An Identification Scheme Based on KEA1 Assumption
|
|
- Marilyn Berry
- 6 years ago
- Views:
Transcription
1 All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to SCIS 2006 does not prevent future submissions to any journals or conferences with proceedings. SCIS 2006 The 2006 Symposium on Cryptography and Information Security Hiroshima, Japan, Jan , 2006 The Institute of Electronics, Information and Communication Engineers An Identification Scheme Based on KEA1 Assumption Natsumi Kawashima Seigo Arita Abstract There are three well-known identification schemes: Fiat-Shamir, GQ and Schnorr identification schemes. All of them are proven secure against passive or active attacks under number theoretic assumptions. However, the efficiencies of reductions in those proofs are not tight, since they need rewinding. We show an identification scheme IDKEA1. Although it needs four exchanges of messages and slightly more exponentiations, IDKEA1 is proved to be secure under KEA1 assumption with tight reduction to DLA. The idea underlying IDKEA1 is to use extractable commitment for prover s commitment. In the proof of security, the simulator can open the commitment in two different ways: one by the non-black-box extractor of KEA1 assumption and the another through the simulated transcript. So, we don t need to rewind and can prove the security without the loss of efficiency of the reduction. Keywords: identification scheme, rewinding, KEA1 assumption, tight reduction. 1 Introduction 1.1 Zero-Knowledge Identification Scheme The zero-knowledge identification scheme is a triple (K, P, V ) of probabilistic polynomial-time algorithms. Key-generator K generates a pair (pk, sk) of public and private keys on input security parameter k. Prover P with the secret key sk (and the public key pk) proves its identity to verifier V (with the public key pk) through showing its possession of sk in (honest-verifier) zeroknowledge. The major security goal of identification scheme is to prevent an adversary A with no secret key sk from impersonating the prover P. Such an adversary A is called passive if A only eavesdrops message flows between honest P and honest V. If A acts as a cheating prover or verifier beyond eavesdropping, A is called active adversary. In particular, if A can act as a cheating verifier concurrently against several prover clones with the same secret key, the attack is called concurrent attack, in which interest has been growing. There are three well-known identification schemes: Fiat-Shamir [5], GQ [6] and Schnorr [8] identification schemes. Fiat-Shamir scheme is proven to be secure against impersonation of active adversary based on the difficulty of integer factorization problem. However, it needs rather long secret keys. GQ identification scheme is an extension of Fiat-Shamir scheme, which reduces both number of messages exchanged and memory requirements for secret keys. GQ identification scheme is proven to be secure against passive and concurrent attack under RSA assumption and One-moreinversion assumption, respectively [3]. Schnorr identification scheme is an alternative to Fiat-Shamir and GQ schemes. It is also proven to be secure against passive and concurrent attack under DLA (Discrete Log- Institute of Information Security, Graduate School of Information Security, Japan. arithmic Assumption) and One-More-DL assumption, respectively [3]. 1.2 Provable Security of Identification Scheme Let us briefly see how the proof of the security against impersonation does work in the case of Schnorr scheme. Remember that in Schnorr scheme, P has a secret key x and V has a public key q, g, h(= g x ). P randomly chooses k from Z q, computes a commitment t = g k and sends t to V. V, then, randomly chooses a challenge c from Z q and sends c to P. P responses y = k + xc to V, which sees whether y can correctly open h c t or not, that is, the equality of g y = h c t. Suppose there is an adversary A which can impersonate a prover in Schnorr scheme with a non-negligible probability. A simulator S invokes a copy of A, which is given a public key h(= g x ) of security parameter k, and plays a role of a verifier. The simulator S, receiving a cheating commitment t from A, sends a random challenge c to A and gets a cheating response y. Then, we have g y = h c t with the probability equal to success probability of A. Now, we rewind S to the point generating a random challenge to get a new challenge c 1 and the corresponding new response y1. We have g y 1 = h c 1 t also with the probability equal to success probability of A. Then, we can compute the discrete logarithm x = (y y1)(c c 1 ) 1 of h with the probability of square of success probability of A. Thus, we have with some negligible function η Adv imp (k) Adv dl G,E(k) + η(k), where Adv imp and Advdl G,E denotes the advantage of the impersonator A against ID and the advantage of the extractor E of DLP (Discrete Logarithmic Problem) on G = g, respectively. This contradicts to DLA. Note the time-complexity t E of E is about the twice t E (k) 2t A (k) + O(k 3 ).
2 The above (standard) proof depends on the wellknown technique rewind to extract. As seen above, the technique sacrifices the efficiency of the reduction. The probability to extract the secret is only the square of probability of the successful attack. The similar situation holds also for Fiat-Shamir and GQ schemes. 1.3 Our results We show an identification scheme IDKEA1. Although it needs four messages exchanged and one more and two more exponentiations for a prover and a verifier respectively than Schnorr s scheme, IDKEA1 is proved to be secure under KEA1 assumption [7, 4] with tight reduction to DLA. The idea underlying IDKEA1, which is inspired by Barak s generic non-back-box techniques [1, 2], is to use extractable commitment for prover s commitment. The extractable commitment is actually extractable only by the simulator who can use the nonblack-box extractor of KEA1 assumption. In the proof of security, the simulator can open the commitment in two different ways: one by the non-black-box extractor and the another through the simulated transcript. So, we don t need to use the rewind technique and can prove the security without the loss of efficiency of the reduction. Our first main theorem is as follows. Theorem 1. Under the assumptions DLA and KEA1 is secure under passive attack. More precisely, for all passive adversary A = (A 1, A 2 ) against the scheme, there is DL extractor E and a negligible function η( ) satisfying (k) Advdl G,E(k) + η(k). Furthermore, the time-complexity of E is about the twice t E (k) 2t A (k) + O(k 3 q(k)), where q(k) denotes the number of queries by A 1. Using the variant OMDL+ of OMDL assumption [3], we can prove IDKEA1 is secure even under the concurrent attack also with tight reduction: Theorem 2. Under the assumptions OMDL+ and KEA1 is secure under the concurrent attack. More precisely, for all adversary A = (A 1, A 2 ) under the concurrent attack against the scheme, there is OMDL+ solver I and a negligible function η( ) satisfying (k) Advomdl+ (k) + η(k). Furthermore, the time-complexity of I is about the twice t I (k) 2t A (k) + O(n(k) k 3 ), where n(k) denotes the number of prover clones in the concurrent attack. 1.4 Related works [4] shows 3-Round Zero-Knowledge protocol in which KEA3 assumption (a variant of KEA1) is used to prove its soundness. However the role played by KEA3 assumption is different from ours. The proof of the soundness in [4] needs the rewinding to extract the secret of the cheating prover. [9] shows a proof of knowledge system of DL knowledge, which establishes the tight reduction to DLA in the random oracle model. Our protocol doesn t rely on the random oracle. 2 Definitions and Assumptions In this section, we clarify the security of identification scheme under passive and concurrent attacks and introduce two assumptions KEA1 [7, 4] and OMDL Definition of security of id scheme Let a triple ID = (K, P, V ) of probabilistic polynomialtime algorithms be an identification scheme. Key-generator K generates a pair (pk, sk) of public and private keys on input security parameter k. Prover P with the secret key sk (and the public key pk) proves its identity to verifier V (with the public key pk) through showing its possession of sk. The security of identification scheme ID under passive attack is defined as follows. In the following A 1 acts as an eavesdropper of conversations between an honest prover and an honest verifier. After halting A 1 with output some string St, A 2 with St tries to impersonate the prover. Definition 1 (Security under passive attack). Let a triple ID = (K, P, V ) of probabilistic polynomialtime algorithms be an identification scheme. Let A = (A 1, A 2 ) be any probabilistic polynomial-time adversary. For ID and A, an experiment Exp imp pa is defined as follows (ɛ denotes the empty string). Exp imp pa : (pk, sk) K(k); Invoke A 1 (pk); When A 1 makes query ɛ, reply with the simulated transcript between P (sk, pk) and V (pk); Let St be an output of A 1 ; Invoke A 2 (St); Simulate responses of verifier V (pk) to A 2 (St); Output 1 if the simulated V accepts; else output 0. Then, the advantage of adversary A against ID under passive attack is defined by (k) = Pr[Expimp pa(k) = 1]. ID is called secure under passive attack if for any probabilistic polynomial-time adversary A the advantage ( ) is upper bounded by a negligible function. The security of identification scheme ID under concurrent attack is defined as follows. In the following A 1 acts as a cheating verifier that can take place in concurrent conversations with several prover clones P i (sk)
3 with the same secret key. Those conversations can be interleaved in any ways. After halting A 1 with output some string St, A 2 with St tries to impersonate the prover P (sk). Definition 2 (Security under concurrent attack). Let a triple ID = (K, P, V ) of probabilistic polynomialtime algorithms be an identification scheme. Let A = (A 1, A 2 ) be any probabilistic polynomial-time adversary. For ID and A = (A 1, A 2 ), an experiment Exp imp ca is defined as follows. Exp imp ca : (pk, sk) K(k); Invoke A 1 (pk); Simulate responses of prover clones P i (sk) concurrently to A 1 ; Let St be an output of A 1 ; Invoke A 2 (St); Simulate responses of verifier V (pk) to A 2 ; Output 1 if the simulated V accepts; else output 0. Then, the advantage of adversary A against ID under concurrent attack is defined by (k) = Pr[Expimp ca(k) = 1]. ID is called secure under concurrent attack if for any probabilistic polynomial-time adversary A its advantage ( ) is upper bounded by a negligible function. 2.2 KEA1 assumption KEA1 assumption [7, 4] for group G = g means that it is possible only when one knows b to generate a DH-pair (g b, g ab ) for a randomly selected g a. Definition 3 (KEA1 Assumption [4]). Let G be a probabilistic polynomial-time algorithm which on input a security parameter k, outputs a prime number q of k bits and a generator g of a group of order q. Let H be any probabilistic polynomial-time algorithm which on input q, g, A( g ) and an auxiliary input w, outputs a pair (B,W) of elements in G. Let H be an extractor for H, that is, any probabilistic polynomial-time algorithm which on input q, g, A and an auxiliary input w, outputs b. For any string w and such G, H, H, an experiment Exp w G,H,H is defined as follows. Exp w G,H,H : (q, g) G(1 k ); a $ Z q ; A = g a ; (B, W ) H(q, g, A, w); b H (q, g, A, w); If W = B a, B g b then return 1; Else return 0. Then, the advantage of adversary H in G for extractor H is defined by Adv w G,H,H (k) = Pr[Expw G,H,H (k) = 1]. G is called to satisfy KEA1 assumption if for any w and any adversary H with time-complexity t H (k), there exists an extractor H with the negligible Adv w G,H,H (k) and with time-complexity t H (k) not larger than time complexity t H (k) of H. KEA1 assumption in [4] is stated without such an auxiliary input w or the condition on the time-complexity. Providing the auxiliary input w for both H and H seems not to affect the validness of the assumption. The condition t H (k) t H (k) on the time-complexity is seemed valid, since H is being assumed to need b to construct (B, W ). 2.3 OMDL+ assumption OMDL+ assumption is a stronger version of OMDL assumption used in [3]. OMDL assumption means it is difficult to solve one more DLP (Discrete Logarithmic Problem) instance even if one is provided with several randomly selected DLP instances with their answers, all sharing the same base element. OMDL+ assumption is stronger in the sense that the challenge problems are given with some hints. Definition 4 (OMDL+ Assumption). Let G be a probabilistic polynomial-time algorithm which on input a security parameter k, outputs a prime number q of k bits and a generator g of a group of order q. Let I be any probabilistic polynomial-time algorithm which on input q, g outputs x 1,..., x n using the challenge oracle CO and the DL oracle DL. The challenge oracle CO g given query h answers with a pair of g x and h x, where x is randomly chosen from Z q independently by every query. The DL oracle DL g, given query h, answers with x satisfying h = g x. For such G and I, an experiment Exp omdl+ is defined as follows. Exp omdl+ : (q, g) G(1 k ); Invoke I CO g,dl g (q, g); When I makes a query to CO g, let CO g reply with such (g i, h i ); When I makes query h to DL g, let DL g reply with log g (h); Let (x 1,..., x n ) be an output of I; Let (g 1, h 1 ),..., (g n, h n ) be the overall challenges by CO g ; Let m be the number of the overall replies by DL g ; If g i = g x i for all i = 1,..., n and m < n then return 1; Else return 0. Then, the advantage of adversary I against G is defined by Adv omdl+ (k) = Pr[Exp omdl+ (k) = 1]. G is called to satisfy OMDL+ assumption if for any probabilistic polynomial-time algorithm adversary I its advantage Adv omdl+ ( ) is upper bounded by a negligible function. It is easily seen that OMDL+ assumption means OMDL assumption and that OMDL assumption means CDH assumption or OMDL+ assumption. 3 The Identification Scheme IDKEA1 We describe our identification scheme IDKEA1= {K, P, V }.
4 Let G be a probabilistic polynomial-time algorithm which given security parameter k outputs a prime number q of k bits and a generator g of a group of order q. Key-generation algorithm K of IDKEA1 on input k runs G(k) to get q, g 1, chooses x randomly from Z q, computes h 1 = g x 1 and outputs x and q, g 1, h 1 as a secret key and a public key, respectively. In IDKEA1, prover P (with a secret key x) proves its identity to verifier V (with a public key q, g 1, h 1 ) as follows. 1 V randomly selects a from Z q and computes g 2 = g a 1. V sends g 2 to P. 2 P randomly selects m 0 from Z q and computes c 1 = g m 0 1, c 2 = g m 0 2. P sends c 1, c 2 to V. 3 V sees whether c 2 = c a 1 or not. If not V aborts, else V randomly selects r from Z q and sends r to P. 4 P computes m = m 0 rx and sends m to V. 5 V sees whether c 1 = g m 1 h r 1 dose hold or not. If it does, V accepts. Otherwise V rejects. As seen above, IDKEA1 needs two exponentiations for a prover and three exponentiations for a verifier, and it needs four message exchanged. Thus, IDKEA1 is not so efficient as Schnorr identification scheme in computations and communications. However, IDKEA1 has security proof with tight reduction without the loss of security. 4 Security of IDKEA1 We prove the security of IDKEA1. In the proof, the simulator can open the cheating prover s commitment in two different ways: one by the non-black-box extractor of KEA1 assumption and the another through the simulated transcript. So, we don t need to rewind. 4.1 Security under passive attack Security of IDKEA1 under passive attack is proven under the assumptions DLA and KEA1 with tight reduction. Theorem 1. Under the assumptions DLA and KEA1 is secure under passive attack. More precisely, for all passive adversary A = (A 1, A 2 ) against the scheme, there is DL extractor E and a negligible function η( ) satisfying (k) Advdl G,E(k) + η(k). Furthermore, the time-complexity of E is about the twice t E (k) 2t A (k) + O(k 3 q(k)), where q(k) denotes the number of queries by A 1. Proof. Let A = (A 1, A 2 ) be any passive adversary against ID = {K, P, V }. We construct a DL extractor E by using A. Let q, g 1, h 1 be generated as in K(k): q, g 1 G(k); x $ Z q ; h 1 = g x 1. On inputs q, g 1, h 1, DL extractor E proceeds as follows. 1 E starts the adversary A 1 with inputs q, g 1, h 1. When A 1 makes a query ɛ, E computes a $ Zq ; g 2 = g a $ Zq m, r c 1 = g1 m h r 1 ; c 2 = c a 1 and answer A 1 with transcript (g 2, (c 1, c 2), r, m ). Note the simulated transcripts are distributed just as real ones between honest P and V. Suppose A 1 halts and outputs string St. 2 E starts the adversary A 2 with input St and with random coins R. E randomly selects a from Z q, computes g 2 = g1, a and gives g 2 to A 2. Suppose A 2 replies with message c 1, c 2. If c 1 a c 2, then E aborts. Else E randomly selects r from Z q and sends r to A 2. Then, A 2 is supposed to output m and halt. If c 1 g1 m h r 1, E aborts. Note informations given to A 2 are distributed just as real ones given by real V. 3 Consider the following KEA1 adversary H on inputs (of the above) g 1, g 2 and w = St, R: KEA1 adversary H(g 1, g 2, (St, R)): Invoke A 2 (St; R); Give g 2 to A 2 ; Get c 1, c 2 from A 2 ; Output c 1, c 2. E invokes the corresponding extractor H to H on the same inputs: m 0 H (g 1, g 2, (St, R)); 4 E outputs ˆx = (m 0 m )r 1. Now we evaluate the success probability Pr[ˆx = x] of the DL extractor E. Let Imp be an event that A 2 successfully impersonates P in the above simulation by E and Ext be an event the equation c 1 = g m 0 1 does hold. Note that if Imp holds, we have If Ext holds, we have 1 c 2 = c a 1, c 1 = g1 m h r 1. (1) c 1 = g m 0 1. (2) By the second equation of Equation (1) and Equation (2), we see x = (m 0 m )r 1 = ˆx.
5 Thus, So, Pr[ˆx = x] Pr[Imp Ext] Pr[Imp] Pr[ Ext Imp] Pr[Imp] Pr[ˆx = x] + Pr[ Ext Imp]. By the definition of Ext and Imp, Pr[ Ext Imp] Pr[c 2 = c a 1 c 1 g m 0 1 ]. However, by KEA1 assumption w.r.t. H and H, the right-hand side of the above inequality is upper bounded by a negligible function η( ). So, we have Pr[Imp] Pr[ˆx = x] + η. This means the claimed inequality for the advantages. Since KEA1 assumes that t H t H, the inequality for the time-complexity is easily seen. 4.2 Security under concurrent attack Under OMDL+ and KEA1 assumptions, IDKEA1 is proven to be secure even under the concurrent attack also with tight reduction. Theorem 2. Under the assumptions OMDL+ and KEA1 is secure under the concurrent attack. More precisely, for all adversary A = (A 1, A 2 ) under the concurrent attack against the scheme, there is OMDL+ solver I and a negligible function η( ) satisfying (k) Advomdl+ (k) + η(k). Furthermore, the time-complexity of I is about the twice t I (k) 2t A (k) + O(n(k) k 3 ), where n(k) denotes the number of prover clones in the concurrent attack. Proof. Let A = (A 1, A 2 ) be any adversary in concurrent attack against ID = {K, P, V }. We construct an OMDL+ solver I by using A. Let q, g 1 be generated by q, g 1 G(k). On inputs q, g 1, OMDL+ solver I proceeds as follows. 1 I randomly chooses a from Z q and computes g 2 = g1 a. I sends g 2 to the challenge oracle CO g1 to get the response h 1 (= g x0 1 ), h 2(= g 2x 0 ). I starts the adversary A 1 with inputs q, g 1, h 1. 2 When A 1 sends the message g2 (i) to some prover clone (in the i-th session), I forwards the message g2 (i) to the challenge oracle CO g1 and get the response c (i) 1 (= gxi 1 ), c(i) 2 (= g 2 (i)x i ). I hands c (i) 1, c(i) 2 to A 1. When A 1 sends the response message r (i) to the prover clone, I makes a query c (i) 1 h r (i) 1 to the DL oracle DL g1 and gets the response m (i), which is transferred to A 1 by I. Suppose A 1 halts and outputs string St after performing concurrently such n sessions(i = 1,..., n). It is easy to see that the above simulation of prover clones for A 1 is perfect. 3 I starts the adversary A 2 with input St and with random coins R. I randomly selects a from Z q, computes g 2 = g1, a and gives g 2 to A 2. Suppose A 2 replies with message c 1, c 2. If c 1 a c 2, then I aborts. Else I randomly selects r from Z q and sends r to A 2. Then, A 2 is supposed to output m and halt. If c 1 g1 m h r 1, I aborts. Note the simulation of verifier V is perfect for A 2. 4 Consider the following KEA1 adversary H on inputs (of the above) g 1, g 2 and w = St, R: KEA1 adversary H(g 1, g 2, (St, R)): Invoke A 2 (St; R); Give g 2 to A 2 ; Get c 1, c 2 from A 2 ; Output c 1, c 2. I invokes the corresponding extractor H to H on the same inputs: m 0 H (g 1, g 2, (St, R)); 5 I outputs ˆx 0 = (m 0 m )r 1 and ˆx i = m (i) + ˆx 0 r (i) for i = 1,..., n. Now we evaluate the success probability Pr[ ˆx i = x i (i = 0, 1,..., n)] of the OMDL+ solver I. Let Imp be an event that A 2 successfully impersonates P in the above simulation by I and Ext be an event the equation c 1 = g m 0 1 does hold. Note that if Imp holds, we have If Ext holds, we have c 2 = c a 1, c 1 = g1 m h r 1. (3) c 1 = g m 0 1. (4) By the second equation of Equation (3) and Equation (4), we see and since g m(i) Thus, x 0 = (m 0 m )r 1 = ˆx 0, = c (i) 1 h r (i) 1, we have x i = DL g1 (c (i) 1 ) = m(i) + x 0 r (i) = ˆx i. Pr[ ˆx i = x i (i = 0, 1,..., n)] Pr[Imp Ext] So, Pr[Imp] Pr[ Ext Imp] Pr[Imp] Pr[ ˆx i = x i (i = 0, 1,..., n)]+pr[ Ext Imp].
6 By the definition of Ext and Imp, Pr[ Ext Imp] Pr[c 2 = c a 1 c 1 g m 0 1 ]. However, by KEA1 assumption w.r.t. H and H, the right-hand side of the above inequality is upper bounded by a negligible function η( ). So, we have Pr[Imp] Pr[ ˆx i = x i (i = 0, 1,..., n)] + η. This means the claimed inequality for the advantages. Since KEA1 assumes that t H t H, the inequality for the time-complexity is easily seen. References [1] B. Barak, How to go beyond the black-box simulation barrier, Proc. 42nd FOCS, pp , IEEE, [2] B. Barak, and Y. Lindell, Strict Polynomial-time in Simulation and Extraction, In Proceedings of the 34th Annual Symposium on Theory of Computing. ACM, [3] M. Bellare and A. Palacio, GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks, pp , Proc. of Crypto 2002, LNCS [4] M. Bellare and A. Palacio, The Knowledgeof-Exponent Assumptions and 3-Round Zero- Knowledge Protocols, pp , Proc. of Crypto 2004, LNCS [5] A. Fiat and A. Shamir, How to prove yourself: Practical solutions to identification and signature problems, Proc. of Crypto 86, LNCS 263. [6] L. Guillou and J.J. Quisquater, A paradoxical identity-based signature scheme resulting from zero-knowledge, Proc. of Crypto 88, LNCS 403. [7] S. Hada and T. Tanaka, On the existence of 3-round zero-knowledge protocols, pp , Proc. of Crypto 98, LNCS [8] C. P. Schnorr, Efficient signature generation by smart cards, Journal of Cryptology, 4(3), pp , [9] I. Teranishi, Computationally efficient signature scheme with tight security reduction to Discrete Logarithm Problem, SCIS 05, 3E3-4, 2005.
PAPER An Identification Scheme with Tight Reduction
IEICE TRANS. FUNDAMENTALS, VOL.Exx A, NO.xx XXXX 200x PAPER An Identification Scheme with Tight Reduction Seiko ARITA, Member and Natsumi KAWASHIMA, Nonmember SUMMARY There are three well-known identification
More informationGQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks
GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks [Mihir Bellare, Adriana Palacio] Iliopoulos Fotis School of Electrical and Computer Engineering
More informationON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL
1 ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL GIOVANNI DI CRESCENZO Telcordia Technologies, Piscataway, NJ, USA. E-mail: giovanni@research.telcordia.com IVAN VISCONTI Dipartimento di Informatica
More informationIdentification Schemes of Proofs of Ability Secure against Concurrent Man-in-the-Middle Attacks
Identification Schemes of Proofs of Ability Secure against Concurrent Man-in-the-Middle Attacks Hiroaki Anada and Seiko Arita Institute of Information Security, Yokohama, Japan hiroaki.anada@gmail.com,
More informationA Note on the Cramer-Damgård Identification Scheme
A Note on the Cramer-Damgård Identification Scheme Yunlei Zhao 1, Shirley H.C. Cheung 2,BinyuZang 1,andBinZhu 3 1 Software School, Fudan University, Shanghai 200433, P.R. China {990314, byzang}@fudan.edu.cn
More informationHomework 3 Solutions
5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationThe Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols
The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols Mihir Bellare and Adriana Palacio Dept. of Computer Science & Engineering, University of California, San Diego 9500 Gilman Drive,
More informationPAIRING-BASED IDENTIFICATION SCHEMES
PAIRING-BASED IDENTIFICATION SCHEMES DAVID FREEMAN Abstract. We propose four different identification schemes that make use of bilinear pairings, and prove their security under certain computational assumptions.
More informationEntity Authentication
Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The
More informationImpossibility and Feasibility Results for Zero Knowledge with Public Keys
Impossibility and Feasibility Results for Zero Knowledge with Public Keys Joël Alwen 1, Giuseppe Persiano 2, and Ivan Visconti 2 1 Technical University of Vienna A-1010 Vienna, Austria. e9926980@stud3.tuwien.ac.at
More informationSession 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University
Session 4: Efficient Zero Knowledge Yehuda Lindell Bar-Ilan University 1 Proof Systems Completeness: can convince of a true statement Soundness: cannot convince for a false statement Classic proofs: Written
More informationAugmented Black-Box Simulation and Zero Knowledge Argument for NP
Augmented Black-Box Simulation and Zero Knowledge Argument for N Li Hongda, an Dongxue, Ni eifang The Data Assurance and Communication Security Research Center, School of Cyber Security, University of
More informationThe Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols
A preliminary version of this paper appeared in Advances in Cryptology CRYPTO 04, Lecture Notes in Computer Science ol.??, M. Franklin ed., Springer-erlag, 2004. This is the full version. The Knowledge-of-Exponent
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationMTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R
More informationPairing-Based Identification Schemes
Pairing-Based Identification Schemes David Freeman Information Theory Research HP Laboratories Palo Alto HPL-2005-154 August 24, 2005* public-key cryptography, identification, zero-knowledge, pairings
More informationIdentity-Based Identification Schemes
Identity-Based Identification Schemes Guomin Yang Centre for Computer and Information Security Research School of Computing and Information Technology University of Wollongong G. Yang (CCISR, SCIT, UOW)
More informationOn The (In)security Of Fischlin s Paradigm
On The (In)security Of Fischlin s Paradigm Prabhanjan Ananth 1, Raghav Bhaskar 1, Vipul Goyal 1, and Vanishree Rao 2 1 Microsoft Research India prabhanjan.va@gmail.com,{rbhaskar,vipul}@microsoft.com 2
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationInteractive Zero-Knowledge with Restricted Random Oracles
Interactive Zero-Knowledge with Restricted Random Oracles Moti Yung 1 and Yunlei Zhao 2 1 RSA Laboratories and Department of Computer Science, Columbia University, New York, NY, USA. moti@cs.columbia.edu
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More informationA Fair and Efficient Solution to the Socialist Millionaires Problem
In Discrete Applied Mathematics, 111 (2001) 23 36. (Special issue on coding and cryptology) A Fair and Efficient Solution to the Socialist Millionaires Problem Fabrice Boudot a Berry Schoenmakers b Jacques
More informationLecture 10: Zero-Knowledge Proofs
Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam
More informationStatistically Secure Sigma Protocols with Abort
AARHUS UNIVERSITY COMPUTER SCIENCE MASTER S THESIS Statistically Secure Sigma Protocols with Abort Author: Anders Fog BUNZEL (20112293) Supervisor: Ivan Bjerre DAMGÅRD September 2016 AARHUS AU UNIVERSITY
More informationAnalysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh
Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh Bruno Produit Institute of Computer Science University of Tartu produit@ut.ee December 19, 2017 Abstract This document is an analysis
More informationInteractive protocols & zero-knowledge
Interactive protocols & zero-knowledge - interactive protocols formalize what can be recognized by polynomial time restricted verifiers in arbitrary protocols - generalizes NP - zero-knowledge formalizes
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationOn The (In)security Of Fischlin s Paradigm
On The (In)security Of Fischlin s Paradigm PRABHANJAN ANANTH Microsoft Research India prabhanjan.va@gmail.com RAGHAV BHASKAR Microsoft Research India rbhaskar@microsoft.com VIPUL GOYAL Microsoft Research
More informationDigital Signatures from Challenge-Divided Σ-Protocols
Digital Signatures from Challenge-Divided Σ-Protocols Andrew C. Yao Yunlei Zhao Abstract Digital signature is one of the basic primitives in cryptography. A common paradigm of obtaining signatures, known
More informationFoundations of Cryptography
- 111 - Foundations of Cryptography Notes of lecture No. 10B & 11 (given on June 11 & 18, 1989) taken by Sergio Rajsbaum Summary In this lecture we define unforgeable digital signatures and present such
More informationConstant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model
Electronic Colloquium on Computational Complexity, Report No. 48 (2005) Constant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model Moti Yung Yunlei Zhao Abstract We present constant-round
More informationIntroduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes
Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 03 13 More
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More informationHow many rounds can Random Selection handle?
How many rounds can Random Selection handle? Shengyu Zhang Abstract The construction of zero-knowledge proofs can be greatly simplified if the protocol is only required be secure against the honest verifier.
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationEfficient Password-based Authenticated Key Exchange without Public Information
An extended abstract of this paper appears in ESORICS 2007, J. Biskup and J. Lopez (Eds.), volume 4734 of LNCS, pp. 299-310, Sringer-Verlag, 2007. Efficient Password-based Authenticated Key Exchange without
More informationThe Round-Complexity of Black-Box Zero-Knowledge: A Combinatorial Characterization
The Round-Complexity of Black-Box Zero-Knowledge: A Combinatorial Characterization Daniele Micciancio and Scott Yilek Dept. of Computer Science & Engineering, University of California, San Diego 9500 Gilman
More informationIII. Authentication - identification protocols
III. Authentication - identification protocols Definition 3.1 A cryptographic protocol is a distributed algorithm describing precisely the interaction between two or more parties, achieving certain security
More informationTightly-Secure Signatures From Lossy Identification Schemes
Tightly-Secure Signatures From Lossy Identification Schemes Michel Abdalla, Pierre-Alain Fouque, Vadim Lyubashevsky, and Mehdi Tibouchi 2 École normale supérieure {michel.abdalla,pierre-alain.fouque,vadim.lyubashevsky}@ens.fr
More informationMarch 19: Zero-Knowledge (cont.) and Signatures
March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationPractical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
More informationConcurrent Non-malleable Commitments from any One-way Function
Concurrent Non-malleable Commitments from any One-way Function Margarita Vald Tel-Aviv University 1 / 67 Outline Non-Malleable Commitments Problem Presentation Overview DDN - First NMC Protocol Concurrent
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il
More informationTransitive Signatures Based on Non-adaptive Standard Signatures
Transitive Signatures Based on Non-adaptive Standard Signatures Zhou Sujing Nanyang Technological University, Singapore, zhousujing@pmail.ntu.edu.sg Abstract. Transitive signature, motivated by signing
More informationOutline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More informationThe odd couple: MQV and HMQV
The odd couple: MQV and HMQV Jean-Philippe Aumasson 1 / 49 Summary MQV = EC-DH-based key agreement protocol, proposed by Menezes, Qu and Vanstone (1995), improved with Law and Solinas (1998), widely standardized
More informationConstructing Provably-Secure Identity-Based Signature Schemes
Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of Science, Bangalore November 23, 2013 Overview Table of contents Background Formal Definitions Schnorr Signature
More informationExtracting Witnesses from Proofs of Knowledge in the Random Oracle Model
Extracting Witnesses from Proofs of Knowledge in the Random Oracle Model Jens Groth Cryptomathic and BRICS, Aarhus University Abstract We prove that a 3-move interactive proof system with the special soundness
More informationCryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95
Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95 Jean-Sébastien Coron and David Naccache Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France {jean-sebastien.coron,
More informationProofs of Storage from Homomorphic Identification Protocols
Proofs of Storage from Homomorphic Identification Protocols Giuseppe Ateniese The Johns Hopkins University ateniese@cs.jhu.edu Seny Kamara Microsoft Research senyk@microsoft.com Jonathan Katz University
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationPublic Key Authentication with One (Online) Single Addition
Public Key Authentication with One (Online) Single Addition Marc Girault and David Lefranc France Télécom R&D 42 rue des Coutures F-14066 Caen, France {marc.girault,david.lefranc}@francetelecom.com Abstract.
More informationImproved ID-based Authenticated Group Key Agreement Secure Against Impersonation Attack by Insider
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationCommunication-Efficient Non-Interactive Proofs of Knowledge with Online Extractors
Communication-Efficient Non-Interactive Proofs of Knowledge with Online Extractors Marc Fischlin Institute for Theoretical Computer Science, ETH Zürich, Switzerland marc.fischlin @ inf.ethz.ch http://www.fischlin.de/
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationHow to Go Beyond the Black-Box Simulation Barrier
How to Go Beyond the Black-Box Simulation Barrier Boaz Barak December 30, 2008 Abstract The simulation paradigm is central to cryptography. A simulator is an algorithm that tries to simulate the interaction
More informationConstant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model
Electronic Colloquium on Computational Complexity, Revision 1 of Report No. 48 (2005) Constant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model Moti Yung Yunlei Zhao Abstract We present
More informationInteractive protocols & zero-knowledge
Interactive protocols & zero-knowledge - interactive protocols formalize what can be recognized by polynomial time restricted verifiers in arbitrary protocols - generalizes NP - zero-knowledge formalizes
More informationResettable Zero-Knowledge in the Weak Public-Key Model
Resettable Zero-Knowledge in the Weak Public-Key Model Yunlei Zhao 1,3, Xiaotie Deng 2, C.H. Lee 2, and Hong Zhu 3 1 Software School Fudan University, Shanghai, China csylzhao@cityu.edu.hk 2 Department
More informationSchnorr Signature. Schnorr Signature. October 31, 2012
. October 31, 2012 Table of contents Salient Features Preliminaries Security Proofs Random Oracle Heuristic PKS and its Security Models Hardness Assumption The Construction Oracle Replay Attack Security
More informationOn the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner 1, Alon Rosen 2, and Ronen Shaltiel 3 1 Microsoft Research, New England Campus. iftach@microsoft.com 2 Herzliya Interdisciplinary
More informationDecentralized Identity Management Scheme and its Realization by RSA and Discrete-Log-Based Encryption
Computer Security Symposium 2014 22-24 October 2014 RSA 814-0002 2-1-22 SRP 7 anada@isit.or.jp 819-0395 744 2 712 {kawamoto,sakurai}@inf.kyushu-u.ac.jp 510632 601 cryptjweng@gmail.com RSA Lenstra Decentralized
More informationDigital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay
Digital Signatures Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay July 24, 2018 1 / 29 Group Theory Recap Groups Definition A set
More informationProbabilistically Checkable Arguments
Probabilistically Checkable Arguments Yael Tauman Kalai Microsoft Research yael@microsoft.com Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il Abstract We give a general reduction that converts
More informationCMSC 858K Introduction to Secure Computation October 18, Lecture 19
CMSC 858K Introduction to Secure Computation October 18, 2013 Lecturer: Jonathan Katz Lecture 19 Scribe(s): Alex J. Malozemoff 1 Zero Knowledge Variants and Results Recall that a proof-of-knowledge (PoK)
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationNon-Conversation-Based Zero Knowledge
Non-Conversation-Based Zero Knowledge JOËL ALWEN Università di Salerno 84084 Fisciano (SA) ITALY jfa237@nyu.edu GIUSEPPE PERSIANO Università di Salerno 84084 Fisciano (SA) ITALY giuper@dia.unisa.it Submission
More informationFast Signature Generation with a. Fiat Shamir { Like Scheme. Fachbereich Mathematik / Informatik. Abstract
Fast Signature Generation with a Fiat Shamir { Like Scheme H. Ong Deutsche Bank AG Stuttgarter Str. 16{24 D { 6236 Eschborn C.P. Schnorr Fachbereich Mathematik / Informatik Universitat Frankfurt Postfach
More informationFrom Secure MPC to Efficient Zero-Knowledge
From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time
More informationOn the Security of Classic Protocols for Unique Witness Relations
On the Security of Classic Protocols for Unique Witness Relations Yi Deng 1,2, Xuyang Song 1,2, Jingyue Yu 1,2, and Yu Chen 1,2 1 State Key Laboratory of Information Security, Institute of Information
More informationLecture 3,4: Universal Composability
6.897: Advanced Topics in Cryptography Feb 5, 2004 Lecture 3,4: Universal Composability Lecturer: Ran Canetti Scribed by: Yael Kalai and abhi shelat 1 Introduction Our goal in these two lectures is to
More informationOn the (In)security of the Fiat-Shamir Paradigm
On the (In)security of the Fiat-Shamir Paradigm Shafi Goldwasser Yael Tauman February 2, 2004 Abstract In 1986, Fiat and Shamir proposed a general method for transforming secure 3-round public-coin identification
More informationLecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More informationVI. The Fiat-Shamir Heuristic
VI. The Fiat-Shamir Heuristic - as already seen signatures can be used and are used in practice to design identification protocols - next we show how we can obtain signatures schemes from - protocols using
More informationAn Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle
An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel lindell@biu.ac.il September 6, 2015
More informationCryptographic Protocols Notes 2
ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:
More informationZero-Knowledge Proofs and Protocols
Seminar: Algorithms of IT Security and Cryptography Zero-Knowledge Proofs and Protocols Nikolay Vyahhi June 8, 2005 Abstract A proof is whatever convinces me. Shimon Even, 1978. Zero-knowledge proof is
More informationLecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from
Lecture 14 More on Digital Signatures and Variants COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Setting the Stage We will cover in more depth some issues for
More informationZero-knowledge proofs of knowledge for group homomorphisms
Des. Codes Cryptogr. (2015) 77:663 676 DOI 10.1007/s10623-015-0103-5 Zero-knowledge proofs of knowledge for group homomorphisms Ueli Maurer 1 Received: 13 October 2014 / Revised: 23 May 2015 / Accepted:
More informationSecure and Practical Identity-Based Encryption
Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.
More information18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018
18734: Foundations of Privacy Anonymous Cash Anupam Datta CMU Fall 2018 Today: Electronic Cash Goals Alice can ask for Bank to issue coins from her account. Alice can spend coins. Bank cannot track what
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationSimple SK-ID-KEM 1. 1 Introduction
1 Simple SK-ID-KEM 1 Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, NW4 4BT, United Kingdom. m.z.cheng@mdx.ac.uk Abstract. In 2001, Boneh and Franklin presented
More information3-Move Undeniable Signature Scheme
3-Move Undeniable Signature Scheme Kaoru Kurosawa 1 and Swee-Huay Heng 2 1 Ibaraki University, 4-12-1 Nakanarusawa, Hitachi, Ibaraki 316-8511, Japan kurosawa@cis.ibaraki.ac.jp 2 Multimedia University,
More informationOn The Security of The ElGamal Encryption Scheme and Damgård s Variant
On The Security of The ElGamal Encryption Scheme and Damgård s Variant J. Wu and D.R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada {j32wu,dstinson}@uwaterloo.ca
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationLimits of Security Reductions From Standard Assumptions
Limits of Security Reductions From Standard Assumptions Rafael Pass Cornell University rafael@cs.cornell.edu December 27, 2010 Abstract We show that the security of some well-known cryptographic protocols,
More informationPractical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits
Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud École normale supérieure CHES September, 15th 2015 (with Aurélie Bauer) Damien Vergnaud
More informationLecture 13: Seed-Dependent Key Derivation
Randomness in Cryptography April 11, 2013 Lecture 13: Seed-Dependent Key Derivation Lecturer: Yevgeniy Dodis Scribe: Eric Miles In today s lecture, we study seeded key-derivation functions (KDFs) in the
More informationZero Knowledge in the Random Oracle Model, Revisited
Zero Knowledge in the Random Oracle Model, Revisited Hoeteck Wee Queens College, CUNY hoeteck@cs.qc.cuny.edu Abstract. We revisit previous formulations of zero knowledge in the random oracle model due
More informationGeorge Danezis Microsoft Research, Cambridge, UK
George Danezis Microsoft Research, Cambridge, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationAn Epistemic Characterization of Zero Knowledge
An Epistemic Characterization of Zero Knowledge Joseph Y. Halpern, Rafael Pass, and Vasumathi Raman Computer Science Department Cornell University Ithaca, NY, 14853, U.S.A. e-mail: {halpern, rafael, vraman}@cs.cornell.edu
More informationA Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More information