From 5-pass MQ-based identification to MQ-based signatures
|
|
- Charlene Booth
- 5 years ago
- Views:
Transcription
1 From 5-pass MQ-based identification to MQ-based signatures Ming-Shing Chen 1,2, Andreas Hülsing 3, Joost Rijneveld 4, Simona Samardjiska 5, Peter Schwabe 4 National Taiwan University 1 / Academia Sinica 2, Taipei, Taiwan Technische Universiteit Eindhoven, The Netherlands 3 Radboud University, Nijmegen, The Netherlands 4 Ss. Cyril and Methodius University, Skopje, Republic of Macedonia DiS Lunch Talk / 15
2 Post-quantum signatures Problem: we want a post-quantum signature scheme Security arguments Acceptable speed and size Overview / 15
3 Post-quantum signatures Problem: we want a post-quantum signature scheme Security arguments Acceptable speed and size Solutions: Hash-based: SPHINCS, XMSS Slow or stateful Lattice-based: (Ring-)TESLA, BLISS, GLP Large keys, or additional structure MQ:? Unclear security: many broken (except HFEv-, UOV) Overview / 15
4 Overview MQDSS is a signature scheme Overview / 15
5 Overview MQDSS is a signature scheme obtained by applying a Fiat-Shamir transform Overview / 15
6 Overview MQDSS is a signature scheme obtained by applying a Fiat-Shamir transform to a 5-pass identification scheme Overview / 15
7 Overview MQDSS is a signature scheme obtained by applying a Fiat-Shamir transform to a 5-pass identification scheme which relies on hardness of the MQ problem. Overview / 15
8 Overview MQDSS is a signature scheme obtained by applying a Fiat-Shamir transform to a 5-pass identification scheme which relies on hardness of the MQ problem. MQDSS provides post-quantum secure signatures. Overview / 15
9 This work Transform 5-pass IDS to signature schemes Prove an earlier attempt [EDV+12] vacuous Propose MQDSS Instantiate as MQDSS Implement using AVX2 But also: Reduction in the ROM (not in QROM) No tight proof Overview / 15
10 Identification schemes P V com P 0 (sk) com ch ch R ChS(1 k ) resp P 1 (sk, com, ch) resp b Vf(pk, com, ch, resp) Identification schemes / 15
11 Identification schemes P V com P 0 (sk) com ch ch R ChS(1 k ) resp P 1 (sk, com, ch) resp b Vf(pk, com, ch, resp) Informally: 1. Prover commits to some (random) value 2. Verifier picks a challenge ch 3. Prover computes response resp 4. Verifier checks if response matches challenge Identification schemes / 15
12 Zero-knowledge Special Soundness: given pk, (com, ch, resp), (com, ch, resp ), find sk. Honest-Verifier Zero-Knowledge: simulator can fake transcripts. Identification schemes / 15
13 Zero-knowledge Special Soundness: given pk, (com, ch, resp), (com, ch, resp ), find sk. Shows knowledge of secret Prover can guess right : soundness error κ Honest-Verifier Zero-Knowledge: simulator can fake transcripts. Shows that transcripts do not leak the secret Identification schemes / 15
14 Zero-knowledge Special Soundness: given pk, (com, ch, resp), (com, ch, resp ), find sk. Shows knowledge of secret Prover can guess right : soundness error κ Honest-Verifier Zero-Knowledge: simulator can fake transcripts. Shows that transcripts do not leak the secret Passively secure IDS Identification schemes / 15
15 Fiat-Shamir transform Transform passive IDS into signature Non-interactive: Identification schemes / 15
16 Fiat-Shamir transform Transform passive IDS into signature Non-interactive: Signer is prover Function H provides challenges Transcript is signature Identification schemes / 15
17 Fiat-Shamir transform Transform passive IDS into signature Non-interactive: Signer is prover Function H provides challenges Transcript is signature Repeat, to compensate for error κ Identification schemes / 15
18 Fiat-Shamir transform Transform passive IDS into signature Non-interactive: Signer is prover Function H provides challenges Transcript is signature Repeat, to compensate for error κ Generalise to 5-pass (of certain form) Reduces knowledge error Identification schemes / 15
19 Fiat-Shamir transform Signing a message M (r rounds such that κ r < 1 2 k ): Verifying a signature σ: Identification schemes / 15
20 Fiat-Shamir transform Signing a message M (r rounds such that κ r < 1 2 k ): 1. Generate r commitments com i P 0 (sk) Verifying a signature σ: Identification schemes / 15
21 Fiat-Shamir transform Signing a message M (r rounds such that κ r < 1 2 k ): 1. Generate r commitments com i P 0 (sk) 2. Construct σ 0 = com 0... com r 1 Verifying a signature σ: Identification schemes / 15
22 Fiat-Shamir transform Signing a message M (r rounds such that κ r < 1 2 k ): 1. Generate r commitments com i P 0 (sk) 2. Construct σ 0 = com 0... com r 1 3. Generate challenges ch i H(σ 0 M) Verifying a signature σ: Identification schemes / 15
23 Fiat-Shamir transform Signing a message M (r rounds such that κ r < 1 2 k ): 1. Generate r commitments com i P 0 (sk) 2. Construct σ 0 = com 0... com r 1 3. Generate challenges ch i H(σ 0 M) 4. Compute resp i P 1 (sk, com i, ch i ) Verifying a signature σ: Identification schemes / 15
24 Fiat-Shamir transform Signing a message M (r rounds such that κ r < 1 2 k ): 1. Generate r commitments com i P 0 (sk) 2. Construct σ 0 = com 0... com r 1 3. Generate challenges ch i H(σ 0 M) 4. Compute resp i P 1 (sk, com i, ch i ) 5. Construct σ 1 = (resp 0,... resp r 1 ), σ = (σ 0, σ 1 ) Verifying a signature σ: Identification schemes / 15
25 Fiat-Shamir transform Signing a message M (r rounds such that κ r < 1 2 k ): 1. Generate r commitments com i P 0 (sk) 2. Construct σ 0 = com 0... com r 1 3. Generate challenges ch i H(σ 0 M) 4. Compute resp i P 1 (sk, com i, ch i ) 5. Construct σ 1 = (resp 0,... resp r 1 ), σ = (σ 0, σ 1 ) Verifying a signature σ: 1. Generate challenges ch i H(σ 0 M) Identification schemes / 15
26 Fiat-Shamir transform Signing a message M (r rounds such that κ r < 1 2 k ): 1. Generate r commitments com i P 0 (sk) 2. Construct σ 0 = com 0... com r 1 3. Generate challenges ch i H(σ 0 M) 4. Compute resp i P 1 (sk, com i, ch i ) 5. Construct σ 1 = (resp 0,... resp r 1 ), σ = (σ 0, σ 1 ) Verifying a signature σ: 1. Generate challenges ch i H(σ 0 M) 2. Verify that i, Vf(pk, com i, ch i, resp i ) Identification schemes / 15
27 MQ problem The function family MQ(n, m, F q ): { F(x) = (f 1 (x),..., f m (x)) f i,j a l,i,jx i x j + i b l,i, l(x) = for a l,i,j, b l,i F q l 1,..., m } MQ / 15
28 MQ problem The function family MQ(n, m, F q ): { F(x) = (f 1 (x),..., f m (x)) f i,j a l,i,jx i x j + i b l,i, l(x) = for a l,i,j, b l,i F q l 1,..., m Problem: For given y F m q, find x F n q such that F(x) = y. } MQ / 15
29 MQ problem The function family MQ(n, m, F q ): { F(x) = (f 1 (x),..., f m (x)) f i,j a l,i,jx i x j + i b l,i, l(x) = for a l,i,j, b l,i F q l 1,..., m Problem: For given y F m q, find x F n q such that F(x) = y. } i.e., solve the system of equations: f 0 (x) =a 0,0,0 x 0 x 0 + a 0,0,1 x 0 x a 0,n,n x n x n + b 0, b 0,n. f m (x) =a m,0,0 x 0 x 0 + a m,0,1 x 0 x a m,n,n x n x n + b m, b m,n MQ / 15
30 Sakumoto et al. 5-pass IDS [SSH11] Key technique: v = F(s) = F(r 0 ) + F(r 1 ) + G(r 0, r 1 ) P : (F, v, s) V : (F, v) r 0, t 0 R F n q, e 0 R F m q r 1 s r 0 c 0 Com(r 0, t 0, e 0 ) c 1 Com(r 1, G(t 0, r 1 ) + e 0 ) (c 0, c 1 ) α α R F q t 1 αr 0 t 0 e 1 αf(r 0 ) e 0 resp1 = (t 1, e 1 ) ch 2 ch 2 R {0, 1} If ch 2 = 0, resp 2 r 0 Else resp 2 r 1 resp 2 If ch 2 = 0, Parse resp 2 = r 0, check c 0? = Com(r0, αr 0 t 1, αf(r 0 ) e 1 ) Else Parse resp 2 = r 1, check c 1? = Com(r1, α(v F(r 1 )) G(t 1, r 1 ) e 1 ) Identification schemes / 15
31 MQDSS Generate keys Sample seeds {0, 1} k, sk F q Expand to F, compute pk = F(sk) MQDSS / 15
32 MQDSS Generate keys Sample seeds {0, 1} k, sk F q Expand to F, compute pk = F(sk) Signing Sign deterministic digest D over M MQDSS / 15
33 MQDSS Generate keys Sample seeds {0, 1} k, sk F q Expand to F, compute pk = F(sk) Signing Sign deterministic digest D over M Perform r rounds of transformed IDS 2r commitments 2r MQ evaluations Some multiplications in F q MQDSS / 15
34 MQDSS Generate keys Sample seeds {0, 1} k, sk F q Expand to F, compute pk = F(sk) Signing Sign deterministic digest D over M Perform r rounds of transformed IDS 2r commitments 2r MQ evaluations Some multiplications in F q Tricks to reduce size Only include necessary commits (hash others) [SSH11] Commit to seeds MQDSS / 15
35 MQDSS Generate keys Sample seeds {0, 1} k, sk F q Expand to F, compute pk = F(sk) Signing Sign deterministic digest D over M Perform r rounds of transformed IDS 2r commitments 2r MQ evaluations Some multiplications in F q Tricks to reduce size Only include necessary commits (hash others) [SSH11] Commit to seeds Verifying Reconstruct D, F MQDSS / 15
36 MQDSS Generate keys Sample seeds {0, 1} k, sk F q Expand to F, compute pk = F(sk) Signing Sign deterministic digest D over M Perform r rounds of transformed IDS 2r commitments 2r MQ evaluations Some multiplications in F q Tricks to reduce size Only include necessary commits (hash others) [SSH11] Commit to seeds Verifying Reconstruct D, F Reconstruct challenges from σ 0, σ 1 Verify responses in σ2 MQDSS / 15
37 MQDSS Generate keys Sample seeds {0, 1} k, sk F q Expand to F, compute pk = F(sk) Signing Sign deterministic digest D over M Perform r rounds of transformed IDS 2r commitments 2r MQ evaluations Some multiplications in F q Tricks to reduce size Only include necessary commits (hash others) [SSH11] Commit to seeds Verifying Reconstruct D, F Reconstruct challenges from σ 0, σ 1 Verify responses in σ2 Reconstruct missing commitments Check combined commitments hash MQDSS / 15
38 MQDSS Generate keys Sample seeds {0, 1} k, sk F q Expand to F, compute pk = F(sk) Signing Sign deterministic digest D over M Perform r rounds of transformed IDS 2r commitments 2r MQ evaluations Some multiplications in F q Tricks to reduce size Only include necessary commits (hash others) [SSH11] Commit to seeds Verifying Reconstruct D, F Reconstruct challenges from σ 0, σ 1 Verify responses in σ2 Reconstruct missing commitments Check combined commitments hash Parameters: k, n, m, F q, Com, hash functions, PRGs MQDSS / 15
39 MQDSS Security parameter k = 256 Soundness error κ depends on q κ = q+1 2q Determines number of rounds: r = 269, κ 269 < 1 2 F q = F 31, n = m = 64 Bounded by attacks Chosen for ease of implementation 256 MQDSS / 15
40 MQDSS Security parameter k = 256 Soundness error κ depends on q κ = q+1 2q Determines number of rounds: r = 269, κ 269 < 1 2 F q = F 31, n = m = 64 Bounded by attacks Chosen for ease of implementation Commitments, hashes, PRGs: SHA3-256, SHAKE MQDSS / 15
41 Evaluating MQ From F(x) to x is hard From x to F(x) should be easy MQ / 15
42 Evaluating MQ From F(x) to x is hard From x to F(x) should be fast x 0 x 1 x 2. x n x 0 x 1 x 2... x n MQ / 15
43 Evaluating MQ From F(x) to x is hard From x to F(x) should be fast x 0 x 1 x 2. x n x 0 x 1 x 2... x n MQ / 15
44 Evaluating MQ From F(x) to x is hard From x to F(x) should be fast??? x 0 x 1 x 2... x n MQ / 15
45 Evaluating MQ From F(x) to x is hard From x to F(x) should be fast??? x 0 x 1 x 2... x n MQ / 15
46 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F MQ / 15
47 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F MQ / 15
48 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: <<< A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F MQ / 15
49 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F MQ / 15
50 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: <<< A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F MQ / 15
51 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF MQ / 15
52 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: <<< A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F MQ / 15
53 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F CC DD EE FF MQ / 15
54 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: <<< A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F CC DD EE FF D0 E1 F2 C3 D4 E5 F6 C7 D8 E9 FA CB DC ED FE CF MQ / 15
55 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F CC DD EE FF D0 E1 F2 C3 D4 E5 F6 C7 D8 E9 FA CB DC ED FE CF C2 D3 - - MQ / 15
56 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F CC DD EE FF D0 E1 F2 C3 D4 E5 F6 C7 D8 E9 FA CB DC ED FE CF C2 D C6 D7 - - MQ / 15
57 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F CC DD EE FF D0 E1 F2 C3 D4 E5 F6 C7 D8 E9 FA CB DC ED FE CF C2 D C6 D A 1B - - 4A 5B - - 8A 9B - - CA DB - - MQ / 15
58 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F CC DD EE FF D0 E1 F2 C3 D4 E5 F6 C7 D8 E9 FA CB DC ED FE CF C2 D C6 D A 1B - - 4A 5B - - 8A 9B - - CA DB - - 0E 1F - - 4E 5F - - 8E 9F - - CE DF - - MQ / 15
59 Benchmarks & conclusion Signatures: ~40 KB ( SPHINCS) Public and private keys: 72 resp. 64 bytes Signing time: ~8.5M cycles (2.43ms) Verification 5.2M, key generation 1.8M ~6x faster than SPHINCS, >10x slower than lattices Conclusions / 15
60 Benchmarks & conclusion Signatures: ~40 KB ( SPHINCS) Public and private keys: 72 resp. 64 bytes Signing time: ~8.5M cycles (2.43ms) Verification 5.2M, key generation 1.8M ~6x faster than SPHINCS, >10x slower than lattices Competitive signatures with (non-tight) reduction to MQ Conclusions / 15
61 References Koichi Sakumoto, Taizo Shirai, and Harunaga Hiwatari. Public-key identification schemes based on multivariate quadratic polynomials. In Phillip Rogaway, editor, Advances in Cryptology CRYPTO 2011, volume 6841 of LNCS, pages Springer, Sidi Mohamed El Yousfi Alaoui, Özgür Dagdelen, Pascal Véron, David Galindo, and Pierre-Louis Cayrel. Extended security arguments for signature schemes. In Aikaterini Mitrokotsa and Serge Vaudenay, editors, Progress in Cryptology AFRICACRYPT 2012, volume 7374 of LNCS, pages Springer, References / 15
From 5-pass MQ-based identification to MQ-based signatures
From 5-pass MQ-based identification to MQ-based signatures Ming-Shing Chen 1,2, Andreas Hülsing 3, Joost Rijneveld 4, Simona Samardjiska 5, Peter Schwabe 4 National Taiwan University 1 / Academia Sinica
More informationMQDSS signatures: construction
MQDSS signatures: construction Ming-Shing Chen 1,2, Andreas Hülsing 3, Joost Rijneveld 4, Simona Samardjiska 5, Peter Schwabe 4 National Taiwan University 1 / Academia Sinica 2, Taipei, Taiwan Eindhoven
More informationFrom 5-pass MQ-based identification to MQ-based signatures
From 5-pass MQ-based identification to MQ-based signatures Andreas Hülsing, Joost Rijneveld, Simona Samardjiska, and Peter Schwabe 30 June 2016 1 / 31 Our take on PQ-Crypto Prepare for actual use Reliable
More informationSOFIA: MQ-based signatures in the QROM
SOFIA: MQ-based signatures in the QROM Ming-Shing Chen 1, Andreas Hülsing 2, Joost Rijneveld 3, Simona Samardjiska 3,4, and Peter Schwabe 3 1 National Taiwan University / Academia Sinica, Taipei, Taiwan
More informationPublic-Key Identification Schemes based on Multivariate Quadratic Polynomials
Public-Key Identification Schemes based on Multivariate Quadratic Polynomials Koichi Sakumoto, Taizo Shirai, Harunaga Hiwatari from Tokyo, Japan Sony Corporation @CRYPTO2011 Motivation Finding a new alternative
More informationMitigating Multi-Target-Attacks in Hash-based Signatures. Andreas Hülsing joint work with Joost Rijneveld, Fang Song
Mitigating Multi-Target-Attacks in Hash-based Signatures Andreas Hülsing joint work with Joost Rijneveld, Fang Song A brief motivation Trapdoor- / Identification Scheme-based (PQ-)Signatures Lattice, MQ,
More informationA Second Look at s Transforma3on
A Second Look at s Transforma3on - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Özgür Dagdelen Technische Universität Darmstadt Daniele Venturi Sapienza University
More informationAn update on Hash-based Signatures. Andreas Hülsing
An update on Hash-based Signatures Andreas Hülsing Trapdoor- / Identification Scheme-based (PQ-)Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters 9-9-2015 PAGE 2... 1
More informationA Lattice-Based Threshold Ring Signature Scheme (TRSS-L)
A Lattice-Based Threshold Ring Signature Scheme (TRSS-L) Pierre-Louis Cayrel 1 Richard Lindner 2 Markus Rückert 2 Rosemberg Silva 3 1 Center for Advanced Security Research Darmstadt (CASED) 2 Technische
More informationZero-Knowledge for Multivariate Polynomials
Zero-Knowledge for Multivariate Polynomials Valérie Nachef, Jacques Patarin 2, Emmanuel Volte Department of Mathematics, University of Cergy-Pontoise, CNRS UMR 888 2 avenue Adolphe Chauvin, 95 Cergy-Pontoise
More informationA Practical Multivariate Blind Signature Scheme
A Practical Multivariate Blind Signature Scheme Albrecht Petzoldt 1, Alan Szepieniec 2, Mohamed Saied Emam Mohamed 3 albrecht.petzoldt@nist.gov, alan.szepieniec@esat.kuleuven.be, mohamed@cdc.informatik.tu-darmstadt.de
More informationA new zero-knowledge code based identification scheme with reduced communication
A new zero-knowledge code based identification scheme with reduced communication Carlos Aguilar, Philippe Gaborit, Julien Schrek Université de Limoges, France. {carlos.aguilar,philippe.gaborit,julien.schrek}@xlim.fr
More informationPublic-Key Identification Schemes Based on Multivariate Quadratic Polynomials
Public-Key Identification Schemes Based on Multivariate Quadratic Polynomials Koichi Sakumoto, Taizo Shirai, and Harunaga Hiwatari Sony Corporation 5-1-12 Kitashinagawa Shinagawa-ku, Tokyo 141-0001, Japan
More informationMing-Shing Chen Andreas Hülsing Joost Rijneveld Simona Samardjiska Peter Schwabe. MQDSS specifications
Ming-Shing Chen Andreas Hülsing Joost Rijneveld Simona Samardjiska Peter Schwabe MQDSS specifications Version 1.0 November 2017 Introduction TODO: This document specifies Contents Part I Backbone Results
More informationCRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018
CRYSTALS Kyber and Dilithium Peter Schwabe peter@cryptojedi.org https://cryptojedi.org February 7, 2018 Crypto today 5 building blocks for a secure channel Symmetric crypto Block or stream cipher (e.g.,
More informationPublic-Key Identification Schemes Based on Multivariate Quadratic Polynomials
Public-Key Identification Schemes Based on Multivariate Quadratic Polynomials Koichi Sakumoto, Taizo Shirai, and Harunaga Hiwatari Sony Corporation 5-1-12 Kitashinagawa Shinagawa-ku, Tokyo 141-0001, Japan
More informationPicnic Post-Quantum Signatures from Zero Knowledge Proofs
Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM DAVID DERLER STEVEN GOLDFEDER JONATHAN KATZ VLAD KOLESNIKOV CLAUDIO ORLANDI SEBASTIAN RAMACHER CHRISTIAN RECHBERGER
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationThe Advanced Encryption Standard
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 48 The Advanced Encryption Standard Successor of DES DES considered insecure; 3DES considered too slow. NIST competition in 1997 15
More informationCode-based identification and signature schemes in software
Author manuscript, published in "MoCrySEn 2013, Germany (2013)" Code-based identification and signature schemes in software Sidi Mohamed El Yousfi Alaoui 1, Pierre-Louis Cayrel 2, Rachid El Bansarkhani
More informationMultivariate Quadratic Public-Key Cryptography Part 1: Basics
Multivariate Quadratic Public-Key Cryptography Part 1: Basics Bo-Yin Yang Academia Sinica PQCrypto Executive Summer School 2017 Eindhoven, the Netherlands Friday, 23.06.2017 B.-Y. Yang (Academia Sinica)
More informationAnalysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh
Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh Bruno Produit Institute of Computer Science University of Tartu produit@ut.ee December 19, 2017 Abstract This document is an analysis
More informationAURORA: A Cryptographic Hash Algorithm Family
AURORA: A Cryptographic Hash Algorithm Family Submitters: Sony Corporation 1 and Nagoya University 2 Algorithm Designers: Tetsu Iwata 2, Kyoji Shibutani 1, Taizo Shirai 1, Shiho Moriai 1, Toru Akishita
More informationHash-based Signatures
Hash-based Signatures Andreas Hülsing Summer School on Post-Quantum Cryptography June 2017, TU Eindhoven Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationOn the Complexity of the Hybrid Approach on HFEv-
On the Complexity of the Hybrid Approach on HFEv- Albrecht Petzoldt National Institute of Standards and Technology, Gaithersburg, Maryland, USA albrecht.petzoldt@gmail.com Abstract. The HFEv- signature
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES
CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.
More informationThe Shortest Signatures Ever
The Shortest Signatures Ever Mohamed Saied Emam Mohamed 1, Albrecht Petzoldt 2 1 Technische Universität Darmstadt, Germany 2 Kyushu University, Fukuoka, Japan mohamed@cdc.informatik.tu-darmstadt.de, petzoldt@imi.kyushu-u.ac.jp
More informationFPGA-BASED ACCELERATOR FOR POST-QUANTUM SIGNATURE SCHEME SPHINCS-256
IMES FPGA-BASED ACCELERATOR FOR POST-QUANTUM SIGNATURE SCHEME SPHINCS-256 Dorian Amiet 1, Andreas Curiger 2 and Paul Zbinden 1 1 HSR Hochschule für Technik, Rapperswil, Switzerland 2 Securosys SA, Zürich,
More informationHash-based Signatures. Andreas Hülsing
Hash-based Signatures Andreas Hülsing Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters 23-2-2016 PAGE 2... 1 3 1 4 2 3 2 2 3 2 3 4 1 2 1 2 1 1 y x x x x
More informationPost-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives
Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives Melissa Chase Microsoft Research melissac@microsoft.com Claudio Orlandi Aarhus University orlandi@cs.au.dk David Derler Graz University
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More informationAn Identification Scheme Based on KEA1 Assumption
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationHomework 3 Solutions
5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin
More informationIntroduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes
Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 03 13 More
More informationMessage Authentication Codes (MACs)
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.
More informationImproved Parameters for the Ring-TESLA Digital Signature Scheme
Improved Parameters for the Ring-TESLA Digital Signature Scheme Arjun Chopra Abstract Akleylek et al. have proposed Ring-TESLA, a practical and efficient digital signature scheme based on the Ring Learning
More informationSPHINCS: practical stateless hash-based signatures
SPHINCS: practical stateless hash-based signatures D. J. Bernstein, D. Hopwood, A. Hülsing, T. Lange, R. Niederhagen, L. Papachristodoulou, P. Schwabe, and Z. Wilcox O'Hearn Digital Signatures are Important!
More informationMTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R
More informationSecret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:
Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design: Secret Key Systems Encrypting a small block of text (say 64 bits) General considerations
More informationQuantum Attacks on Classical Proof Systems
Quantum Attacks on Classical Proof Systems The Hardness of Quantum Rewinding University of Tartu With Andris Ambainis, Ansis Rosmanis QCrypt 2014 Classical Crypto (Quick intro.) Quantum Attacks on Classical
More informationCommunication-Efficient Non-Interactive Proofs of Knowledge with Online Extractors
Communication-Efficient Non-Interactive Proofs of Knowledge with Online Extractors Marc Fischlin Institute for Theoretical Computer Science, ETH Zürich, Switzerland marc.fischlin @ inf.ethz.ch http://www.fischlin.de/
More informationConstructing Provably-Secure Identity-Based Signature Schemes
Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of Science, Bangalore November 23, 2013 Overview Table of contents Background Formal Definitions Schnorr Signature
More informationThe Fiat Shamir Transformation in a Quantum World
The Fiat Shamir Transformation in a Quantum World Özgür Dagdelen Marc Fischlin Tommaso Gagliardoni Technische Universität Darmstadt, Germany www.cryptoplexity.de oezguer.dagdelen @ cased.de marc.fischlin
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationQuantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security
Quantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security Flight plan What s a quantum computer? How broken are your public keys? AES vs. quantum search Hidden quantum powers Defeating quantum computing
More informationBorromean Ring Signatures
Borromean Ring Signatures Gregory Maxwell, Andrew Poelstra 2015-06-02 (commit 34241bb) Abstract In 2002, Abe, Ohkubo, and Suzuki developed a new type of ring signature based on the discrete logarithm problem,
More informationDifferential Fault Attacks on Deterministic Lattice Signatures
S C I E N C E P A S S I O N T E C H N O L O G Y Differential Fault Attacks on Deterministic Lattice Signatures Leon Groot Bruinderink 1, Peter Pessl 2 1 Technische Universiteit Eindhoven, 2 Graz University
More informationRandom Oracles in a Quantum World
Dan Boneh 1 Özgür Dagdelen 2 Marc Fischlin 2 Anja Lehmann 3 Christian Schaffner 4 Mark Zhandry 1 1 Stanford University, USA 2 CASED & Darmstadt University of Technology, Germany 3 IBM Research Zurich,
More informationMarch 19: Zero-Knowledge (cont.) and Signatures
March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o
More informationCMSC 858K Introduction to Secure Computation October 18, Lecture 19
CMSC 858K Introduction to Secure Computation October 18, 2013 Lecturer: Jonathan Katz Lecture 19 Scribe(s): Alex J. Malozemoff 1 Zero Knowledge Variants and Results Recall that a proof-of-knowledge (PoK)
More informationFrom Secure MPC to Efficient Zero-Knowledge
From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time
More informationCryptographic Protocols Notes 2
ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:
More informationSome ZK security proofs for Belenios
Some ZK security proofs for Belenios Pierrick Gaudry CNRS, INRIA, Université de Lorraine January 30, 2017 The purpose of this document is to justify the use of ZK proofs in Belenios. Most of them are exactly
More informationEfficient Public-Key Distance Bounding
Efficient Public-Key Distance Bounding HNDN KILINÇ ND SERGE VUDENY 1 1. Introduction of Distance Bounding 2. Formal Definitions for Security and Privacy 3. Weak uthenticated Key greement 4. Our Protocols:
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Asymmetric Crypto ECC RSA DSA Symmetric Crypto AES SHA2 SHA1... Combination of both
More informationMasking the GLP Lattice-Based Signature Scheme at Any Order
Masking the GLP Lattice-Based Signature Scheme at Any Order Sonia Belaïd Joint Work with Gilles Barthe, Thomas Espitau, Pierre-Alain Fouque, Benjamin Grégoire, Mélissa Rossi, and Mehdi Tibouchi 1 / 31
More informationA Post-Quantum Digital Signature Scheme based on Supersingular Isogenies
Post-Quantum Digital Signature Scheme based on Supersingular Isogenies by Youngho Yoo thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial
More informationTESLA: Tightly-Secure Efficient Signatures from Standard Lattices.
TESLA: Tightly-Secure Efficient Signatures from Standard Lattices. Erdem Alkim Nina Bindel Johannes Buchmann Özgür Dagdelen Peter Schwabe Date: 2016-10-05 Abstract Generally, lattice-based cryptographic
More informationIntroduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES
CSC/ECE 574 Computer and Network Security Topic 3.1 Secret Key Cryptography Algorithms CSC/ECE 574 Dr. Peng Ning 1 Outline Introductory Remarks Feistel Cipher DES AES CSC/ECE 574 Dr. Peng Ning 2 Introduction
More informationSchnorr Signature. Schnorr Signature. October 31, 2012
. October 31, 2012 Table of contents Salient Features Preliminaries Security Proofs Random Oracle Heuristic PKS and its Security Models Hardness Assumption The Construction Oracle Replay Attack Security
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationOn The (In)security Of Fischlin s Paradigm
On The (In)security Of Fischlin s Paradigm Prabhanjan Ananth 1, Raghav Bhaskar 1, Vipul Goyal 1, and Vanishree Rao 2 1 Microsoft Research India prabhanjan.va@gmail.com,{rbhaskar,vipul}@microsoft.com 2
More informationA Prover-Anonymous and Terrorist-Fraud Resistant Distance-Bounding Protocol
A Prover-Anonymous and Terrorist-Fraud Resistant Distance-Bounding Protocol Xavier Bultel 1 Sébastien Gambs 2 David Gerault 1 Pascal Lafourcade 1 Cristina Onete 3 Jean-Marc Robert 4 1 University Clermont
More informationMasking the GLP Lattice-Based Signature Scheme at any Order
Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belaïd (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain Fouque (Univ. Rennes I and IUF) Benjamin
More informationHash-based signatures & Hash-and-sign without collision-resistance
Hash-based signatures & Hash-and-sign without collision-resistance Andreas Hülsing 22.12.2016 Hash-based Signature Schemes [Mer89] Post quantum Only secure hash function Security well understood Fast 22-12-2016
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationTighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More informationFault Attacks Against Lattice-Based Signatures
Fault Attacks Against Lattice-Based Signatures T. Espitau P-A. Fouque B. Gérard M. Tibouchi Lip6, Sorbonne Universités, Paris August 12, 2016 SAC 16 1 Towards postquantum cryptography Quantum computers
More informationImproved S-Box Construction from Binomial Power Functions
Malaysian Journal of Mathematical Sciences 9(S) June: 21-35 (2015) Special Issue: The 4 th International Cryptology and Information Security Conference 2014 (Cryptology 2014) MALAYSIAN JOURNAL OF MATHEMATICAL
More informationFast Signature Generation with a. Fiat Shamir { Like Scheme. Fachbereich Mathematik / Informatik. Abstract
Fast Signature Generation with a Fiat Shamir { Like Scheme H. Ong Deutsche Bank AG Stuttgarter Str. 16{24 D { 6236 Eschborn C.P. Schnorr Fachbereich Mathematik / Informatik Universitat Frankfurt Postfach
More informationIdentity-Based Identification Schemes
Identity-Based Identification Schemes Guomin Yang Centre for Computer and Information Security Research School of Computing and Information Technology University of Wollongong G. Yang (CCISR, SCIT, UOW)
More informationA Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems
A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems Jean-Charles Faugère, Danilo Gligoroski, Ludovic Perret, Simona Samardjiska, Enrico Thomae PKC 2015, March 30 - April 1, Maryland, USA 2 Summary
More informationZero-knowledge Identification based on Lattices with Low Communication Costs
Zero-knowledge Identification based on Lattices with Low Communication Costs Rosemberg Silva 1, Pierre-Louis Cayrel 2, Richard Lindner 3 1 State University of Campinas (UNICAMP) Institute of Computing
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationFast Lattice-Based Encryption: Stretching SPRING
Fast Lattice-Based Encryption: Stretching SPRING Charles Bouillaguet 1 Claire Delaplace 1,2 Pierre-Alain Fouque 2 Paul Kirchner 3 1 CFHP team, CRIStAL, Université de Lille, France 2 EMSEC team, IRISA,
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationPAPER An Identification Scheme with Tight Reduction
IEICE TRANS. FUNDAMENTALS, VOL.Exx A, NO.xx XXXX 200x PAPER An Identification Scheme with Tight Reduction Seiko ARITA, Member and Natsumi KAWASHIMA, Nonmember SUMMARY There are three well-known identification
More informationNon-Interactive Zero-Knowledge from Homomorphic Encryption. Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU)
Non-Interactive Zero-Knowledge from Homomorphic Encryption Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU) January 27th, 2006 NYU Crypto Reading Group Zero-Knowledge and Interaction
More informationCryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95
Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95 Jean-Sébastien Coron and David Naccache Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France {jean-sebastien.coron,
More informationTightly-Secure Signatures From Lossy Identification Schemes
Tightly-Secure Signatures From Lossy Identification Schemes Michel Abdalla, Pierre-Alain Fouque, Vadim Lyubashevsky, and Mehdi Tibouchi 2 École normale supérieure {michel.abdalla,pierre-alain.fouque,vadim.lyubashevsky}@ens.fr
More informationImproved Cryptanalysis of HFEv- via Projection
Improved Cryptanalysis of HFEv- via Projection Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel Smith-Tone PQ Crypto 2018 Fort Lauderdale, Florida 04/10/2018 A. Petzoldt Cryptanalysis of HFEv- via Projection
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationFrom Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes
From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer
More informationGQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks
GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks [Mihir Bellare, Adriana Palacio] Iliopoulos Fotis School of Electrical and Computer Engineering
More informationOn the (In)security of the Fiat-Shamir Paradigm
On the (In)security of the Fiat-Shamir Paradigm Shafi Goldwasser Yael Tauman February 2, 2004 Abstract In 1986, Fiat and Shamir proposed a general method for transforming secure 3-round public-coin identification
More informationPerfectly-Crafted Swiss Army Knives in Theory
Perfectly-Crafted Swiss Army Knives in Theory Workshop Hash Functions in Cryptology * supported by Emmy Noether Program German Research Foundation (DFG) Hash Functions as a Universal Tool collision resistance
More informationMcBits: fast constant-time code-based cryptography. (to appear at CHES 2013)
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationCRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme
CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme Léo Ducas 1, Eike Kiltz 2, Tancrède Lepoint 3, Vadim Lyubashevsky 4, Peter Schwabe 5, Gregor Seiler 6 and Damien Stehlé 7 1 CWI, Netherlands
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationBoneh-Franklin Identity Based Encryption Revisited
Boneh-Franklin Identity Based Encryption Revisited David Galindo Institute for Computing and Information Sciences Radboud University Nijmegen P.O.Box 9010 6500 GL, Nijmegen, The Netherlands. d.galindo@cs.ru.nl
More informationEntity Authentication
Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The
More informationLecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from
Lecture 14 More on Digital Signatures and Variants COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Setting the Stage We will cover in more depth some issues for
More informationCode-based cryptography
Code-based graphy Laboratoire Hubert Curien, UMR CNRS 5516, Bâtiment F 18 rue du professeur Benoît Lauras 42000 Saint-Etienne France pierre.louis.cayrel@univ-st-etienne.fr 16 Novembre 2011 Pierre-Louis
More informationOil-Vinegar signature cryptosystems
Oil-Vinegar signature cryptosystems Jintai Ding University of Cincinnati Workshop on multivariate public key cryptosystems, 2006 Taiwan Information Security Center The National Taiwan University of Science
More information