Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XI
|
|
- Nora Sutton
- 5 years ago
- Views:
Transcription
1 Codes and Cryptography MAMME, Fall 2015 PART XI
2 Outline 1 Defining Security 2
3 Defining a Security Notion Defining security for a particular system requires: Defining the functionality of the system Defining the capabilities of the adversary Defining the goal of the adversary
4 Defining a Security Notion Defining security for a particular system requires: Defining the functionality of the system Defining the capabilities of the adversary Defining the goal of the adversary The latter two can be captured by a random experiment (game) between a Challenger and the Adversary a special outcome indicating success of the Adversary a statement about the probability of that outcome
5 Example 1: One-Way Security Assume that Π = (KeyGen, Enc, Dec) is a symmetric encryption scheme for the spaces M, C, K and security parameter l. Experiment Exp-SE-OW(Π, A, l) : k KeyGen(l); m M l ; c Enc(k, m ); m A(1 l, c ); if m = m output 1; //A wins else output 0;
6 Example 1: One-Way Security Assume that Π = (KeyGen, Enc, Dec) is a symmetric encryption scheme for the spaces M, C, K and security parameter l. Experiment Exp-SE-OW(Π, A, l) : k KeyGen(l); m M l ; c Enc(k, m ); m A(1 l, c ); if m = m output 1; //A wins else output 0; The security statement is Definition (SE-OW) The symmetric encryption scheme Π is SE-OW secure if for all Probabilistic Polynomial-Time Turing Machine (PPTM), A, Pr[Exp-SE-OW(Π, A, l) = 1] negl(l)
7 Example 2: Stronger Attacks In some practical scenarios, an adversary has access to some pairs plaintext/ciphertext for the target key. Experiment Exp-SE-OW(Π, A, l) : k KeyGen(l); m M l ; c Enc(k, m ); m A(1 l, c ); if m = m output 1; //A wins else output 0;
8 Example 2: Stronger Attacks In some practical scenarios, an adversary has access to some pairs plaintext/ciphertext for the target key. Experiment Exp-SE-OW-CPA(Π, A, l) : k KeyGen(l); m M l ; c Enc(k, m ); m A O Enc (1 l, c ); if m = m output 1; //A wins else output 0; Oracle O Enc (m) : output Enc(k, m);
9 Example 2: Stronger Attacks In some practical scenarios, an adversary has access to some pairs plaintext/ciphertext for the target key. Experiment Exp-SE-OW-CCA(Π, A, l) : k KeyGen(l); m M l ; c Enc(k, m ); m A O Enc,O Dec (1 l, c ); if m = m output 1; //A wins else output 0; Oracle O Enc (m) : output Enc(k, m); Oracle O Dec (c) : if c = c output ; //Illegal oracle query else output Dec(k, c);
10 Example 2: Stronger Attacks In some practical scenarios, an adversary has access to some pairs plaintext/ciphertext for the target key. Experiment Exp-SE-OW-CCA(Π, A, l) : k KeyGen(l); m M l ; c Enc(k, m ); m A O Enc,O Dec (1 l, c ); if m = m output 1; //A wins else output 0; Oracle O Enc (m) : output Enc(k, m); Oracle O Dec (c) : if c = c output ; //Illegal oracle query else output Dec(k, c); The number of queries q Enc and q Dec can be considered as additional security parameters
11 Oracle Turing Machine OTM s f = = normal_tape = = oracle_tape Special state: oracle_query The OTM enters in a waiting state until some external entity (not necessarily a Turing Machine) replaces the information in the oracle tape, in unit time. NOTATION: OTM O The oracle tape is used as a communication tape. Interactive Turing Machines can be defined following the same idea.
12 Example 3: Even Stronger Attacks The adversary could have some a priori information about the target plaintext.
13 Example 3: Even Stronger Attacks The adversary could have some a priori information about the target plaintext. Experiment Exp-SE-LR(Π, A, l) : k KeyGen(l); b {0, 1}; b A O LR (1 l ); if b = b output 1; //A wins else output 0; Oracle O LR (m 0, m 1 ) : if length(m 0 ) length(m 1 ) output ; output Enc(k, m b ); //Illegal oracle query
14 Example 3: Even Stronger Attacks Definition (SE-LR) The symmetric encryption scheme Π is SE-LR secure if for all Probabilistic Polynomial-Time Oracle Turing Machine (PPOTM), A, Pr[Exp-SE-LR(Π, A, l) = 1] 1/2 negl(l)
15 Example 3: Even Stronger Attacks Definition (SE-LR) The symmetric encryption scheme Π is SE-LR secure if for all Probabilistic Polynomial-Time Oracle Turing Machine (PPOTM), A, Pr[Exp-SE-LR(Π, A, l) = 1] 1/2 negl(l) The number of queries q LR can be considered as an additional security parameter
16 Example 3: Even Stronger Attacks Definition (SE-LR) The symmetric encryption scheme Π is SE-LR secure if for all Probabilistic Polynomial-Time Oracle Turing Machine (PPOTM), A, Pr[Exp-SE-LR(Π, A, l) = 1] 1/2 negl(l) The number of queries q LR can be considered as an additional security parameter The other notions SE-LR-CPA and SE-LR-CCA are defined accordingly
17 Outline 1 Defining Security 2
18 Translating Languages Reduction: An efficient transformation T : {0, 1} {0, 1} that maps a language L into another language L, and also maps {0, 1} \ L into {0, 1} \ L. NOTATION: L PP L or L reduces to L
19 Translating Languages Reduction: An efficient transformation T : {0, 1} {0, 1} that maps a language L into another language L, and also maps {0, 1} \ L into {0, 1} \ L. NOTATION: L PP L or L reduces to L Definition (PP-Reduction of Languages) A language L is PP-reducible to another language L if there exists a PPTM T and a integer-valued function q poly such that T ({0, 1} l ) {0, 1} q(l), T (L) L and T ({0, 1} \ L) {0, 1} \ L
20 Translating Languages Reduction: An efficient transformation T : {0, 1} {0, 1} that maps a language L into another language L, and also maps {0, 1} \ L into {0, 1} \ L. NOTATION: L PP L or L reduces to L Definition (PP-Reduction of Languages) A language L is PP-reducible to another language L if there exists a PPTM T and a integer-valued function q poly such that T ({0, 1} l ) {0, 1} q(l), T (L) L and T ({0, 1} \ L) {0, 1} \ L Theorem L BPP and L PP L implies L BPP
21 Reducing Computational Problems Let P, P be two (search/decision) problem families.
22 Reducing Computational Problems Let P, P be two (search/decision) problem families. What s the meaning of P is hard on average implies P is hard on average?
23 Reducing Computational Problems Let P, P be two (search/decision) problem families. What s the meaning of P is hard on average implies P is hard on average? Or equivalently, P is not hard on average implies neither is P
24 Reducing Computational Problems Let P, P be two (search/decision) problem families. What s the meaning of P is hard on average implies P is hard on average? Or equivalently, P is not hard on average implies neither is P P is not hard on average means there exists a PPTM with a non-negligible success probability/advantage in solving a random instance of P
25 Reducing Computational Problems Let P, P be two (search/decision) problem families. What s the meaning of P is hard on average implies P is hard on average? Or equivalently, P is not hard on average implies neither is P P is not hard on average means there exists a PPTM with a non-negligible success probability/advantage in solving a random instance of P Showing only the existence is a non-constructive proof. Not meaningful in practice.
26 Reducing Computational Problems Let P, P be two (search/decision) problem families. What s the meaning of P is hard on average implies P is hard on average? Or equivalently, P is not hard on average implies neither is P P is not hard on average means there exists a PPTM with a non-negligible success probability/advantage in solving a random instance of P Showing only the existence is a non-constructive proof. Not meaningful in practice. Constructive proof: Explicitly (and efficiently) build a PPTM solving P from another PPTM solving P
27 Reducing Computational Problems Constructive proofs for the statement P PP P : Give a PPTM R that transforms (the description of) any PPTM A solving a random instance of P into (the description of) another PPTM A = R[A ] solving P such that Succ P,A (l) > negl(l) Succ P,R[A ](l) > negl(l) where Succ P,A (l) is Pr[A(x) sol(x) : x P l ] for search problems, and Pr[A(x) = 1 : x L P {0, 1} l ] Pr[A(x) = 1 : x {0, 1} l \ L P ] for decision problems
28 Black-Box Reductions R is just a Oracle PPTM and now A = R[A ] = R A
29 Black-Box Reductions R is just a Oracle PPTM and now A = R[A ] = R A R has no access to the internals of A, but only to its input-output behavior (functionality)
30 Black-Box Reductions R is just a Oracle PPTM and now A = R[A ] = R A R has no access to the internals of A, but only to its input-output behavior (functionality) Recall that A is non-perfect, i.e., it solves P with a (very small) non-negligible probability/advantage
31 Black-Box Reductions R is just a Oracle PPTM and now A = R[A ] = R A R has no access to the internals of A, but only to its input-output behavior (functionality) Recall that A is non-perfect, i.e., it solves P with a (very small) non-negligible probability/advantage R can run several instances of A on different inputs, but then it is hard to relate Succ P,A (l) and Succ P,R[A ](l)
32 Black-Box Reductions R is just a Oracle PPTM and now A = R[A ] = R A R has no access to the internals of A, but only to its input-output behavior (functionality) Recall that A is non-perfect, i.e., it solves P with a (very small) non-negligible probability/advantage R can run several instances of A on different inputs, but then it is hard to relate Succ P,A (l) and Succ P,R[A ](l) A typical reduction: Black-Box with a single call to A : R[A ] transforms its input x P into x P R[A ] runs A with input x R[A ] computes its output from the output of A
33 Self-Reductions: An Example Probability Amplification by Repetition is an example of Black-Box Self-Reduction of a decision problem
34 Self-Reductions: An Example Probability Amplification by Repetition is an example of Black-Box Self-Reduction of a decision problem R[A ] runs n times A on the same input and decides its output by majority voting among the n outputs
35 Self-Reductions: An Example Probability Amplification by Repetition is an example of Black-Box Self-Reduction of a decision problem R[A ] runs n times A on the same input and decides its output by majority voting among the n outputs For small Succ P,A (l) Succ P,R[A ](l) while time(r[a ], x) n time(a, x) 2n π Succ P,A (l)
36 Self-Reductions: An Example Probability Amplification by Repetition is an example of Black-Box Self-Reduction of a decision problem R[A ] runs n times A on the same input and decides its output by majority voting among the n outputs For small Succ P,A (l) Succ P,R[A ](l) while time(r[a ], x) n time(a, x) 2n π Succ P,A (l) For ( checkable ) search problems and small Succ P,A (l) Succ P,R[A ](l) n Succ P,A (l) and the meaningful quantity for comparisons is probability/time
37 Random Self-Reducibility Definition The decision problem family P is random self-reducible if there exists a PPTM T that transforms any particular instance x P l into a random (uniform) instance in P l.
38 Random Self-Reducibility Definition The decision problem family P is random self-reducible if there exists a PPTM T that transforms any particular instance x P l into a random (uniform) instance in P l. T transforms any probability distribution in P l into the uniform
39 Random Self-Reducibility Definition The decision problem family P is random self-reducible if there exists a PPTM T that transforms any particular instance x P l into a random (uniform) instance in P l. T transforms any probability distribution in P l into the uniform Using T as a self-reduction R T, A(x) = R T [A ](x) = A (T (x)) proves that solving a random instance of P is not easier than (thus, equivalent to) solving all instances in P.
40 Random Self-Reducibility Definition The decision problem family P is random self-reducible if there exists a PPTM T that transforms any particular instance x P l into a random (uniform) instance in P l. T transforms any probability distribution in P l into the uniform Using T as a self-reduction R T, A(x) = R T [A ](x) = A (T (x)) proves that solving a random instance of P is not easier than (thus, equivalent to) solving all instances in P. For a random self-reducible problem average hardness is equivalent to worst-case hardness
41 Applications of Reductions (I) Recall that security definitions are stated as (interactive) problem families.
42 Applications of Reductions (I) Recall that security definitions are stated as (interactive) problem families. Reductions between security notions show implications, or relative hardness, e.g., details... SE-LR-CCA SE-LR-CPA SE-OW-CPA SE-OW (strongest) (weakest)
43 Applications of Reductions (I) Recall that security definitions are stated as (interactive) problem families. Reductions between security notions show implications, or relative hardness, e.g., details... SE-LR-CCA SE-LR-CPA SE-OW-CPA SE-OW (strongest) (weakest) A reduction R from a security notion SEC1 into another notion SEC2 transforms an adversary A 2 breaking SEC2 into another A 1 = R[A 2 ] breaking SEC1.
44 Applications of Reductions (I) Recall that security definitions are stated as (interactive) problem families. Reductions between security notions show implications, or relative hardness, e.g., details... SE-LR-CCA SE-LR-CPA SE-OW-CPA SE-OW (strongest) (weakest) A reduction R from a security notion SEC1 into another notion SEC2 transforms an adversary A 2 breaking SEC2 into another A 1 = R[A 2 ] breaking SEC1. Thus, R simulates any oracle given in SEC2 for A 2, but it can use the oracles given in SEC1.
45 Applications of Reductions (II) Reductions between computational problems show relative strongness of the different security assumptions,
46 Applications of Reductions (II) Reductions between computational problems show relative strongness of the different security assumptions, e.g., for a cyclic group G, DDH G CDH G DLOG G (strongest) (weakest)
47 Applications of Reductions (II) Reductions between computational problems show relative strongness of the different security assumptions, e.g., for a cyclic group G, DDH G CDH G DLOG G (strongest) (weakest) Security proofs by reduction: A reduction of a computational problem family P to the problem of breaking a security notion SEC for a cryptosystem Π, proves security of Π under the assumption that P is hard P SEC Π It reads if someone breaks Π, he also solves P
48 Provable Security Main goal in provable security: Give a proof by reduction under a well-known and well-studied assumption
49 Provable Security Main goal in provable security: Give a proof by reduction under a well-known and well-studied assumption The same assumption can be used for several cryptosystems... even if they are of different type (e.g., encryption and signatures) It makes easier comparing them Cryptoanalysis focus on computational problems and not on specific schemes
50 Provable Security Main goal in provable security: Give a proof by reduction under a well-known and well-studied assumption The same assumption can be used for several cryptosystems... even if they are of different type (e.g., encryption and signatures) It makes easier comparing them Cryptoanalysis focus on computational problems and not on specific schemes
51 Provable Security Main goal in provable security: Give a proof by reduction under a well-known and well-studied assumption The same assumption can be used for several cryptosystems... even if they are of different type (e.g., encryption and signatures) It makes easier comparing them Cryptoanalysis focus on computational problems and not on specific schemes
52 Provable Security Main goal in provable security: Give a proof by reduction under a well-known and well-studied assumption The same assumption can be used for several cryptosystems... even if they are of different type (e.g., encryption and signatures) It makes easier comparing them Cryptoanalysis focus on computational problems and not on specific schemes
53 Provable Security Main goal in provable security: Give a proof by reduction under a well-known and well-studied assumption The same assumption can be used for several cryptosystems... even if they are of different type (e.g., encryption and signatures) It makes easier comparing them Cryptoanalysis focus on computational problems and not on specific schemes... but some reductions are not meaningful in practice...
54 A Remark About Tightness P SEC Π reads if someone breaks Π, he also solves P
55 A Remark About Tightness P SEC Π reads if someone breaks Π, he also solves P More precisely, there exists R such that if A breaks Π in time t 1 with probability/advantage ε 1 > negl(l), then R[A] solves P in time t 2 with probability/advantage ε 2 > negl(l)
56 A Remark About Tightness P SEC Π reads if someone breaks Π, he also solves P More precisely, there exists R such that if A breaks Π in time t 1 with probability/advantage ε 1 > negl(l), then R[A] solves P in time t 2 with probability/advantage ε 2 > negl(l) If t 2 t 1 and ε 2 ε 1, R is tight If t 2 t 1 but ε 2 Cε 1 for some constant C 1, R is almost tight If t 2 t 1 but ε 2 /ε 1 0 as l, R is almost not tight
57 A Remark About Tightness P SEC Π reads if someone breaks Π, he also solves P More precisely, there exists R such that if A breaks Π in time t 1 with probability/advantage ε 1 > negl(l), then R[A] solves P in time t 2 with probability/advantage ε 2 > negl(l) If t 2 t 1 and ε 2 ε 1, R is tight Meaningful reduction! If t 2 t 1 but ε 2 Cε 1 for some constant C 1, R is almost tight Quite meaningful reduction! If t 2 t 1 but ε 2 /ε 1 0 as l, R is almost not tight It depends...
58 A Remark About Tightness P SEC Π reads if someone breaks Π, he also solves P More precisely, there exists R such that if A breaks Π in time t 1 with probability/advantage ε 1 > negl(l), then R[A] solves P in time t 2 with probability/advantage ε 2 > negl(l) If t 2 t 1 and ε 2 ε 1, R is tight Meaningful reduction! If t 2 t 1 but ε 2 Cε 1 for some constant C 1, R is almost tight Quite meaningful reduction! If t 2 t 1 but ε 2 /ε 1 0 as l, R is almost not tight It depends... If t 2 t 1, compare the ratios ε 1 /t 1 and ε 2 /t 2
59 Codes and Cryptography MAMME, Fall 2015 END OF PART XI
60 Extra Slides A Sample Reduction: SE-LR-CPA SE-OW-CPA Experiment Exp-SE-LR-CPA(Π, A, l) : k KeyGen(l); b {0, 1}; b A O LR,O Enc (1 l ); if b = b output 1; else output 0; Oracle O LR (m 0, m 1 ) : if m 0 = m 1 output ; else output Enc(k, m b ); Oracle O Enc (m) : output Enc(k, m); Experiment Exp-SE-OW-CPA(Π, A, l) : k KeyGen(l); m M l ; c Enc(k, m ); m A O Enc (1 l, c ); if m = m output 1; else output 0; Oracle O Enc (m) : output Enc(k, m);
61 Extra Slides A Sample Reduction: SE-LR-CPA SE-OW-CPA Experiment Exp-SE-LR-CPA(Π, A, l) : k KeyGen(l); b {0, 1}; Reduction: b A O LR,O Enc (1 l ); if b = b output 1; else output 0; Oracle O LR (m 0, m 1 ) : if m 0 = m 1 output ; else output Enc(k, m b ); Oracle O Enc (m) : output Enc(k, m); Experiment Exp-SE-OW-CPA(Π, A, l) : k KeyGen(l); m M l ; c Enc(k, m ); m A O Enc (1 l, c ); if m = m output 1; else output 0; Oracle O Enc (m) : output Enc(k, m);
62 Extra Slides A Sample Reduction: SE-LR-CPA SE-OW-CPA Experiment Exp-SE-LR-CPA(Π, A, l) : k KeyGen(l); b {0, 1}; b A O LR,O Enc (1 l ); if b = b output 1; else output 0; Oracle O LR (m 0, m 1 ) : if m 0 = m 1 output ; else output Enc(k, m b ); Oracle O Enc (m) : output Enc(k, m); Reduction: m 0, m 1 M l ; c O LR (m 0, m 1 ); Experiment Exp-SE-OW-CPA(Π, A, l) : k KeyGen(l); m M l ; c Enc(k, m ); m A O Enc (1 l, c ); if m = m output 1; else output 0; Oracle O Enc (m) : output Enc(k, m);
63 Extra Slides A Sample Reduction: SE-LR-CPA SE-OW-CPA Experiment Exp-SE-LR-CPA(Π, A, l) : k KeyGen(l); b {0, 1}; b A O LR,O Enc (1 l ); if b = b output 1; else output 0; Oracle O LR (m 0, m 1 ) : if m 0 = m 1 output ; else output Enc(k, m b ); Oracle O Enc (m) : output Enc(k, m); Reduction: m 0, m 1 M l ; c O LR (m 0, m 1 ); m A O Enc (1 l, c ); Experiment Exp-SE-OW-CPA(Π, A, l) : k KeyGen(l); m M l ; c Enc(k, m ); m A O Enc (1 l, c ); if m = m output 1; else output 0; Oracle O Enc (m) : output Enc(k, m);
64 Extra Slides A Sample Reduction: SE-LR-CPA SE-OW-CPA Experiment Exp-SE-LR-CPA(Π, A, l) : k KeyGen(l); b {0, 1}; b A O LR,O Enc (1 l ); if b = b output 1; else output 0; Oracle O LR (m 0, m 1 ) : if m 0 = m 1 output ; else output Enc(k, m b ); Oracle O Enc (m) : output Enc(k, m); Reduction: m 0, m 1 M l ; c O LR (m 0, m 1 ); m A O Enc (1 l, c ); Experiment Exp-SE-OW-CPA(Π, A, l) : k KeyGen(l); m M l ; c Enc(k, m ); m A O Enc (1 l, c ); if m = m output 1; else output 0; Oracle O Enc (m) : output Enc(k, m);
65 Extra Slides A Sample Reduction: SE-LR-CPA SE-OW-CPA Experiment Exp-SE-LR-CPA(Π, A, l) : k KeyGen(l); b {0, 1}; b A O LR,O Enc (1 l ); if b = b output 1; else output 0; Oracle O LR (m 0, m 1 ) : if m 0 = m 1 output ; else output Enc(k, m b ); Oracle O Enc (m) : output Enc(k, m); Reduction: m 0, m 1 M l ; c O LR (m 0, m 1 ); m A O Enc (1 l, c ); if m = m 1 output 1; else if m = m 0 output 0; else output b {0, 1}; Experiment Exp-SE-OW-CPA(Π, A, l) : k KeyGen(l); m M l ; c Enc(k, m ); m A O Enc (1 l, c ); if m = m output 1; else output 0; Oracle O Enc (m) : output Enc(k, m);
66 Extra Slides A Sample Reduction: SE-LR-CPA SE-OW-CPA Experiment Exp-SE-LR-CPA(Π, A, l) : k KeyGen(l); b {0, 1}; b A O LR,O Enc (1 l ); if b = b output 1; else output 0; Oracle O LR (m 0, m 1 ) : if m 0 = m 1 output ; else output Enc(k, m b ); Oracle O Enc (m) : output Enc(k, m); Reduction: m 0, m 1 M l ; c O LR (m 0, m 1 ); m A O Enc (1 l, c ); if m = m 1 output 1; else if m = m 0 output 0; else output b {0, 1}; Experiment Exp-SE-OW-CPA(Π, A, l) : k KeyGen(l); m M l ; c Enc(k, m ); m A O Enc (1 l, c ); if m = m output 1; else output 0; Oracle O Enc (m) : output Enc(k, m); go back...
Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More informationOn the CCA1-Security of Elgamal and Damgård s Elgamal
On the CCA1-Security of Elgamal and Damgård s Elgamal Cybernetica AS, Estonia Tallinn University, Estonia October 21, 2010 Outline I Motivation 1 Motivation 2 3 Motivation Three well-known security requirements
More informationModern symmetric-key Encryption
Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationAdvanced Topics in Cryptography
Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More informationIdentity-based encryption
Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages
More informationLecture Note 3 Date:
P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................
More informationOutline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More informationLecture 4: Computationally secure cryptography
CS 7880 Graduate Cryptography September 18, 017 Lecture 4: Computationally secure cryptography Lecturer: Daniel Wichs Scribe: Lucianna Kiffer 1 Topic Covered ε-security Computationally secure cryptography
More information1 Indistinguishability for multiple encryptions
CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message
More informationQuantum-secure symmetric-key cryptography based on Hidden Shifts
Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationOn The Security of The ElGamal Encryption Scheme and Damgård s Variant
On The Security of The ElGamal Encryption Scheme and Damgård s Variant J. Wu and D.R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada {j32wu,dstinson}@uwaterloo.ca
More informationLecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More informationSemantic Security and Indistinguishability in the Quantum World
Semantic Security and Indistinguishability in the Quantum World Tommaso Gagliardoni 1, Andreas Hülsing 2, Christian Schaffner 3 1 IBM Research, Swiss; TU Darmstadt, Germany 2 TU Eindhoven, The Netherlands
More informationThe Cramer-Shoup Cryptosystem
The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationNotes on Property-Preserving Encryption
Notes on Property-Preserving Encryption The first type of specialized encryption scheme that can be used in secure outsourced storage we will look at is property-preserving encryption. This is encryption
More informationWhite-Box Security Notions for Symmetric Encryption Schemes
White-Box Security Notions for Symmetric Encryption Schemes Cécile Delerablée 1 Tancrède Lepoint 1,2 Pascal Paillier 1 Matthieu Rivain 1 CryptoExperts 1, École Normale Supérieure2 SAC 2013 Outline 1 What
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More information8 Security against Chosen Plaintext
8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationLecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko
CMSC 858K Advanced Topics in Cryptography February 26, 2004 Lecturer: Jonathan Katz Lecture 10 Scribe(s): Jeffrey Blank Chiu Yuen Koo Nikolai Yakovenko 1 Summary We had previously begun to analyze the
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More information5.4 ElGamal - definition
5.4 ElGamal - definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationPr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]
Midterm Review Sheet The definition of a private-key encryption scheme. It s a tuple Π = ((K n,m n,c n ) n=1,gen,enc,dec) where - for each n N, K n,m n,c n are sets of bitstrings; [for a given value of
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationComplete problems for classes in PH, The Polynomial-Time Hierarchy (PH) oracle is like a subroutine, or function in
Oracle Turing Machines Nondeterministic OTM defined in the same way (transition relation, rather than function) oracle is like a subroutine, or function in your favorite PL but each call counts as single
More informationHistorical cryptography. cryptography encryption main applications: military and diplomacy
Historical cryptography cryptography encryption main applications: military and diplomacy ancient times world war II Historical cryptography All historical cryptosystems badly broken! No clear understanding
More informationShift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3
Shift Cipher For 0 i 25, the ith plaintext character is shifted by some value 0 k 25 (mod 26). E.g. k = 3 a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationTheory of Computation Chapter 12: Cryptography
Theory of Computation Chapter 12: Cryptography Guan-Shieng Huang Dec. 20, 2006 0-0 Introduction Alice wants to communicate with Bob secretely. x Alice Bob John Alice y=e(e,x) y Bob y??? John Assumption
More informationChapter 11. Asymmetric Encryption Asymmetric encryption schemes
Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationLecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics
0368.4162: Introduction to Cryptography Ran Canetti Lecture 11 12th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics Introduction to cryptographic protocols Commitments 1 Cryptographic
More informationNon-malleability under Selective Opening Attacks: Implication and Separation
Non-malleability under Selective Opening Attacks: Implication and Separation Zhengan Huang 1, Shengli Liu 1, Xianping Mao 1, and Kefei Chen 2,3 1. Department of Computer Science and Engineering, Shanghai
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 37 Outline 1 Pseudo-Random Generators and Stream Ciphers 2 More Security Definitions: CPA and CCA 3 Pseudo-Random Functions/Permutations
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationComputational and Statistical Learning Theory
Computational and Statistical Learning Theory TTIC 31120 Prof. Nati Srebro Lecture 6: Computational Complexity of Learning Proper vs Improper Learning Efficient PAC Learning Definition: A family H n of
More informationComputational Complexity Theory
Computational Complexity Theory Marcus Hutter Canberra, ACT, 0200, Australia http://www.hutter1.net/ Assumed Background Preliminaries Turing Machine (TM) Deterministic Turing Machine (DTM) NonDeterministic
More informationGeneral Impossibility of Group Homomorphic Encryption in the Quantum World
General Impossibility of Group Homomorphic Encryption in the Quantum World Frederik Armknecht Tommaso Gagliardoni Stefan Katzenbeisser Andreas Peter PKC 2014, March 28th Buenos Aires, Argentina 1 An example
More informationREMARKS ON IBE SCHEME OF WANG AND CAO
REMARKS ON IBE SCEME OF WANG AND CAO Sunder Lal and Priyam Sharma Derpartment of Mathematics, Dr. B.R.A.(Agra), University, Agra-800(UP), India. E-mail- sunder_lal@rediffmail.com, priyam_sharma.ibs@rediffmail.com
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationChosen-Ciphertext Security (I)
Chosen-Ciphertext Security (I) CS 601.442/642 Modern Cryptography Fall 2018 S 601.442/642 Modern Cryptography Chosen-Ciphertext Security (I) Fall 2018 1 / 20 Recall: Public-Key Encryption Syntax: Genp1
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationLecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004
CMSC 858K Advanced Topics in Cryptography January 27, 2004 Lecturer: Jonathan Katz Lecture 1 Scribe(s): Jonathan Katz 1 Introduction to These Notes These notes are intended to supplement, not replace,
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,
More informationGentry IBE Paper Reading
Gentry IBE Paper Reading Y. Jiang 1 1 University of Wollongong September 5, 2014 Literature Craig Gentry. Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology - EUROCRYPT
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationMaster s thesis, defended on June 20, 2007, supervised by Dr. Oleg Karpenkov. Mathematisch Instituut. Universiteit Leiden
Master s thesis, defended on June 20, 2007, supervised by Dr. Oleg Karpenkov Angela Zottarel Encryption from Weaker Assumptions Master thesis defended on June 28, 2010. Thesis Advisor: dr. Eike Kiltz.
More informationSolutions to homework 2
ICS 180: Introduction to Cryptography 4/22/2004 Solutions to homework 2 1 Security Definitions [10+20 points] Definition of some security property often goes like this: We call some communication scheme
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationCryptography CS 555. Topic 24: Finding Prime Numbers, RSA
Cryptography CS 555 Topic 24: Finding Prime Numbers, RSA 1 Recap Number Theory Basics Abelian Groups φφ pppp = pp 1 qq 1 for distinct primes p and q φφ NN = Z N gg xx mod N = gg [xx mmmmmm φφ NN ] mod
More informationBlock encryption of quantum messages
Block encryption of quantum messages Min Liang 1 and Li Yang,3 1 Data Communication Science and Technology Research Institute, Beijing 100191, China liangmin07@mails.ucas.ac.cn State Key Laboratory of
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More informationA Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which
More informationOn the power of non-adaptive quantum chosen-ciphertext attacks
On the power of non-adaptive quantum chosen-ciphertext attacks joint work with Gorjan Alagic (UMD, NIST), Stacey Jeffery (QuSoft, CWI), and Maris Ozols (QuSoft, UvA) Alexander Poremba August 29, 2018 Heidelberg
More informationComputational and Statistical Learning Theory
Computational and Statistical Learning Theory TTIC 31120 Prof. Nati Srebro Lecture 6: Computational Complexity of Learning Proper vs Improper Learning Learning Using FIND-CONS For any family of hypothesis
More informationScribe for Lecture #5
CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations
More informationCryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography
Cryptography CS 555 Topic 22: Number Theory/Public Key-Cryptography 1 Exam Recap 2 Exam Recap Highest Average Score on Question Question 4: (Feistel Network with round function f(x) = 0 n ) Tougher Questions
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationUnforgeable quantum encryption. Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! (Using AES with 128 bit block size in Galois Counter Mode and SHA2) Authenticated
More informationOn the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups
On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups Goichiro Hanaoka, Takahiro Matsuda, Jacob C.N. Schuldt Research Institute for Secure Systems (RISEC)
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019
Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationLecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]
CMSC 858K Advanced Topics in Cryptography February 19, 2004 Lecturer: Jonathan Katz Lecture 8 Scribe(s): Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan 1 Introduction Last time we introduced
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationPROPERTY PRESERVING SYMMETRIC ENCRYPTION REVISITED
PROPERTY PRESERVING SYMMETRIC ENCRYPTION REVISITED SANJIT CHATTERJEE AND M. PREM LAXMAN DAS Abstract. At Eurocrypt 12, Pandey and Rouselakis [PR12a] proposed the notion of property preserving symmetric
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationProvable Security against Side-Channel Attacks
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationWinter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2
0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More information