Hash-based signatures & Hash-and-sign without collision-resistance
|
|
- Jesse Moore
- 5 years ago
- Views:
Transcription
1 Hash-based signatures & Hash-and-sign without collision-resistance Andreas Hülsing
2 Hash-based Signature Schemes [Mer89] Post quantum Only secure hash function Security well understood Fast PAGE 2
3 RSA DSA EC-DSA... Intractability Assumption Cryptographic hash function RSA, DH, SVP, MQ, Digital signature scheme PAGE 3
4 (Hash) function families H n h k : {0,1} m n {0,1} n m(n) n efficient {0,1} n h k m n {0,1}
5 One-wayness H n h k : {0,1} m n {0,1} n y c, k h $ k H n x $ {0,1} h k x y c m n Success if h k x = y c x
6 Collision resistance H n h k : {0,1} m n {0,1} n k h k $ H n Success if h k x 1 = h k x 2 (x 1, x 2 )
7 Second-preimage resistance H n h k : {0,1} m n {0,1} n x c, k h $ k H n x $ m n c {0,1} Success if h k x c = h k x x
8 Undetectability H n h k : {0,1} m n {0,1} n h k $ H n b $ {0,1} If b = 1 else x $ m n {0,1} y c h k (x) y c $ {0,1} n y c, k b*
9 Pseudorandomness H n h k : {0,1} m n {0,1} n 1 n b x y = g(x) g If b = 1 g $ H n else g $ U m n,n b*
10 Assumption / Attacks Hash-function properties stronger / easier to break Collision-Resistance 2 nd -Preimage- Resistance weaker / harder to break One-way Pseudorandom PAGE 10
11 Attacks on Hash Functions MD5 Collisions (theo.) MD5 Collisions (practical!) SHA-1 Collisions (theo.) MD5 & SHA-1 No (Second-) Preimage Attacks! PAGE 11
12 Basic Construction PAGE 12
13 Lamport-Diffie OTS [Lam79] Message M = b1,,bm, OWF H * = n bit SK PK sk 1,0 sk 1,1 sk m,0 sk m,1 H H H H H H pk 1,0 pk 1,1 pk m,0 pk m,1 b1 Mux b2 Mux bm Mux Sig sk 1,b1 sk m,bm PAGE 13
14 EU-CMA for OTS pk, 1 n sk M (σ, M) SIGN (σ, M ) Success if M M and Verify pk, σ, M = Accept TU Darmstadt Andreas Hülsing 14
15 Security Theorem: If H is one-way then LD-OTS is one-time eu-cmasecure.
16 Reduction Input: y c, k Set H h k Replace random pk i,b sk 1,0 sk 1,1 sk m,0 sk m,1 H H H H H H pk 1,0 pk 1,1 y c pk m,0 pk m,1
17 Reduction Input: y c, k Set H h k Adv. Message: M = b1,,bm If bi = b return fail else return Sign(M) Replace random pk i,b? sk 1,0 sk 1,1 sk m,0 sk m,1 H H H H H pk 1,0 pk 1,1 y c pk m,0 pk m,1 b1 Mux b2 Mux bm Mux sk 1,b1 sk m,bm
18 Reduction Input: y c, k Set H h k Choose random pk i,b Forgery: M* = b1*,,bm*, σ = σ 1,, σ m If bi b return fail Else return σ i? σ i sk 1,0 sk 1,1 σ i sk m,0 sk m,1 H H H H H pk 1,0 pk 1,1 y c pk m,0 pk m,1
19 Reduction - Analysis Abort in two cases: 1. bi = b probability ½ : b is a random bit 2. bi b probability 1-1/m: At least one bit has to flip as M* M Reduction succeeds with A s success probability times 1/2m.
20 Merkle s Hash-based Signatures PK H SIG = (i=2,,,,, ) H OTS H H H H H H H H H H H H H OTS OTS OTS OTS OTS OTS OTS OTS SK PAGE 20
21 Security Theorem: MSS is eu-cma-secure if OTS is a one-time eu-cma secure signature scheme and H is a random element from a family of collision resistant hash functions.
22 Reduction Input: k, pk OTS 1. Choose random 0 i < 2 h 2. Generate key pair using pk OTS as ith OTS public key and H h k 3. Answer all signature queries using sk or sign oracle (for index i) 4. Extract OTS-forgery or collision from forgery
23 Reduction (Step 4, Extraction) Forgery: (i, σ OTS 1. If pk OTS, pk OTS, AUTH) equals OTS pk we used for i OTS, we got an OTS forgery. Can only be used if i = i. 2. Else adversary used different OTS pk. Hence, different leaves. Still same root! Pigeon-hole principle: Collision on path to root.
24 Winternitz-OTS
25 Recap LD-OTS [Lam79] Message M = b1,,bm, OWF H * = n bit SK sk 1,0 sk 1,1 sk m,0 sk m,1 H H H H H H PK pk 1,0 pk 1,1 pk m,0 pk m,1 b1 Mux b2 Mux bn Mux Sig sk 1,b1 sk m,bm
26 LD-OTS in MSS SIG = (i=2,,,,, ) Verification: 1. Verify 2. Verify authenticity of We can do better!
27 Trivial Optimization Message M = b1,,bm, OWF H * = n bit SK sk 1,0 sk 1,1 sk m,0 sk m,1 H H H H H H PK pk 1,0 pk 1,1 pk m,0 pk m,1 b1 Mux Mux b1 bm Mux Mux bm Sig sig 1,0 sig 1,1 sig m,0 sig m,1
28 Optimized LD-OTS in MSS Verification: X SIG = (i=2,,,,, ) 1. Compute from 2. Verify authenticity of Steps together verify
29 Germans love their Ordnung! Message M = b 1,,b m, OWF H SK: sk 1,,sk m,sk m+1,,sk 2m PK: H(sk 1 ),,H(sk m ),H(sk m+1 ),,H(sk 2m ) Encode M: M = M M = b 1,,b m, b 1,, b m (instead of b 1, b 1,,b m, b m ) Sig: sig i = sk i, if b i = 1 H(sk i ), otherwise Checksum with bad performance!
30 Optimized LD-OTS Message M = b 1,,b m, OWF H SK: sk 1,,sk m,sk m+1,,sk m+log m PK: H(sk 1 ),,H(sk m ),H(sk m+1 ),,H(sk m+log m ) Encode M: M = b 1,,b m, 1 m b i Sig: sig i = sk i, if b i = 1 H(sk i ), otherwise IF one b i is flipped from 1 to 0, another b j will flip from 0 to 1
31 Function chains Function family: H n h k : {0,1} n {0,1} n h k $ H n Parameter w Chain: c i ( x) i 1 h k ( c ( x)) hk hk hk ( x) i times c 0 (x) = x c 1 (x) = h k (x) c w 1 (x)
32 WOTS Winternitz parameter w, security parameter n, message length m, function family H n c 0 (sk 1 ) = sk 1 Key Generation: Compute l, sample h k pk 1 = c w-1 (sk 1 ) c 1 (sk 1 ) c 1 (sk l ) pk l = c w-1 (sk l ) c 0 (sk l ) = sk l
33 WOTS Signature generation M b 1 b 2 b 3 b 4 b m b m +1 b m +2 b l c 0 (sk 1 ) = sk 1 pk 1 = c w-1 (sk 1 ) C σ 1 =c b 1(sk 1 ) Signature: σ = (σ 1,, σ l ) pk l = c w-1 (sk l ) c 0 (sk l ) = sk l σ l =c b l (sk l )
34 WOTS Signature Verification Verifier knows: M, w b 1 b 2 b 3 b 4 b m b m +1 b l 1+2 b l σ 1 Signature: σ = (σ 1,, σ l ) c 1 (σ 1 ) c 2 (σ 1 ) c 3 (σ 1 ) σ l pk 1 =? c w 1 b 1 (σ 1 ) pk l =? c w 1 b l (σ l )
35 WOTS Function Chains For x 0,1 n define c 0 x = x and WOTS: c i x = h k (c i 1 x ) WOTS $ : c i x = h c i 1 x (r) WOTS + : c i x = h k (c i 1 x r i )
36 WOTS Security Theorem (informally): W-OTS is strongly unforgeable under chosen message attacks if H n is a collision resistant family of undetectable one-way functions. W-OTS $ is existentially unforgeable under chosen message attacks if H n is a pseudorandom function family. W-OTS + is strongly unforgeable under chosen message attacks if H n is a 2 nd -preimage resistant family of undetectable one-way functions.
37 XMSS
38 XMSS Tree: Uses bitmasks Leafs: Use binary tree with bitmasks OTS: WOTS + Mesage digest: Randomized hashing Collision-resilient -> signature size halved H b i H
39 Multi-Tree XMSS Uses multiple layers of trees -> Key generation (= Building first tree on each layer) Θ(2 h ) Θ(d2 h/d ) -> Allows to reduce worst-case signing times Θ(h/2) Θ(h/2d)
40 How to Eliminate the State
41 Protest? PAGE
42 Few-Time Signature Schemes PAGE 43
43 Recap LD-OTS Message M = b1,,bn, OWF H * = n bit SK PK sk 1,0 sk 1,1 sk n,0 sk n,1 H H H H H H pk 1,0 pk 1,1 pk n,0 pk n,1 b1 Mux b2 Mux bn Mux Sig sk 1,b1 sk n,bn PAGE 44
44 HORS [RR02] Message M, OWF H, CRHF H = n bit Parameters t=2 a,k, with m = ka (typical a=16, k=32) * SK sk 1 sk 2 sk t-1 sk t H H H H H H PK pk 1 pk 1 pk t-1 pk t PAGE 45
45 HORS mapping function Message M, OWF H, CRHF H = n bit Parameters t=2 a,k, with m = ka (typical a=16, k=32) * M H b 1 b 2 b a b ar i 1 i k PAGE 46
46 HORS Message M, OWF H, CRHF H * = n bit Parameters t=2 a,k, with m = ka (typical a=16, k=32) SK sk 1 sk 2 sk t-1 sk t H H H H H H PK pk 1 pk 1 pk t-1 pk t H (M) b 1 b 2 b a b a+1 b ka-2 b ka-1 b ka i 1 Mux Mux i k sk i1 sk ik PAGE 47
47 HORS Security M mapped to k element index set M i {1,, t} k Each signature publishes k out of t secrets Either break one-wayness or r-subset-resilience: After seeing index sets M i j for r messages msg j, 1 j r, hard to find msg r+1 i msg j such that M r+1 1 j r M i j. Best generic attack: Succ r-ssr (A, q) = q rk t Security shrinks with each signature! k PAGE 48
48 HORST Using HORS with MSS requires adding PK (tn) to MSS signature. HORST: Merkle Tree on top of HORS-PK New PK = Root Publish Authentication Paths for HORS signature values PK can be computed from Sig With optimizations: tn (k(log t x + 1) + 2 x )n E.g. SPHINCS-256: 2 MB 16 KB Use randomized message hash PAGE 49
49 SPHINCS Stateless Scheme XMSS MT + HORST + (pseudo-)random index Collision-resilient Deterministic signing SPHINCS-256: 128-bit post-quantum secure Hundrest of signatures / sec 41 kb signature 1 kb keys
50 Hash & sign without collision resistance
51 PKC with variable-length inputs Hard to build variable input length constructions (Schoolbook RSA) Direct constructions are inefficient (See the hash-based constructions for long messages) Full adversarial control over input can harm security (Schoolbook RSA) For encryption: Use hybrid encryption -> PKE only encrypts short symmetric key. For signatures: Hash-and-sign -> SIG only signs short message digest
52 Security of Hash & Sign Theorem. Given an EU-CMA-secure Signature scheme for fixed-length inputs and a collision-resistant family of hash functions. The hash & sign signature scheme for varibable-length inputs, obtained by first applying a hash function from the family and then signing the resulting digest, is EU-CMA-secure.
53 Reminder EU-CMA PK, 1 n SK q M i (σ i, M i ) SIGN (σ*, M*) Success if M* M i, Ɐ i [0, q] and Verify(pk,σ*,M*) = Accept
54 Security of Hash & Sign Reduction Input: pk & access to SIGN, hash function key k. Output: Forgery or collision. Give (pk, k) as public key to A. Answer signing queries M i computing md i = h k (M i ) and sending md i to SIGN. Given forgery (M, σ ) compute md = h k (M ) If i q: md == md i, return collision (M, M i ) Else, return forgery (md, σ )
55
56 Recall: Attacks on Hash Functions MD5 Collisions (theo.) MD5 Collisions (practical!) SHA-1 Collisions (theo.) MD5 & SHA-1 No (Second-) Preimage Attacks! PAGE 57
57 Target-collision resistance (TCR) H n h k : {0,1} m n {0,1} n Run 1 Run 2 H n x c, k, S h k $ H n Success if h k x c = h k x x c, S x
58 Assumption / Attacks Target-collision resistance stronger / easier to break Collision-Resistance 2 nd -Preimage- Resistance TCR weaker / harder to break One-way Pseudorandom
59 TCR vs. SPR TCR -> SPR: Note that A in Run 2 is just an SPR adversary! Every TCR function family must be SPR! SPR -> TCR: Per construction Given a SPR function, use key of length m Key the function by XORing key to message: h k x = h(x k)
60 TCR of XOR construction Reduction Input: SPR function h, target x c Output: Second-preimage x for x c Run TCR adversary A to obtain x c Compute k = x c x c Output x = x x c x c Note: h k x c = h x c k = h x c x c x c = h x c = h k x = h x k = h x x c x c = h(x )
61 TCR Hash & Sign Input: Fixed input-length signature scheme SIG=(KeyGen,Sign, Verify), TCR function family Output: Variable input length signature scheme SIG KeyGen = KeyGen Sign : Given M, sk sample random function key k, compute md = h k (M), compute σ = Sign((k md), sk), return σ = (k, σ) Verify : Compute md = h k (M), output Verify((k md), σ, pk)
62 Security of TCR Hash & Sign Reduction Input: pk & access to SIGN, hash function key k oracle. Output: Forgery or target-collision. Give pk as public key to A. Answer signing queries M i sending M i to oracle to get k i, computing md i = h k (M i ) and sending md i to SIGN. Given forgery (M, σ ) = (M, (k, σ )) compute md = h k (M ) If i q: md == md i, return collision (k i, M, M i ) Else, return forgery (md, σ )
63 Note: If the k i weren t signed, the second-to-last step wouldn t work! An adversary could output a forgery (M, σ ) = (M, (k, σ )) such that h k M = md = md i = h ki M i, for some i q, but k k i. Hence, (k i, M, M i ) is no target-collision! However, σ i still works as signature for md. EU-CMA of fixed-length input SIG not violated! Really need to sign keys!
64 Problem using XOR-construction: Key-length == Message-length Sign((k md), sk) We have to sign messages of length hash function key-length + digest length Even decreased possible message length!
65 Bellare & Rogway: XOR-tree m Reduce key-length to 2n log 2. (m-bit message, n-bit n digest) Given SPR hash h: 0,1 2n 0,1 n split message into m, n-bit blocks n m Build binary hash tree of height t = log 2 using n message blocks as leaves. (Assume t is integer) Keying: Split key into t 2n-bit blocks b j called bitmasks. XOR values on level j with j-th bitmask before applying h md is root of tree
66 NODE i,j j = H h b l,j XOR XOR b r,j j = 0 NODE 2i,j-1 NODE 2i+1,j-1
67 XOR-tree Reduction Input: SPR function h, target x c Output: Second-preimage x for x c Select random node N i,j in tree Given message M, compute tree up to children N 2i,j 1, N 2i +1,j 1 of N i,j, sampling the required b j at random. Select b j = (N 2i,j 1 N 2i +1,j 1 ) x c
68 XOR-tree Reduction, cont d Input: SPR function h, target x c Output: Second-preimage x for x c Select b j = (N 2i,j 1 N 2i +1,j 1 ) x c N i,j = h N 2i,j 1 N 2i +1,j 1 b j = h N 2i,j 1 N 2i +1,j 1 (N 2i,j 1 N 2i +1,j 1 ) x c = h(x c )
69 XOR-tree Reduction, cont d Select remaining b j at random Run M = A(M, k, S) with k = (b 1,, b t ) Compute x = N 2i,j 1 N 2i +1,j 1 b j from M and output it. Remember MSS reduction? As M M but h k M = h k M there must exist at least one node which is equal in both trees but has different children in the trees obtained from M and M. We selected a random node, so hit it with probability (#nodes) 1 = 2m 1 1 n
70 XOR-tree 2n log 2 m n still pretty large! Can be improved, but not asymptotically. For a large group of constructions, key length O log 2 m is optimal!
71
72 Approach 1: ROM An RO, keyed by prefixing with key, is a TCR hash function. No way to get TCR from Merkle-Damgard construction without (implicitly) assuming collision resistance.
73 Approach 2: etcr H n h k : {0,1} m n {0,1} n Run 1 Run 2 H n x c, k, S h k $ H n Success if h k x c = h k x x c, S k, x
74 Note: If the k i weren t signed, the second-to-last step wouldn t work! An adversary could Now output ok! a forgery (M, σ ) = (M, (k, σ )) such Don t that need to sign keys! h k M = md = md i = h ki M i, for some i q, but k k i. Hence, (k i, M, M i ) is no target-collision! However, σ i still works as signature for md. Still need to send key along with signature! EU-CMA of fixed-length input SIG not violated! Really need to sign keys!
75 Approach 2: etcr Can get short-key-constructions in standard model (from pretty strong, non-common assumptions) RO with prefixed key has this property Just require it as property from new hash functions (SHA-3 competition).
76 Real life version: Randomized Hashing etcr-hash & sign: SIGN M, sk = R, SIGN H R M, sk a R = PRF(sk b, M) where Not provably weaker assumption than collision resistance. In practice: Known collision does not help as R is unpredictable.
77 The multi-target issue What s the attack target? A special single Person? Wouldn t anyone in the company work? Wouldn t the ability to forge for any of Google s servers be sufficient?...
78 Cert 1 Cert 2 Cert 3 Cert 4
79 The multi-target issue Neglected in EU-CMA model Relevant in practice! Can significantly harm security! Assume security of signature relies on hardness of finding preimage Finding single preimage takes O(2 n ) time... Finding one out of p preimages takes O 2n p time
80 Multi-target etcr attack Collect as many signatures of as many possible vicitims as possible. Store the message digests used in the sigs in sorted DB Start search for k, x such that h k x matches entry in DB Complexity goes down from O(2 n ) to O 2n p
81 Preventing multi-target attacks, state of the art Not known how to prevent this for single user (without state / signing k) Can reduce #targets p: SIGN M, sk = R, SIGN H R pk M, sk a where R = PRF(sk b, M) Makes hash depending on pk For good hash function H, attacker has to decide on target for each evaluation of H. For stateful schemes: Also add signature index.
82 Multi-target attack prevention Used in recent Internet Drafts (e.g. draft-irtf-cfrgeddsa-08, draft-irtf-cfrg-xmss-hash-basedsignatures-07) If scheme already uses randomness (EC-DSA: R = r B) might reuse that -> authenticates R! Price for avoiding collision resistance...
83 Thank you! Questions? For references & further literature see PAGE 84
Hash-based Signatures. Andreas Hülsing
Hash-based Signatures Andreas Hülsing Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters 23-2-2016 PAGE 2... 1 3 1 4 2 3 2 2 3 2 3 4 1 2 1 2 1 1 y x x x x
More informationMitigating Multi-Target-Attacks in Hash-based Signatures. Andreas Hülsing joint work with Joost Rijneveld, Fang Song
Mitigating Multi-Target-Attacks in Hash-based Signatures Andreas Hülsing joint work with Joost Rijneveld, Fang Song A brief motivation Trapdoor- / Identification Scheme-based (PQ-)Signatures Lattice, MQ,
More informationHash-based Signatures
Hash-based Signatures Andreas Hülsing Summer School on Post-Quantum Cryptography June 2017, TU Eindhoven Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters
More informationAn update on Hash-based Signatures. Andreas Hülsing
An update on Hash-based Signatures Andreas Hülsing Trapdoor- / Identification Scheme-based (PQ-)Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters 9-9-2015 PAGE 2... 1
More informationSPHINCS: practical stateless hash-based signatures
SPHINCS: practical stateless hash-based signatures D. J. Bernstein, D. Hopwood, A. Hülsing, T. Lange, R. Niederhagen, L. Papachristodoulou, P. Schwabe, and Z. Wilcox O'Hearn Digital Signatures are Important!
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationXMSS A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions
XMSS A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions Johannes Buchmann and Andreas Hülsing {buchmann,huelsing}@cdc.informatik.tu-darmstadt.de Cryptography and Computeralgebra
More informationMitigating Multi-Target Attacks in Hash-based Signatures
Mitigating Multi-Target Attacks in Hash-based Signatures Andreas Hülsing 1, Joost Rijneveld 2, and Fang Song 3 1 Department of Mathematics and Computer Science Technische Universiteit Eindhoven P.O. Box
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously Digital Signatures Algorithms: Gen() à (sk,pk) Sign(sk,m) à σ Ver(pk,m,σ) à 0/1 Correctness: Pr[Ver(pk,m,Sign(sk,m))=1:
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Asymmetric Crypto ECC RSA DSA Symmetric Crypto AES SHA2 SHA1... Combination of both
More informationTransitive Signatures Based on Non-adaptive Standard Signatures
Transitive Signatures Based on Non-adaptive Standard Signatures Zhou Sujing Nanyang Technological University, Singapore, zhousujing@pmail.ntu.edu.sg Abstract. Transitive signature, motivated by signing
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationDigital signature schemes
Digital signature schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction digital signature scheme security of digital
More informationOptimal Parameters for XMSS MT
Optimal Parameters for XMSS MT Andreas Hülsing, Lea Rausch, and Johannes Buchmann Cryptography and Computeralgebra Department of Computer Science TU Darmstadt, Germany huelsing@cdc.informatik.tu-darmstadt.de
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationA Composition Theorem for Universal One-Way Hash Functions
A Composition Theorem for Universal One-Way Hash Functions Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com Abstract. In this paper we present a new scheme
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among
More informationLecture 1. Crypto Background
Lecture 1 Crypto Background This lecture Crypto background hash functions random oracle model digital signatures and applications Cryptographic Hash Functions Hash function takes a string of arbitrary
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationNotes for Lecture 9. 1 Combining Encryption and Authentication
U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationShort Signatures Without Random Oracles
Short Signatures Without Random Oracles Dan Boneh and Xavier Boyen (presented by Aleksandr Yampolskiy) Outline Motivation Preliminaries Secure short signature Extensions Conclusion Why signatures without
More informationQuantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security
Quantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security Flight plan What s a quantum computer? How broken are your public keys? AES vs. quantum search Hidden quantum powers Defeating quantum computing
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationSIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography
SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 8 of Trappe and Washington DIGITAL SIGNATURES message sig 1. How do we bind
More informationFoundations of Cryptography
- 111 - Foundations of Cryptography Notes of lecture No. 10B & 11 (given on June 11 & 18, 1989) taken by Sergio Rajsbaum Summary In this lecture we define unforgeable digital signatures and present such
More informationIntroduction to Information Security
Introduction to Information Security Lecture 4: Hash Functions and MAC 2007. 6. Prof. Byoungcheon Lee sultan (at) joongbu. ac. kr Information and Communications University Contents 1. Introduction - Hash
More informationENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions
ENEE 457: Computer Systems Security 09/19/16 Lecture 6 Message Authentication Codes and Hash Functions Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationIntroduction to Cryptography
B504 / I538: Introduction to Cryptography Spring 2017 Lecture 12 Recall: MAC existential forgery game 1 n Challenger (C) k Gen(1 n ) Forger (A) 1 n m 1 m 1 M {m} t 1 MAC k (m 1 ) t 1 m 2 m 2 M {m} t 2
More informationFPGA-BASED ACCELERATOR FOR POST-QUANTUM SIGNATURE SCHEME SPHINCS-256
IMES FPGA-BASED ACCELERATOR FOR POST-QUANTUM SIGNATURE SCHEME SPHINCS-256 Dorian Amiet 1, Andreas Curiger 2 and Paul Zbinden 1 1 HSR Hochschule für Technik, Rapperswil, Switzerland 2 Securosys SA, Zürich,
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationIntroduction to Cryptography Lecture 4
Data Integrity, Message Authentication Introduction to Cryptography Lecture 4 Message authentication Hash functions Benny Pinas Ris: an active adversary might change messages exchanged between and M M
More informationOptimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample
Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample Fuchun Guo 1, Rongmao Chen 2, Willy Susilo 1, Jianchang Lai 1, Guomin Yang 1, and Yi Mu 1 1 Institute
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationW-OTS + Shorter Signatures for Hash-Based Signature Schemes
W-OTS + Shorter Signatures for Hash-Based Signature Schemes Andreas Hülsing huelsing@cdc.informati.tu-darmstadt.de Cryptography and Computeralgebra Department of Computer Science TU Darmstadt Abstract.
More informationJohn Hancock enters the 21th century Digital signature schemes. Table of contents
John Hancock enters the 21th century Digital signature schemes Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents From last time: Good news and bad There
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationCryptographic Solutions for Data Integrity in the Cloud
Cryptographic Solutions for Stanford University, USA Stanford Computer Forum 2 April 2012 Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. Homomorphic
More informationLecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from
Lecture 14 More on Digital Signatures and Variants COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Setting the Stage We will cover in more depth some issues for
More informationEx1 Ex2 Ex3 Ex4 Ex5 Ex6
Technische Universität München (I7) Winter 2012/13 Dr. M. Luttenberger / M. Schlund Cryptography Endterm Last name: First name: Student ID no.: Signature: If you feel ill, let us know immediately. Please,
More informationDigital Signatures. p1.
Digital Signatures p1. Digital Signatures Digital signature is the same as MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem. Message m MAC k (m) Message
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationTowards Tightly Secure Lattice Short Signature and Id-Based Encryption
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt 16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationAn introduction to Hash functions
An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27
More informationHigher Order Universal One-Way Hash Functions from the Subset Sum Assumption
Higher Order Universal One-Way Hash Functions from the Subset Sum Assumption Ron Steinfeld, Josef Pieprzyk, Huaxiong Wang Dept. of Computing, Macquarie University, Australia {rons, josef, hwang}@ics.mq.edu.au
More informationII. Digital signatures
II. Digital signatures Alice m Bob Eve 1. Did Bob send message m, or was it Eve? 2. Did Eve modify the message m, that was sent by Bob? 1 Digital signatures Digital signature - are equivalent of handwritten
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationOptimal Parameters for XMSSMT
Optimal Parameters for XMSSMT Andreas Hülsing, Lea Rausch, Johannes Buchmann To cite this version: Andreas Hülsing, Lea Rausch, Johannes Buchmann. Optimal Parameters for XMSSMT. Alfredo Cuzzocrea; Christian
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationUninstantiability of Full-Domain Hash
Uninstantiability of based on On the Generic Insecurity of, Crypto 05, joint work with Y.Dodis and R.Oliveira Krzysztof Pietrzak CWI Amsterdam June 3, 2008 Why talk about this old stuff? Why talk about
More informationHash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34
Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:
More information2: Iterated Cryptographic Hash Functions
2: Iterated ryptographic Hash Functions we want hash function H : ({0, 1} n ) {0, 1} n of potentially infinite input size instead we have compression function F : {0, 1} m {0, 1} n {0, 1} n and define
More informationFrom Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes
From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationImproving Stateless Hash-Based Signatures
Improving Stateless Hash-Based Signatures Jean-Philippe Aumasson 1 and Guillaume Endignoux 2 1 Kudelski Security, Switzerland 2 Google, Switzerland Abstract. We present several optimizations to SPHINCS,
More informationCryptographic Hash Functions
Cryptographic Hash Functions Çetin Kaya Koç koc@ece.orst.edu Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 Technical Report December 9, 2002 Version 1.5 1 1 Introduction
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 20, 2014 CPSC 467, Lecture 15 1/37 Common Hash Functions SHA-2 MD5 Birthday Attack on Hash Functions Constructing New
More informationSchnorr Signature. Schnorr Signature. October 31, 2012
. October 31, 2012 Table of contents Salient Features Preliminaries Security Proofs Random Oracle Heuristic PKS and its Security Models Hardness Assumption The Construction Oracle Replay Attack Security
More informationShort Signatures From Diffie-Hellman: Realizing Short Public Key
Short Signatures From Diffie-Hellman: Realizing Short Public Key Jae Hong Seo Department of Mathematics, Myongji University Yongin, Republic of Korea jaehongseo@mju.ac.kr Abstract. Efficient signature
More informationSecure Signatures and Chosen Ciphertext Security in a Post-Quantum World
Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World Dan Boneh Mark Zhandry Stanford University {dabo,zhandry}@cs.stanford.edu Abstract We initiate the study of quantum-secure digital
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationMessage Authentication Codes (MACs)
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationHigher Order Universal One-Way Hash Functions
Higher Order Universal One-Way Hash Functions Deukjo Hong 1, Bart Preneel 2, and Sangjin Lee 1 1 Center for Information Security Technologies(CIST), Korea University, Seoul, Korea {hongdj,sangjin}@cist.korea.ac.kr
More informationDesign Paradigms for Building Multi-Property Hash Functions
Design Paradigms or Building Multi-Property Hash Functions Thomas Ristenpart UCSD Security and Cryptography Lab Lorentz Workshop June, 2008 Multi-property hash unctions One hash unction with many security
More informationProblem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed
Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical
More information3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function
3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function Praveen Gauravaram 1, William Millan 1, Juanma Gonzalez Neito 1, Edward
More informationSampling Lattice Trapdoors
Sampling Lattice Trapdoors November 10, 2015 Today: 2 notions of lattice trapdoors Efficient sampling of trapdoors Application to digital signatures Last class we saw one type of lattice trapdoor for a
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationMarch 19: Zero-Knowledge (cont.) and Signatures
March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o
More informationAnalysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes
Analysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes Alexandra Boldyreva 1 and Marc Fischlin 2 1 College of Computing, Georgia Institute of Technology, 801 Atlantic Drive,
More informationHashes and Message Digests Alex X. Liu & Haipeng Dai
Hashes and Message Digests Alex X. Liu & Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University Integrity vs. Secrecy Integrity: attacker cannot
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationDigital Signatures from Strong RSA without Prime Genera7on. David Cash Rafael Dowsley Eike Kiltz
Digital Signatures from Strong RSA without Prime Genera7on David Cash Rafael Dowsley Eike Kiltz Digital Signatures Digital signatures are one of mostly deployed cryptographic primi7ves. Digital Signatures
More information12 Hash Functions Defining Security
12 Hash Functions A hash function is any function that takes arbitrary-length input and has fixed-length output, so H : {0, 1} {0, 1} n. Think of H (m) as a fingerprint of m. Calling H (m) a fingerprint
More informationLecture 10: NMAC, HMAC and Number Theory
CS 6903 Modern Cryptography April 10, 2008 Lecture 10: NMAC, HMAC and Number Theory Instructor: Nitesh Saxena Scribes: Jonathan Voris, Md. Borhan Uddin 1 Recap 1.1 MACs A message authentication code (MAC)
More informationClarifying the subset-resilience problem
Clarifying the subset-resilience problem Jean-Philippe Aumasson 1 and Guillaume Endignoux 2 1 Kudelski Security, Switzerland 2 firstname.surname@m4x.org Abstract. We investigate the subset-resilience problem,
More informationLecture 10: NMAC, HMAC and Number Theory
CS 6903 Modern Cryptography April 13, 2011 Lecture 10: NMAC, HMAC and Number Theory Instructor: Nitesh Saxena Scribes: Anand Desai,Manav Singh Dahiya,Amol Bhavekar 1 Recap 1.1 MACs A Message Authentication
More informationHASH FUNCTIONS. Mihir Bellare UCSD 1
HASH FUNCTIONS Mihir Bellare UCSD 1 Hashing Hash functions like MD5, SHA1, SHA256, SHA512, SHA3,... are amongst the most widely-used cryptographic primitives. Their primary purpose is collision-resistant
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 14 October 16, 2013 CPSC 467, Lecture 14 1/45 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending
More informationPerfectly-Crafted Swiss Army Knives in Theory
Perfectly-Crafted Swiss Army Knives in Theory Workshop Hash Functions in Cryptology * supported by Emmy Noether Program German Research Foundation (DFG) Hash Functions as a Universal Tool collision resistance
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationImproved Security for Linearly Homomorphic Signatures: A Generic Framework
Improved Security for Linearly Homomorphic Signatures: A Generic Framework Stanford University, USA PKC 2012 Darmstadt, Germany 23 May 2012 Problem: Computing on Authenticated Data Q: How do we delegate
More informationEnforcing honesty of certification authorities: Tagged one-time signature schemes
Enforcing honesty of certification authorities: Tagged one-time signature schemes Information Security Group Royal Holloway, University of London bertram.poettering@rhul.ac.uk Stanford, January 11, 2013
More informationProvable Chosen-Target-Forced-Midx Preimage Resistance
Provable Chosen-Target-Forced-Midx Preimage Resistance Elena Andreeva and Bart Mennink (K.U.Leuven) Selected Areas in Cryptography Toronto, Canada August 11, 2011 1 / 15 Introduction Hash Functions 2 /
More information