Cryptanalyses of candidate branching program obfuscators
Yilei Chen, Craig Gentry, Shai Halevi (2017)
1 Cryptanalyses of candidate branching program obfuscators. Yilei Chen, Craig Gentry, Shai Halevi, 2017
2 1976, Diffie, Hellman: "We stand today on the brink of a revolution in cryptography."
3 2013, Garg, Gentry, Halevi, Raykova, Sahai, Waters: We didn't say "we stand today on the brink of another revolution in cryptography", but it is happening.
4 iO
5 iO => fancy applications, new ways of thinking in cryptography: OWF, TDP, full-domain hash, NIKE, traitor tracing, FE, adaptive FE, multi-input FE, MPC, adaptive MPC, communication-efficient MPC, better MPC, deniable encryption, garbled Turing machine, succinct RE, garbled RAM, succinct garbled RAM, polynomially-many hardcore bits for any OWF, ZAPs and NIWI, constant-round zero-knowledge proofs, traitor tracing, PPAD hardness, watermarking, fully-homomorphic encryption, self-bilinear maps, multilinear maps, correlation intractability, Fiat-Shamir, UCE, counterexamples for UCE, adaptive succinct garbled RAM, time-lock puzzles, iO combiner
6 ??????? => iO candidates
7 Candidate multilinear maps => iO candidates
8 How much do we know about multilinear maps, and the iO candidates based on them?
9 Multilinear maps in cryptography: 2003 Boneh, Silverberg: motives; 2013 Garg, Gentry, Halevi: first candidate; 2013 Coron, Lepoint, Tibouchi: second candidate; 2015 Gentry, Gorbunov, Halevi: third candidate
10-12 Status of candidate multilinear maps GGH13, CLT13, GGH15: even the "one-wayness" of these schemes is not understood.
Benchmarks: key exchange (needs public sampling) and indistinguishability obfuscation, iO [GGHRSW13] (does not need public sampling).
         Key exchange              iO [GGHRSW13]
  GGH13  Broken [Hu, Jia 16]       Broken for simpler variants [Miles et al 16]
  CLT13  Broken [Cheon et al 15]   Broken for some programs [Coron et al 15]
  GGH15  Broken [Coron et al 16]   ?
13-14 In this work we show new attacks:
         Key exchange              iO [GGHRSW13]
  GGH13  Broken [Hu, Jia 16]       New attack [CGH17]
  CLT13  Broken [Cheon et al 15]   Broken for some programs [Coron et al 15]
  GGH15  Broken [Coron et al 16]   New attack [CGH17]
Feature of the new attacks: zeroizing attack [Cheon et al 15] + exploiting the weakness inside the obfuscation.
15 Plan for the rest of the talk: review GGHRSW13 obfuscation; analyze GGHRSW + GGH15; analyze GGHRSW + GGH13 (very briefly).
16-21 Candidate iO from [Garg-Gentry-Halevi-Raykova-Sahai-Waters 13]
(0) Representation of the plaintext program: oblivious branching program
(1) Safeguard 1: Kilian randomization [Kilian 88]
(2) Safeguard 2: bundling scalars (against the mixed-input attack)
(3) Safeguard 3
(4) Wrap (0-3) by multilinear maps (GGH13, CLT13, or GGH15)
The safeguards aim at randomizing the plaintext program and preventing illegal operations; the mmaps are the source of computational hardness.
(0) The branching program has a functional branch of matrices B_{i,b} (step i, bit value b) and a dummy branch of matrices B'_{i,b}. The slide shows four steps: row b=1 holds B_{1,1}, B_{2,1}, B_{3,1}, B_{4,1}, row b=0 holds B_{1,0}, B_{2,0}, B_{3,0}, B_{4,0}, and the dummy branch has the same layout with primed matrices. Evaluate: is the product of the B matrices selected by the input bits equal to I? Dummy branch: all B'_{u,v} = I.
(1) Kilian randomization with random matrices K_i (functional branch) and K'_i (dummy branch): the rows become B_{1,b} K_1, K_1^{-1} B_{2,b} K_2, K_2^{-1} B_{3,b} K_3, K_3^{-1} B_{4,b} for b in {0,1}, and likewise B'_{1,b} K'_1, K'_1^{-1} B'_{2,b} K'_2, K'_2^{-1} B'_{3,b} K'_3, K'_3^{-1} B'_{4,b} on the dummy branch.
(2) Bundling scalars: every matrix is multiplied by a scalar, a_{1,b} B_{1,b} K_1, a_{2,b} K_1^{-1} B_{2,b} K_2, a_{3,b} K_2^{-1} B_{3,b} K_3, a_{4,b} K_3^{-1} B_{4,b} (and a'_{i,b} on the dummy branch), with the products over the steps that read the same input bit constrained to agree: a_{1,1} a_{3,1} = a_{1,0} a_{3,0} = a'_{1,1} a'_{3,1} = a'_{1,0} a'_{3,0} and a_{2,1} a_{4,1} = a_{2,0} a_{4,0} = a'_{2,1} a'_{4,1} = a'_{2,0} a'_{4,0}.
22 Spoiler: the scalar is the Achilles heel exploited in our attack.
24-25 Candidate iO from [Garg-Gentry-Halevi-Raykova-Sahai-Waters 13], continued
(3) Safeguard 3: random diagonal entries and bookends. With bookend matrices J (left) and L (right), the rows become a_{1,b} J B_{1,b} K_1, a_{2,b} K_1^{-1} B_{2,b} K_2, a_{3,b} K_2^{-1} B_{3,b} K_3, a_{4,b} K_3^{-1} B_{4,b} L, and likewise with primed quantities on the dummy branch.
26 Zoom in: random diagonal entries and bookends. Each B_{i,b} is padded with random diagonal entries v_{i,b} before the Kilian matrices are applied: S_{i,b} = a_{i,b} K_{i-1}^{-1} diag(v_{i,b}, B_{i,b}) K_i, with the first step S_{1,b} = a_{1,b} J diag(v_{1,b}, B_{1,b}) K_1 and the last step S_{h,b} = a_{h,b} K_{h-1}^{-1} diag(v_{h,b}, B_{h,b}) L; the bookends J and L involve vectors U and V. (Diagram on the slide: S_{1,1}, S_{2,1}, ..., S_{h,1} on the b=1 row, S_{1,0}, S_{2,0}, ..., S_{h,0} on the b=0 row, under input positions i_1, i_2, ..., i_h.)
27 Spoiler: the random diagonal entries were thought to be what stops the previous attack on GGH13-based candidates.
28-29 Candidate iO from [Garg-Gentry-Halevi-Raykova-Sahai-Waters 13]: (0) oblivious branching program; (1) Kilian randomization; (2) bundling scalars; (3) random diagonal entries and bookends; (4) wrap (0-3) by multilinear maps (GGH13, CLT13, or GGH15).
More candidates for branching programs: [Canetti-Vaikuntanathan about B.C. 6-5], [Barak-Garg-Kalai-Paneth-Sahai 14], [Brakerski-Rothblum 14], [Pass-Seth-Telang 14], [Gentry-Lewko-Sahai-Waters 15], [Badrinarayanan-Miles-Sahai-Zhandry 16], [Garg-Miles-Mukherjee-Sahai-Srinivasan-Zhandry 16].
Other candidates in the circuit model, bootstrapped from FE, or hybrid: [Zimmerman 15], [Applebaum-Brakerski 15], [Ananth-Jain 15], [Bitansky-Vaikuntanathan 15], [Lin 16], [Lin-Vaikuntanathan 16], etc.
Candidates for BPs require degree of multilinearity = length of the BP (polynomial). The smallest known multilinearity that implies iO is 5 (assuming some PRG with locality 5).
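Safeguards 1 and 2 of the GGHRSW13 candidate in a toy model, as an added example that is not code from the talk or its authors. It assumes a constructed 4-step program over 3x3 permutation matrices in which steps 1 and 3 read input bit 0 and steps 2 and 4 read bit 1 (the same pairing as the a_{1,b}a_{3,b} / a_{2,b}a_{4,b} constraints above), a toy prime modulus in place of the mmap plaintext ring, and no multilinear-map layer and no safeguard 3; the names `bundling_scalars`, `obfuscate`, `evaluate` and `demo` are hypothetical. It shows two things: the Kilian matrices telescope away on any step-by-step product, so honest evaluation still compares the functional branch against the dummy branch correctly; and a mixed-input evaluation (b=1 at step 1 but b=0 at step 3, both of which read bit 0) whose matrices happen to multiply to the identity passes the zero test when the scalars are omitted, but fails once the bundling scalars are in place, which is exactly what safeguard 2 is for.

```python
"""Toy model of safeguards 1 and 2 of GGHRSW13 (Kilian randomization and bundling
scalars), with no multilinear-map layer and no safeguard 3.  Added example, not code
from the talk or its authors; program, modulus and step-to-bit map are constructed."""
import random

P = 2**31 - 1  # constructed toy prime modulus standing in for the mmap plaintext ring

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def mat_mul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % P for j in range(n)]
            for i in range(n)]

def mat_inv(A):
    """Gauss-Jordan inverse mod P; returns None if A is singular."""
    n = len(A)
    M = [list(A[i]) + identity(n)[i] for i in range(n)]
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c]), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], P - 2, P)
        M[c] = [v * inv % P for v in M[c]]
        for r in range(n):
            if r != c and M[r][c]:
                f = M[r][c]
                M[r] = [(M[r][j] - f * M[c][j]) % P for j in range(2 * n)]
    return [row[n:] for row in M]

def random_invertible(n, rng):
    while True:
        K = [[rng.randrange(P) for _ in range(n)] for _ in range(n)]
        if mat_inv(K) is not None:
            return K

def scale(A, a):
    return [[v * a % P for v in row] for row in A]

def bundling_scalars(inp, rng):
    """a[branch][i][b]: for each input bit j, the product of the scalars over the steps
    that read bit j is one common value alpha_j for both branches and both b, so honest
    evaluations agree on the total scalar while mixed choices of b within a bit do not."""
    h = len(inp)
    a = [[[1, 1] for _ in range(h)] for _ in range(2)]
    for j in set(inp):
        steps = [i for i in range(h) if inp[i] == j]
        alpha = rng.randrange(1, P)
        for branch in range(2):
            for b in range(2):
                prod = 1
                for i in steps[:-1]:
                    a[branch][i][b] = rng.randrange(1, P)
                    prod = prod * a[branch][i][b] % P
                a[branch][steps[-1]][b] = alpha * pow(prod, P - 2, P) % P  # fix product
    return a

def obfuscate(bp, inp, use_scalars, rng):
    """bp[i][b]: functional-branch matrices; the dummy branch is all identities.
    Step i becomes a_{i,b} K_{i-1}^{-1} B_{i,b} K_i with K_0 = K_h = I (toy: no bookends)."""
    h, n = len(bp), len(bp[0][0])
    dummy = [[identity(n), identity(n)] for _ in range(h)]
    a = bundling_scalars(inp, rng) if use_scalars else [[[1, 1]] * h] * 2
    obf = []
    for branch, mats in enumerate((bp, dummy)):
        K = [identity(n)] + [random_invertible(n, rng) for _ in range(h - 1)] + [identity(n)]
        Kinv = [mat_inv(k) for k in K]
        obf.append([[scale(mat_mul(mat_mul(Kinv[i], mats[i][b]), K[i + 1]), a[branch][i][b])
                     for b in range(2)] for i in range(h)])
    return obf

def evaluate(obf, choices):
    """Multiply the chosen matrix of every step on both branches; 'zero' = they agree."""
    prods = []
    for branch in obf:
        M = identity(len(branch[0][0]))
        for i, b in enumerate(choices):
            M = mat_mul(M, branch[i][b])
        prods.append(M)
    return prods[0] == prods[1]

def honest_choices(inp, x):
    return [x[j] for j in inp]

# Constructed 4-step program: steps 1 and 3 read bit 0, steps 2 and 4 read bit 1.
# Every honest input multiplies to SWAP (the program never outputs zero), but the
# mixed choice (b=1 at step 1, b=0 at step 3) multiplies to the identity.
SWAP = [[0, 1, 0], [1, 0, 0], [0, 0, 1]]
I3 = identity(3)
INP = [0, 1, 0, 1]
BP = [[SWAP, I3], [I3, I3], [I3, SWAP], [I3, I3]]

def demo(use_scalars, seed=7):
    rng = random.Random(seed)
    obf = obfuscate(BP, INP, use_scalars, rng)
    honest = [evaluate(obf, honest_choices(INP, x)) for x in ([0, 0], [0, 1], [1, 0], [1, 1])]
    mixed = evaluate(obf, [1, 0, 0, 0])  # not consistent with any single input
    return honest, mixed

if __name__ == "__main__":
    print("with scalars    (honest, mixed):", demo(True))   # ([False]*4, False)
    print("without scalars (honest, mixed):", demo(False))  # ([False]*4, True)
```

`demo(False)` reports the mixed evaluation as zero even though no honest input is zero, which is the leak a mixed-input attack exploits; `demo(True)` reports it as non-zero because the scalar products on the two branches no longer agree once the b choices within one bit are inconsistent. The real candidate hides these matrices behind the mmap encodings, so the comparison is done by the zero test rather than by direct equality.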
30 Status of BP obfuscation candidates before this work (easier to break <<<<<<<<<<<<< harder to break: GGH13, CLT13, GGH15)
                                            GGH13                          CLT13                                     GGH15
  Candidates without the diagonal padding  Broken [Miles et al 16]        Broken [Cheon et al 15, Coron et al 15]   ?
  GGHRSW13 [any BP + diagonal]             Secure in an idealized model?  ?                                         ?
  GMMSSZ16 [dual-input + diagonal]         ?                              ?                                         ?
31 Plan for the rest of the talk: review GGHRSW13 obfuscation; analyze GGHRSW + GGH15; analyze GGHRSW + GGH13 (very briefly).
32 Review of the GGH15 encoding [Gentry, Gorbunov, Halevi 15]
33 Goal: multiply the S matrices S_{i,b} (as on slide 26: S_{1,b} = a_{1,b} J diag(v_{1,b}, B_{1,b}) K_1, S_{i,b} = a_{i,b} K_{i-1}^{-1} diag(v_{i,b}, B_{i,b}) K_i, S_{h,b} = a_{h,b} K_{h-1}^{-1} diag(v_{h,b}, B_{h,b}) L) without revealing them, and test equality at the end.
34-36 GGH15 encoding for the i-th hop: the secrets S_{i,1} and S_{i,0} sit between the public matrices A_i and A_{i+1}.
Encode(S_{i,b}) in 2 steps:
1. Y_{i,b} = S_{i,b} A_{i+1} + E_{i,b} with E_{i,b} small, i.e. Y_{i,1} = S_{i,1} A_{i+1} + E_{i,1} and Y_{i,0} = S_{i,0} A_{i+1} + E_{i,0}.
2. Sample (using the trapdoor of A_i) a small D_{i,b} such that A_i D_{i,b} = Y_{i,b}.
D_{i,b} = Encoding(S_{i,b}).
37 [GGHRSW13] + [GGH15]: the obfuscation consists of the encodings D_{1,1}, D_{2,1}, ..., D_{h,1} and D_{1,0}, D_{2,0}, ..., D_{h,0} of the functional branch (with S_{1,b} = a_{1,b} J diag(v_{1,b}, B_{1,b}) K_1 and so on) and D'_{1,1}, ..., D'_{h,1}, D'_{1,0}, ..., D'_{h,0} of the dummy branch, together with the public matrix A at the start of each chain.
38 Setting for the cryptanalysts
39 Target: branching programs that always compute the identity matrix (corresponds to output 0), with an input-partitioning feature: the steps are split into an X zone and a Z zone (diagram on the slide: the two branches, with P and P^{-1} appearing in the zones). Goal: extract the scalars there, then run the mixed-input attack.
40 Step I: honestly evaluate many inputs that lead to zero outputs.
41 Attack GGHRSW13 + GGH15, Step 1: accumulate a matrix W via honest evaluations that yield zero. The encodings D_{1,1}, D_{2,1}, ..., D_{h-1,1}, D_{h,1} and D_{1,0}, ..., D_{h,0} (and D'_{i,b} on the dummy branch) are split into the X zone and the Z zone, and W = (w_{i,j}) for i in [u], j in [v] with
w_{i,j} = A D_{x_i} D_{z_j} - A' D'_{x_i} D'_{z_j},
where D_{x_i} is the product of the X-zone encodings selected by the i-th X-input and D_{z_j} the product of the Z-zone encodings selected by the j-th Z-input.
42 Step II: compute the left-kernel.
43-45 Attack GGHRSW13 + GGH15, Step 2: compute the left-kernel of W. (In the rest of the analysis in this talk, we will ignore the dummy branch.) The zero evaluations factor W as a product X Z: the rows of X are the X-zone parts (S_{x_1}, E_{x_1}), (S_{x_2}, E_{x_2}), ..., (S_{x_u}, E_{x_u}), and the columns of Z are the Z-zone parts (S_{z_j} A_0 + E_{z_j}; D_{z_j}) for j = 1, ..., v. A left-kernel F of W gives F W = F X Z = 0 => F X = 0.
The first two steps are taken from the previous zeroizing attack [CLLT16]; the next few steps will be more involved.
46 Step III: from the left-kernel F, extract information about the scalars.
47-49 Attack GGHRSW13 + GGH15, Step 3: from F = (f_{g,i}), g in [1,d], i in [1,k], learn something about the scalars. The useful equations: for every g in [1,d],
sum_{i=1}^{k} f_{g,i} x_i a_{i,x_i} = 0,
where S_{x_i} = a_{x_i} J diag(u_{x_i}, v_{x_i}, x_i) K (what we have: the f_{g,i}; what we want: the a_{i,x_i}).
Challenge: solve the non-linear equations. Solution: use the homogeneous feature; it is possible to get partial relations of some ratios a_{i,x_i}/a_{j,x_j}.
50 Step IV, wait, more?
51-52 Attack GGHRSW13 + GGH15, Step 3 continued. What we can get: a_{1,1} a_{3,1} / a_{1,0} a_{3,0}, a_{1,1} a_{3,1} / a_{2,1} a_{4,1}, a_{1,1} a_{3,1} / a_{2,0} a_{4,0}. What we want: each of a_{1,1}, a_{3,1}, a_{1,0}, a_{3,0}, ... Possible to get some pairs via a PIP solver and factoring oracles.
53 If you have a quantum computer (or are willing to spend subexponential time classically), you have PIP and factoring oracles.
54 Attack GGHRSW13 + GGH15, summary. Step 1 (evaluate, reorganize results): accumulate equations to get a matrix W. Step 2 (linear algebra): compute the left-kernel F of W. Step 3 (alternative linear algebra): from F, find ratios of scalars from the X zone. Step 4 (quantum polynomial or subexponential classical): from the ratios of scalars, find the small representations, and run the mixed-input attack.
55 Plan for the rest of the talk: review GGHRSW13 obfuscation; how to break GGHRSW + GGH15; how to break GGHRSW + GGH13 (very briefly).
56 GGH13 quick recap. Base ring: R = Z[x]/(x^n + 1). Master secret: a small g in R. Ideal generated by g: I = <g> = { g u : u in R }, with basis B(g) = { g, X g, ..., X^{n-1} g }. Plaintext space: R/I. Zero-test parameter: h z^k / g. Encode(m): (m + g r) / z.
57 GGHRSW + GGH13 attack overview. Step 1: use the zeroizing attack to recover I = <g> (if you have a quantum computer or are willing to spend subexponential time, you can get g itself from I, which yields a total break). Step 2: compute ratios of scalars in some form. Step 3: once you have the ratios of scalars, use a simplified version of the annihilation attack [MSZ16]. (Diagram on the slide: the program split into an X zone, a Y zone and a Z zone, with P and P^{-1}.)
58 Summary of the status of BP obfuscation. Columns: some single-input BPs with input partition; some single-input BPs without input partition*; all BPs (esp. dual-input). Entries in reading order: GGH13: classical polynomial time [CGH17]; candidates without diagonal paddings [MSZ16, ADGM17]; ??????? CLT13: classical poly [CHLRS15]; quantum [factoring]. GGH15: quantum polynomial or classical subexponential time [CGH17]; classical poly [CLLT17]; ???????
* Missing details of the exact statements; for the exact parameters see the references. Blue: concurrent works that use the tensoring method.
59-60 The next benchmark for cryptanalysts: [Garg-Miles-Mukherjee-Sahai-Srinivasan-Zhandry 16]: (0) dual-input branching program; (1) bundling scalars (against mixed-input attacks); (2) Kilian randomization (against partial evaluation); (3) adding random diagonal matrices and bookends; (4) wrap (0-3) by multilinear maps. For this candidate no attack is published for GGH13, CLT13, GGH15. With an idealized-model-type security proof for GGH13.
Another direction for cryptanalysts: attack without using encodings of zero (e.g. targeting obfuscation for evasive functions).
For counter-cryptanalysts: one can identify secure modes for GGH15 that can be based on LWE: "Constraint-hiding constrained PRFs for NC1 from LWE" (Ran Canetti, Yilei Chen); "Separating Semantic and Circular Security for Symmetric-Key Bit Encryption from the Learning with Errors Assumption" (Rishab Goyal, Venkata Koppula, Brent Waters); and more on eprint recently, possibly more safe applications.
61 A story of pursuing the truth and happiness in the crusade of postmodern cryptography.
62 Thanks for your time. Bye!
More informationIntroduction to Security Reduction
springer.com Computer Science : Data Structures, Cryptology and Information Theory Springer 1st edition Printed book Hardcover Printed book Hardcover ISBN 978-3-319-93048-0 Ca. $ 109,00 Planned Discount
More informationClient-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity
Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity Ran Canetti 1, Abhishek Jain 2, and Omer Paneth 3 1 Boston University and Tel-Aviv University, canetti@bu.edu 2 Boston
More informationImproved Delegation Of Computation Using Somewhat Homomorphic Encryption To Reduce Storage Space
Improved Delegation Of Computation Using Somewhat Homomorphic Encryption To Reduce Storage Space Dhivya.S (PG Scholar) M.E Computer Science and Engineering Institute of Road and Transport Technology Erode,
More informationLecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model
CMSC 858K Advanced Topics in Cryptography March 11, 2004 Lecturer: Jonathan Katz Lecture 14 Scribe(s): Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze 1 A Note on Adaptively-Secure NIZK A close look
More informationCryptography for Parallel RAM via Indistinguishability Obfuscation
Cryptography for Parallel RM via Indistinguishability Obfuscation Yu-Chi Chen Sherman S. M. Chow Kai-Min Chung Russell W. F. Lai Wei-Kai Lin Hong-Sheng Zhou ugust 22, 2015 bstract Since many cryptographic
More informationFunctional Encryption: Deterministic to Randomized Functions from Simple Assumptions. Shashank Agrawal and David J. Wu
Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions Shashank Agrawal and David J. Wu Public-Key Functional Encryption [BSW11, O N10] x f(x) Keys are associated with deterministic
More informationLaconic Zero Knowledge to. Akshay Degwekar (MIT)
Laconic Zero Knowledge to Public Key Cryptography Akshay Degwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78, Goldwasser-Micali82] sk pk Public Key Encryption ct = Enc
More informationCS 395T. Formal Model for Secure Key Exchange
CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,
More informationOptimal-Rate Non-Committing Encryption in a CRS Model
Optimal-Rate Non-Committing Encryption in a CRS Model Ran Canetti Oxana Poburinnaya Mariana Raykova May 24, 2016 Abstract Non-committing encryption (NCE) implements secure channels under adaptive corruptions
More informationLecture 19 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)
Lecture 19 - Oblivious Transfer (OT) and Private Information Retrieval (PIR) Boaz Barak November 29, 2007 Oblivious Transfer We are thinking of the following situation: we have a server and a client (or
More informationFunction-Private Identity-Based Encryption: Hiding the Function in Functional Encryption
Function-Private Identity-Based Encryption: Hiding the Function in Functional Encryption Dan Boneh, Ananth Raghunathan, and Gil Segev Computer Science Department Stanford University, Stanford, CA 94305.
More informationFrom obfuscation to white-box crypto: relaxation and security notions
From obfuscation to white-box crypto: relaxation and security notions Matthieu Rivain WhibOx 26, 4 Aug, UCB What does this program do? ([]+/H/)[&>>]+(+[[]+(-~ )+(~+e)+(.^!)])[[([]+!![
More informationIntroduction to Cryptography. Lecture 6
Introduction to Cryptography Lecture 6 Benny Pinkas page 1 1 Data Integrity, Message Authentication Risk: an active adversary might change messages exchanged between Alice and Bob M Alice M M M Bob Eve
More informationCryptanalysis of Brenner et al. s Somewhat Homomorphic Encryption Scheme
Proceedings of the Eleventh Australasian Information Security Conference (AISC 2013), Adelaide, Australia Cryptanalysis of Brenner et al. s Somewhat Homomorphic Encryption Scheme Russell Paulet Xun Yi
More informationMulti-authority attribute based encryption with honest-but-curious central authority
Proceedings of the 10th International Conference on Computational and Mathematical Methods in Science and Engineering, CMMSE 2010 27 30 June 2010. Multi-authority attribute based encryption with honest-but-curious
More information1 A Tale of Two Lovers
CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Dec. 12, 2006 Lecture Notes 19 (expanded): Secure Two-Party Computation Recommended Reading. Goldreich Volume II 7.2.2, 7.3.2, 7.3.3.
More information- Presentation 25 minutes + 5 minutes for questions. - Presentation is on Wednesday, 11:30-12:00 in B05-B06
Information: - Presentation 25 minutes + 5 minutes for questions. - Presentation is on Wednesday, 11:30-12:00 in B05-B06 - Presentation is after: Abhi Shelat (fast two-party secure computation with minimal
More informationSecurity in Data Science
SDSI Nov. 2017 Security in Data Science Dan Boneh Stanford University Private genomic data analysis [Jagadeesh, Wu, Birgmeier, Boneh, Bejerano, Science, 2017] What genes causes a specific disorder? 2 v
More informationA Mathematical Proof. Zero Knowledge Protocols. Interactive Proof System. Other Kinds of Proofs. When referring to a proof in logic we usually mean:
A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of statements. 2. Based on axioms. Zero Knowledge Protocols 3. Each statement is derived via the derivation rules.
More informationZero Knowledge Protocols. c Eli Biham - May 3, Zero Knowledge Protocols (16)
Zero Knowledge Protocols c Eli Biham - May 3, 2005 442 Zero Knowledge Protocols (16) A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of statements. 2. Based on axioms.
More informationReplacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation
Replacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation Susan Hohenberger, Amit Sahai, and Brent Waters 1 Johns Hopkins University, susan@cs.jhu.edu 2 UCLA, sahai@cs.ucla.edu
More informationCryptanalyzing the Polynomial Reconstruction based Public-Key System under Optimal Parameter Choice
Cryptanalyzing the Polynomial Reconstruction based Public-Key System under Optimal Parameter Choice Aggelos Kiayias - Moti Yung U. of Connecticut - Columbia U. (Public-Key) Cryptography intractability
More informationEfficient Private Matching and Set Intersection
Efficient Private Matching and Set Intersection Mike Freedman, NYU Kobbi Nissim, MSR Benny Pinkas, HP Labs EUROCRYPT 2004 A Story Is there any chance we might be compatible? We could see if we have similar
More informationObfuscation Omer Paneth
Obfuscation Omer Paneth What does it do? #include void primes(int cap) { int i, j, composite; for(i = 2; i < cap; ++i) { composite = 0; for(j = 2; j * j
More informationResearch Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel.
Research Statement Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel. lindell@cs.biu.ac.il www.cs.biu.ac.il/ lindell July 11, 2005 The main focus of my research is the theoretical foundations
More informationThe Exact Round Complexity of Secure Computation
The Exact Round Complexity of Secure Computation Antigoni Polychroniadou (Aarhus University) joint work with Sanjam Garg, Pratyay Mukherjee (UC Berkeley), Omkant Pandey (Drexel University) Background:
More informationFunctional Encryption from (Small) Hardware Tokens
Functional Encryption from (Small) Hardware Tokens Kai-Min Chung 1, Jonathan Katz 2, and Hong-Sheng Zhou 3 1 Academia Sinica kmchung@iis.sinica.edu.tw 2 University of Maryland jkatz@cs.umd.edu 3 Virginia
More informationENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel
(a) Introduction - recall symmetric key cipher: III. BLOCK CIPHERS k Symmetric Key Cryptography k x e k y yʹ d k xʹ insecure channel Symmetric Key Ciphers same key used for encryption and decryption two
More informationGroup Key Establishment Protocols
Group Key Establishment Protocols Ruxandra F. Olimid EBSIS Summer School on Distributed Event Based Systems and Related Topics 2016 July 14, 2016 Sinaia, Romania Outline 1. Context and Motivation 2. Classifications
More informationRound-Optimal Secure Multi-Party Computation
TPMPC 2018 Round-Optimal Secure Multi-Party Computation WITHOUT Setup C R Y P T O Shai Halevi, IBM Carmit Hazay, Bar Ilan University Antigoni Polychroniadou, Cornell Tech Muthuramakrishnan Venkitasubramaniam,
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary Introduction Stream & Block Ciphers Block Ciphers Modes (ECB,CBC,OFB) Advanced Encryption Standard (AES) Message Authentication
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationIntroduction to Cryptography Lecture 7
Introduction to Cryptography Lecture 7 El Gamal Encryption RSA Encryption Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing
More informationWhite-Box Cryptography State of the Art. Paul Gorissen
White-Box Cryptography State of the Art Paul Gorissen paul.gorissen@philips.com Outline Introduction Attack models White-box cryptography How it is done Interesting properties State of the art Conclusion
More informationarxiv: v1 [cs.cr] 17 Jun 2012
Multiparty Cloud Computation Qingji Zheng 1 and Xinwen Zhang 2 arxiv:1206.3717v1 [cs.cr] 17 Jun 2012 1 University of Texas at San Antonio, TX, USA qzheng@cs.utsa.edu 2 Huawei Research Center, Santa Clara,
More information