteria:
  V(c, PK, m, r) := [c =? Enc(m, PK; r)]
  V'(c, PK, m, r) := [(SK, PK) =? Gen(r) ∧ m =? Dec(c, SK, PK)]
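The two validity criteria double as the receiver's opening checks for the commitment-from-encryption construction on the previous slide. The following is an added example, not code from the talk or the paper: a toy ElGamal scheme with explicit coins (constructed parameters, no security claimed, and in particular malleable, so the resulting commitment is not non-malleable) is used only to show what committing, opening with (m, r), and opening via the key-generation coins look like under V and V'.

```python
"""
Commitment from encryption: com(m) = (PK, Enc(m, PK; r)), with the two
opening checks V and V' from the strong-decryption-oracle slide.

Assumptions (all constructed for this example):
  * the encryption scheme is a toy ElGamal over Z_P^* with P = 2^61 - 1
    (prime) and g = 2; it is NOT secure and NOT non-malleable, so the
    commitment built from it is only syntactically the generic construction;
  * Gen and Enc take explicit coins r so that both V and V' can be checked
    by recomputation; V' receives the coins of Gen, from which SK is derived.
"""
import hashlib
import secrets
from typing import Tuple

P = 2**61 - 1   # constructed prime modulus
G = 2           # constructed base; correctness does not need a generator

Ciphertext = Tuple[int, int]   # (c1, c2) = (g^k, m * PK^k)


def _exponent(tag: bytes, r: bytes) -> int:
    """Map coins r deterministically to an exponent in [1, P-2]."""
    return int.from_bytes(hashlib.sha256(tag + r).digest(), "big") % (P - 2) + 1


def gen(r: bytes) -> Tuple[int, int]:
    """Gen(r): returns (SK, PK) = (x, g^x) from explicit coins r."""
    sk = _exponent(b"gen", r)
    return sk, pow(G, sk, P)


def enc(m: int, pk: int, r: bytes) -> Ciphertext:
    """Enc(m, PK; r): ElGamal encryption with explicit coins r."""
    if not 1 <= m < P:
        raise ValueError("message must be a unit modulo P")
    k = _exponent(b"enc", r)
    return pow(G, k, P), (m * pow(pk, k, P)) % P


def dec(c: Ciphertext, sk: int, pk: int) -> int:
    """Dec(c, SK, PK): reject a mismatched key pair, then recover m."""
    if pow(G, sk, P) != pk:
        raise ValueError("secret key does not match public key")
    c1, c2 = c
    return (c2 * pow(c1, P - 1 - sk, P)) % P   # c1^(-sk) by Fermat


def commit(m: int) -> Tuple[Tuple[int, Ciphertext], bytes, bytes]:
    """Sender: com(m) = (PK, Enc(m, PK; r_enc)); keeps both sets of coins."""
    r_gen, r_enc = secrets.token_bytes(32), secrets.token_bytes(32)
    _, pk = gen(r_gen)
    return (pk, enc(m, pk, r_enc)), r_gen, r_enc


def valid_v(c: Ciphertext, pk: int, m: int, r_enc: bytes) -> bool:
    """V(c, PK, m, r): re-encrypt and compare; opening dec = (m, r)."""
    return enc(m, pk, r_enc) == c


def valid_v_prime(c: Ciphertext, pk: int, m: int, r_gen: bytes) -> bool:
    """V'(c, PK, m, r): (SK, PK) = Gen(r) and m = Dec(c, SK, PK).
    Revealing the Gen coins reveals SK, i.e. the (m, SK) opening."""
    sk, pk_from_r = gen(r_gen)
    if pk_from_r != pk:
        return False
    return dec(c, sk, pk) == m


def demo() -> Tuple[bool, bool, bool, bool]:
    """Commit to a constructed message; try honest and dishonest openings."""
    m = 0x5EC12E7   # constructed message
    (pk, c), r_gen, r_enc = commit(m)
    ok_v = valid_v(c, pk, m, r_enc)              # honest (m, r) opening
    ok_v_prime = valid_v_prime(c, pk, m, r_gen)  # honest (m, SK) opening
    # Binding: the sender cannot open the same commitment to m + 1.
    bad_v = valid_v(c, pk, m + 1, r_enc)
    bad_v_prime = valid_v_prime(c, pk, m + 1, r_gen)
    return ok_v, ok_v_prime, bad_v, bad_v_prime


if __name__ == "__main__":
    print(demo())   # (True, True, False, False)
```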
Strong and Parallel CCA: IND-SCCAx
Game IND-SCCAx^A_{b,Π}, for b ∈ {0, 1}:
  Run A on (I, PK) with access to SDecrypt (x = 1, 2)
  A returns m_0, m_1
  Resume A on c* := Enc(m_b, PK), with access to SDecrypt except on c* (x = 2)
  A returns a bit b'
  Return b'
Adv^{ind-sccax}_Π(A) := Pr[IND-SCCAx^A_{0,Π} ⇒ T] − Pr[IND-SCCAx^A_{1,Π} ⇒ T]
Strong and Parallel CCA: IND-SCCAx / IND-SPCAx
Game IND-SPCAx^A_{b,Π}, for b ∈ {0, 1}:
  Run A on (I, PK) with access to SDecrypt (x = 1, 2)
  A returns m_0, m_1
  Resume A on c* := Enc(m_b, PK), with one call to PSDecrypt(c_1, PK_1, ...) except on c*, and access to SDecrypt except on c* (x = 2)
  A returns a bit b'
  Return b'
Adv^{ind-spcax}_Π(A) := Pr[IND-SPCAx^A_{0,Π} ⇒ T] − Pr[IND-SPCAx^A_{1,Π} ⇒ T]
Note: the security models match at x = 2.
Simulation-Based Complete NM: SNM-SCCAx
Real world (A) vs. ideal world (assisted simulator S):
Real-SNM-SCCAx^A_{Π,R}:
  Run A on (I, PK) with access to SDecrypt (x = 1, 2)
  A returns a message distribution M; m ←$ M
  Resume A on c* := Enc(m, PK), with access to SDecrypt except on c* (x = 2)
  A returns (PK', c', st_R)
  m' ← SDecrypt(c', PK'); return R(I, m, m', PK, PK', c', M, st_R)
Ideal-SNM-SCCAx^S_{Π,R}, for all R and for all A there is an S:
  Run S on (I, PK) with access to SDecrypt (x = 1, 2 if assisted)
  S returns M; m ←$ M
  Resume S with access to SDecrypt (x = 2 if assisted)
  S returns (PK', c', st_R)
  m' ← SDecrypt(c', PK'); return R(I, m, m', PK, PK', c', M, st_R)
Adv^{snm-sccax}_{Π,R,S}(A) := Pr[Real-SNM-SCCAx^A_{Π,R} ⇒ T] − Pr[Ideal-SNM-SCCAx^S_{Π,R} ⇒ T]
Remark: in [Fis05] the oracles are Decrypt, and the final SDecrypt is for a specific V.
Comparison-Based Complete NM: CNM-SCCAx
Game CNM-SCCAx^A_{b,Π,R}, for b ∈ {0, 1}, for all R and for all A:
  Run A on (I, PK) with access to SDecrypt (x = 1, 2)
  A returns a message distribution M; m_0, m_1 ←$ M
  Resume A on c* := Enc(m_0, PK), with access to SDecrypt except on c* (x = 2)
  A returns (PK', c', R, st_R)
  m' ← SDecrypt(c', PK'); return R(I, m_b, m', PK, PK', c', M, st_R)
Adv^{cnm-sccax}_{Π,R}(A) := Pr[CNM-SCCAx^A_{0,Π,R} ⇒ T] − Pr[CNM-SCCAx^A_{1,Π,R} ⇒ T]
Remark: in [VV05] the oracles are Decrypt and V is fixed. Equivalent to the simulation-based notion with non-assisted simulators for "lacking" relations that do not depend on PK'.
Equivalence
Theorem:
  1. IND-SPCAx ⇒ CNM-SCCAx.
  2. CNM-SCCAx ⇒ SNM-SCCAx.
  3. SNM-SCCAx ⇒ IND-SPCAx, for assisted simulators.
PSDecrypt captures the "implicit decryption" in NM.
The notions above self-compose, as SPCAx does (standard hybrid argument).
The equivalence theorem shows that the strong security models are relevant to practice (cf. strong models in certificateless cryptography).
IND-SCCA2 Scheme from [DLP08]
procedure Setup_{GP,H,n}():
  k ←$ Key(); (α, β, u_0, ..., u_n) ←$ G × G^{n+2}
  I ← (GP, H_k, α, β, u_0, ..., u_n)
  Return I
procedure Gen():
  x ←$ Z_p; X ← g^x; Y ← α^x
  PK ← (X, Y); SK ← x
  Return (SK, PK)
procedure Enc(m, PK):
  t ←$ Z_p; (X, Y) ← PK
  If e(X, α) ≠ e(g, Y) Return ⊥
  C_1 ← m · e(Y, β^t); C_2 ← α^t
  w ← H_k(C_1, C_2, PK)
  C_3 ← WH(w)^t
  c ← (C_1, C_2, C_3)
  Return c
procedure Dec(c, SK, PK):
  (X, Y) ← PK
  If g^SK ≠ X ∨ α^SK ≠ Y Return ⊥
  (C_1, C_2, C_3) ← c
  w ← H_k(C_1, C_2, PK)
  If e(C_2, WH(w)) ≠ e(α, C_3) Return ⊥
  m ← C_1 / e(C_2, β^x)
  Return m
Theorem: DBDH ∧ CR ⇒ IND-SCCA2.
Proof: as in [DLP08], but using the modifications of [BR09] to avoid artificial aborts. The Waters hash WH is programmed in a way which permits recovering the ephemeral key.
Part II: Extractor-Based Notions
Intuition: When does a machine know something?
A knows m if it can output m. But A has a specified I/O behaviour, so: A knows m if it can be tweaked to output m. Equivalently, A knows m if there is an extractor K which gets the same view (inputs and coins of A) and outputs m.
Adapt this to an "environment" where A's view includes various I/O pairs from different oracles. Two worlds: in the first, m is computed properly; in the second, m is computed using K. These should be indistinguishable.
Application: if a machine already knows the plaintext encapsulated within a ciphertext of its choice, the decryption oracle is of no help to it.
Plaintext Awareness: PAx, where x = 1 or x = 2
Run A(I, PK) in one of two possible environments:
  Dec world: access to Decrypt, returning Dec(·, SK)
  Ext world: access to Decrypt, returning K(·, View[A])
Both worlds: access to Enc(P(Q), PK) if x = 2. P allows A to obtain ciphertexts with unknown plaintexts "in a controlled way". (There is no Decrypt in IND-CCA1 after the challenge phase.)
The behaviours should be indistinguishable: D(A's output in the Dec^P world) ≈ D(A's output in the Ext^{P,K} world).
Theorem (BP04): PAx ∧ IND-CPA ⇒ IND-CCAx. Proof: the adversary already knows the decryption through K.
Strong Plaintext Awareness: SPAx
Replace Decrypt with SDecrypt. Run A(I, PK) in one of two possible environments:
  Dec world: access to SDecrypt
  Ext world: access to SDecrypt, returning K(·, View[A])
Both worlds: access to Enc(P(Q), PK) if x = 2.
The behaviours should be indistinguishable: D(A's output in the Dec^P world) ≈ D(A's output in the Ext^{P,K} world).
Theorem: SPAx ∧ IND-CPA ⇒ IND-SCCAx.
SPAx and Complete Non-Malleability
Theorem: SPAx ∧ SNM-CPA ⇒ non-assisted SNM-SCCAx.
But: Theorem (Fischlin): in the standard model, completely non-malleable schemes with respect to non-assisted black-box simulators do not exist.
So: strong plaintext awareness, being a non-black-box notion, allows one to go beyond this black-box simulation barrier; plaintext awareness is more relevant in the strong setting.
Invert and Chosen-Ciphertext Attacks: IND-ICAx
Intuition: one way to achieve SPA is to require that any adversary which comes up with a PK knows the SK.
Working towards this goal: replace SDecrypt with an oracle Invert(PK), which returns SK for PK, and bring back Decrypt (for the challenge PK).
Theorem: IND-ICAx ⇒ IND-SCCAx. Proof: use Invert and Decrypt to simulate SDecrypt.
Secret Key Awareness: SKAx
The definitional approach is similar to SPA. Run A(I, PK) in two environments:
  Inv world: access to Invert
  Ext world: access to a secret key extractor K
Both worlds: access to a Decrypt oracle, and to Enc(P(Q), PK) (x = 2).
The behaviours should be indistinguishable: for all A there exists a K such that for all P and D, D(A's output in the Inv^P world) ≈ D(A's output in the Ext^{P,K} world).
Theorem: SKAx ∧ IND-CCAx ⇒ IND-ICAx.
Remarks
We get complete non-malleability with non-assisted simulators.
Non-malleability of the commitment holds w.r.t. opening with SK (the simulator should be provided with SK). This is not the case for SPA: one needs "randomness awareness" (schemes from lossy TDFs?).
Also, there is a natural interaction between SKA and PA. Theorem: SKAx ∧ PAx ⇒ SPAx. Proof: replace the oracles by extractors one at a time.
Schemes: Generic Technique in the ROM
Transformation: attach H(SK, PK) to public keys. The transformation does not affect the security of the original scheme. Public keys are invalid with high probability unless SK was queried to H.
When applied to RSA-OAEP, this allows us to achieve a stronger result: [Fis05] only considered adversaries which return a valid PK.
Schemes: Generic Technique in the Standard Model
Let Π be such that its Gen is the Enc of some scheme Π_PK: the secret key is a random message and the public key is the corresponding ciphertext. (Actually it is better to consider a KEM.)
Suppose Π_PK is PA2 w.r.t. a P which returns a random m. Then Π is SKA0.
Remark: the restriction on P is necessary; otherwise, as in [TO08b], we would get IND keys, which is not possible.
Schemes: The Knowledge of Factor Assumption
The only way to come up with a number of the form P^2 Q is to choose a P and a Q and compute P^2 Q. In other words, any adversary which comes up with P^2 Q must know P and Q.
This is not the case for RSA numbers: the probability that a random 2k-bit number is of the form PQ is roughly (2^k / k)^2 / 2^{2k} = 1 / k^2, which is not negligible.
Schemes in the Standard Model
RSA-based encryption with a fixed encryption exponent (e = ) satisfies SKA0 (vanilla-flavoured SKA).
To get IND-SCCA1 security:
  "RSA-CCA1" assumption: add a phase-1 (partial) Root oracle. Gives IND-CCA1 after some padding (short messages).
  "KFA-CCA1" assumption: add a (partial) Root oracle to the above. Gives SKA1.
Then "RSA-CCA1" + "KFA-CCA1" gives IND-SCCA1.
One can also build extractable one-way functions [CD08, CD09].
Summary
Defined strong decryption oracles.
Proved equivalence between strong security notions.
Gave a strongly secure scheme.
Formulated strong PA and secret key awareness (SKA), and proved that they lead to the expected results.
Introduced the knowledge of factorisation assumption.
Discussed ways to build SPA and SKA schemes.
The End
Diagram of relations among the notions (the arrows were not preserved in the transcription): IND-SPCA1, CNM-SCCA1, SNM-SCCA1 = IND-SCCA1 = SPA1 ∧ IND-CPA; IND-SPCA2, IND-SCCA2 = SPA2 ∧ IND-CPA, CNM-SCCA2, SNM-SCCA2; SKA2 ∧ PA2 ∧ IND-CPA; IND-ICA2 = SKA2 ∧ IND-CCA2.
Thank you for your attention. Questions/Comments?
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2009-2010 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: September 29th 2009 1 / 60 Last Time (I) Security
More informationEnhanced Chosen-Ciphertext Security and Applications
Enhanced Chosen-Ciphertext Security and Applications Dana Dachman-Soled 1 Georg Fuchsbauer 2 Payman Mohassel 3 Adam O Neill 4 Abstract We introduce and study a new notion of enhanced chosen-ciphertext
More informationReport on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
More informationMTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R
More informationA Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM
A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM Paulo S. L. M. Barreto Bernardo David Rafael Dowsley Kirill Morozov Anderson C. A. Nascimento Abstract Oblivious Transfer
More informationGentry IBE Paper Reading
Gentry IBE Paper Reading Y. Jiang 1 1 University of Wollongong September 5, 2014 Literature Craig Gentry. Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology - EUROCRYPT
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationParallel Decryption Queries in Bounded Chosen Ciphertext Attacks
Parallel Decryption Queries in Bounded Chosen Ciphertext Attacks Takahiro Matsuda and Kanta Matsuura The University of Tokyo, Japan {tmatsuda,kanta}@iis.u-tokyo.ac.jp Abstract. Whether it is possible to
More informationON CIPHERTEXT UNDETECTABILITY. 1. Introduction
Tatra Mt. Math. Publ. 41 (2008), 133 151 tm Mathematical Publications ON CIPHERTEXT UNDETECTABILITY Peter Gaži Martin Stanek ABSTRACT. We propose a novel security notion for public-key encryption schemes
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More information8 Security against Chosen Plaintext
8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationOn The (In)security Of Fischlin s Paradigm
On The (In)security Of Fischlin s Paradigm PRABHANJAN ANANTH Microsoft Research India prabhanjan.va@gmail.com RAGHAV BHASKAR Microsoft Research India rbhaskar@microsoft.com VIPUL GOYAL Microsoft Research
More informationEl Gamal A DDH based encryption scheme. Table of contents
El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues The El Gamal encryption
More informationChosen-Ciphertext Security without Redundancy
This is the full version of the extended abstract which appears in Advances in Cryptology Proceedings of Asiacrypt 03 (30 november 4 december 2003, Taiwan) C. S. Laih Ed. Springer-Verlag, LNCS 2894, pages
More informationTowards RSA-OAEP without Random Oracles
Towards RSA-OAEP without Random Oracles Nairen Cao 1 Adam O Neill 2 Mohammad Zaheri 3 November 28, 2018 In Memoriam: John C. O Neill (1953 2018). Abstract We give the first positive results about instantiability
More informationSemantic Security and Indistinguishability in the Quantum World
Semantic Security and Indistinguishability in the Quantum World Tommaso Gagliardoni 1, Andreas Hülsing 2, Christian Schaffner 3 1 IBM Research, Swiss; TU Darmstadt, Germany 2 TU Eindhoven, The Netherlands
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which
More information