Modeling Random Oracles under Unpredictable Queries
Pooya Farshim (1) and Arno Mittelbach (2)
(1) ENS, CNRS & INRIA, PSL Research University, Paris, France
(2) TU Darmstadt, Germany
23rd Fast Software Encryption (FSE), Nordrhein-Westfalen
Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 1

The Random-Oracle Model (ROM)

Random oracles (ROs) model ideal hash functions [BR93]. In the RO model, all parties have oracle access to a uniformly chosen random function.

ROs enable the security proofs of a wide range of practical and strongly secure cryptosystems: encryption & signature schemes, key exchange, disk encryption, ...

Reliance on the ROM, although practical, is also debatable:
- There are uninstantiable ROM schemes [CGH98]: a scheme Enc^O such that Enc^RO is secure but Enc^H is insecure for any concrete H.
- There is no definition formalizing RO-like behavior.

(Very) Naïve Attempt at Modeling ROs

Call a hash function IND-RO if, over a random choice of hk, an adversary A(hk) with oracle access to either H_hk or RO cannot tell which one it is talking to:

    Adv^{ind-ro}_{H,A}(λ) := 2 · Pr[b = b'] − 1

Clearly uninstantiable: A(hk) computes H_hk(0) itself and compares it to the oracle's answer on 0.

But observe: the attack works because the full input (hk, 0) is known to A.
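The IND-RO game and the one-line distinguisher above, as an added example that is not part of the talk's slides. The candidate hash H_hk is instantiated with HMAC-SHA256 and the random oracle is lazily sampled; both are assumptions for the sake of running the game. The second game hides hk from the adversary (the "PRF" variant of the next slide), which is exactly what takes the comparison attack away.

```python
import hashlib
import hmac
import os

OUT_LEN = 32  # output length in bytes (SHA-256)

def keyed_hash(hk: bytes, x: bytes) -> bytes:
    """H_hk(x): the candidate keyed hash. HMAC-SHA256 is an assumed stand-in."""
    return hmac.new(hk, x, hashlib.sha256).digest()

class RandomOracle:
    """A lazily sampled random function {0,1}* -> {0,1}^(8*OUT_LEN)."""
    def __init__(self) -> None:
        self.table = {}

    def __call__(self, x: bytes) -> bytes:
        if x not in self.table:
            self.table[x] = os.urandom(OUT_LEN)
        return self.table[x]

def ind_ro_game(adversary, b: int) -> int:
    """IND-RO game: A gets hk and an oracle that is H_hk (b = 0) or a fresh RO (b = 1)."""
    hk = os.urandom(32)
    oracle = (lambda x: keyed_hash(hk, x)) if b == 0 else RandomOracle()
    return adversary(hk, oracle)

def prf_game(adversary, b: int) -> int:
    """PRF game (hk hidden): A gets only the oracle, as on the 'hide hk' slide."""
    hk = os.urandom(32)
    oracle = (lambda x: keyed_hash(hk, x)) if b == 0 else RandomOracle()
    return adversary(None, oracle)

def trivial_distinguisher(hk, oracle) -> int:
    """A(hk): recompute H_hk(0) locally and compare with the oracle's answer on 0."""
    if hk is None:  # without hk the comparison cannot be made; fall back to a fixed guess
        return 0
    return 0 if oracle(b"\x00") == keyed_hash(hk, b"\x00") else 1

def advantage(game, adversary, trials: int = 50) -> float:
    """Estimate 2*Pr[b = b'] - 1, which for a uniform bit b equals
    Pr[A -> 1 | b = 1] - Pr[A -> 1 | b = 0]."""
    p1 = sum(game(adversary, 1) for _ in range(trials)) / trials
    p0 = sum(game(adversary, 0) for _ in range(trials)) / trials
    return p1 - p0

if __name__ == "__main__":
    print("IND-RO advantage:", advantage(ind_ro_game, trivial_distinguisher))  # 1.0
    print("PRF advantage:   ", advantage(prf_game, trivial_distinguisher))     # 0.0
```

The IND-RO advantage is 1 because the real oracle always agrees with the local recomputation while a random oracle agrees only with probability 2^-256; in the hidden-key game the same adversary is reduced to guessing.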

Can We Fix the Naïve Model?

Let's hide hk: A(1^λ) gets oracle access to H_hk or RO but does not see hk.

    Adv^{prf}_{H,A}(λ) := 2 · Pr[b = b'] − 1

We obtain PRF security. Not so useful in the context of hashing, as hk is publicly available.

First idea: split A into two parts, one that gets hk and one that gets oracle access.

Modeling ROs via Split Adversaries

Call the two components of A the source S and the distinguisher D:
- S(1^λ) has oracle access to H_hk or RO, makes queries x_i, and passes leakage L to D.
- D(hk) receives hk and L and outputs a guess b'.

    Adv^{uce}_{H,S,D}(λ) := 2 · Pr[b = b'] − 1

Still uninstantiable: S leaks the oracle's response on 0 via L, and D(hk) checks where it is coming from.

Second idea: restrict L so that it must not leak any of S's queries.

Universal Computational Extractors (UCEs) [BHK13]

UCE game: S(1^λ) queries x_i to H_hk or RO and passes leakage L to D(hk), which outputs b'.

    Adv^{uce}_{H,S,D}(λ) := 2 · Pr[b = b'] − 1

Prediction game: S(1^λ) runs with oracle access to an RO and passes L to a predictor P, which outputs a guess x'.

    Adv^{pred}_{S,P}(λ) := Pr[x' ∈ {x_1, ..., x_n}]

Say S is unpredictable if Adv^{pred}_{S,P}(λ) is negligible for all efficient P.
Say H is UCE secure if Adv^{uce}_{H,S,D}(λ) is negligible for any unpredictable S.

Applications of UCE [BHK13]

UCE-secure hash functions can instantiate the RO in:
- Deterministic public-key encryption (D-PKE)
- Message-locked encryption (MLE)
- Selective related-key and key-dependent message security
- Point-function obfuscation
- Proofs of storage
- Poly-many hard-core bits
- OAEP, garbling schemes, ...

UCEs model many RO-like properties.

Shortcomings of UCEs

[figure: S(1^λ) queries x_i to H_hk or RO and passes L to D(hk)]

Three inter-related drawbacks:
- UCEs are not instantiable with unkeyed hash functions.
- Queries are independent of the hash key.
- The model does not allow for adaptive queries.

Can we overcome these?

Goal

Note also that, conceptually, UCEs avoid the CGH attack by restricting queries to high-entropy ones.

To what extent can we build on this view of UCEs to formulate a more general framework modeling a wider class of RO-like properties for hash functions?

Interactive Computational Extractors (ICEs)

[figure: the UCE game, S(1^λ) with oracle Hash_b(hk, ·) passing L to D(hk), is replaced by two interactive distinguishers D_1(1^λ) and D_2(1^λ) that share oracle access to Hash_b(·, ·) and output b']

Unpredictability: with respect to an RO, no P can predict a query of D_1 or D_2:

    x ←$ P(View(D_i))  such that  x ∈ Qrys(D_1) ∪ Qrys(D_2),

where View(D_i) := everything that D_i sees = Coins(D_i) + InLeakage(D_i) + hash values.

Example Application: RKA Security

Recall the Black-Rogaway-Shrimpton [BRS03] encryption scheme:

    Enc^H(K, M; R) := (R, H(K ‖ R) ⊕ M)

This was shown to be KDM secure in the ROM, where the adversary gets to see Enc(K, f(K)).

We establish its RKA (and KDM) security without ROs, where the adversary gets to see Enc(f(K), M).

Theorem. The BRS scheme is RKA secure against split functions

    f : K_1 ‖ K_2 ↦ f_1(K_1) ‖ f_2(K_2)

if H is ICE secure. (As we'll see, this implies RKA security in the ROM.)

Full RKA: via a new ICE notion (see the upcoming full version).
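The BRS scheme with the two oracles the slide contrasts (RKA: Enc(f(K), M); KDM: Enc(K, g(K))) and a split related-key function f_1(K_1) ‖ f_2(K_2), as an added example that is not the authors' code. SHA-256 stands in for H, messages are one hash-output block long, and the key is split into two equal halves; all three are assumptions made to make the scheme executable, not choices taken from the talk.

```python
import hashlib
import os

BLOCK = 32  # |M| = |H output| = 32 bytes (SHA-256); an assumed parameter choice

def H(x: bytes) -> bytes:
    """The hash H of the BRS scheme. SHA-256 is an assumed stand-in for an ICE-secure H."""
    return hashlib.sha256(x).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def brs_encrypt(K: bytes, M: bytes, R: bytes = None):
    """Enc^H(K, M; R) := (R, H(K || R) XOR M), with R drawn fresh when not supplied."""
    if len(M) != BLOCK:
        raise ValueError("this example encrypts exactly one hash-output block")
    if R is None:
        R = os.urandom(BLOCK)
    return (R, xor(H(K + R), M))

def brs_decrypt(K: bytes, C) -> bytes:
    """Recover M from (R, H(K || R) XOR M) by recomputing the pad."""
    R, Y = C
    return xor(H(K + R), Y)

def split_function(f1, f2):
    """Build a split related-key function f : K_1 || K_2 -> f_1(K_1) || f_2(K_2);
    K_1 and K_2 are taken to be the two halves of K (an assumption of this example)."""
    def f(K: bytes) -> bytes:
        half = len(K) // 2
        return f1(K[:half]) + f2(K[half:])
    return f

def rka_oracle(K: bytes, f, M: bytes):
    """RKA oracle: the adversary sees Enc(f(K), M) under the related key f(K)."""
    return brs_encrypt(f(K), M)

def kdm_oracle(K: bytes, g):
    """KDM oracle: the adversary sees Enc(K, g(K)) for a key-dependent message g(K)."""
    return brs_encrypt(K, g(K))

# Constructed sample data (not taken from the talk).
KEY = bytes(range(64))                                    # K = K_1 || K_2, 32 bytes each
MSG = b"one-block message for BRS".ljust(BLOCK, b"\x00")  # exactly BLOCK bytes
DELTA = b"\x01" * 32
# Example split function: XOR a constant into K_1, leave K_2 untouched.
f_example = split_function(lambda k1: xor(k1, DELTA), lambda k2: k2)

def demo() -> bool:
    """Correctness of Enc/Dec, and that an RKA ciphertext opens under f(K) but not under K."""
    C = brs_encrypt(KEY, MSG)
    ok_dec = brs_decrypt(KEY, C) == MSG
    C_rka = rka_oracle(KEY, f_example, MSG)
    ok_rka = (brs_decrypt(f_example(KEY), C_rka) == MSG
              and brs_decrypt(KEY, C_rka) != MSG)
    C_kdm = kdm_oracle(KEY, lambda k: k[:BLOCK])  # g(K) = K_1, a key-dependent message
    ok_kdm = brs_decrypt(KEY, C_kdm) == KEY[:BLOCK]
    return ok_dec and ok_rka and ok_kdm

if __name__ == "__main__":
    print("BRS demo OK:", demo())
```

The split structure matters for the theorem: f acts independently on K_1 and K_2, so a related key never mixes information across the two halves, which is the shape of derivation the ICE-based proof handles.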

Other Applications

All applications of UCEs:
- Non-adaptive RKA/KDM security
- Point-function obfuscation
- Message-locked encryption, ...

- Semi-adaptive split KDM security of the BRS scheme
- Correlated-input hashing
- Foundational primitives: (weak) PRFs, randomness extractors, one-way security for polynomial regularity, ...

Feasibility I: VIL-ROM

Why consider this question at all?
- No generic attacks: the ICE model is structurally sound.
- It enables a layered approach to security analysis: one first proves security under ICEs, and then applies ROM feasibility.

Theorem. H^RO(hk, M) := RO(hk ‖ M) is ICE secure against computationally unpredictable (D_1, D_2).

Feasibility II: FIL-ROM

Let's look at HMAC/NMAC.

Claim: HMAC is ICE secure in the FIL-ROM.
Proof: HMAC is indifferentiable from an RO, and an RO is ICE secure.

Not true! ICE is a multi-stage game, and indifferentiability can fail in such settings [RSS11]. Indeed, there are ICE attacks on HMAC via chain completion.

Feasibility II: Zipper Hash

Theorem. The Keyed & Chopped Zipper Hash above is ICE secure against the adversary class shown: [figure: D_1(1^λ) and D_2(1^λ) with oracle Hash_b(hk, ·), hk, output b'].

- Sufficient for many applications, including split RKA security.
- Shows that multi-pass hash functions can provide extra security over their single-pass counterparts.

What about Full ICE in FIL-ROM?

Consider a message

    M := [m_1, m_2] ‖ [m_3, m_4] ‖ ... ‖ [m_{2n−1}, m_{2n}]
           (M_1)        (M_2)              (M_n)

Construct all half-block pairs:

    M' := [m_1, m_2] ‖ [m_1, m_3] ‖ ... ‖ [m_1, m_{2n}] ‖ [m_2, m_3] ‖ [m_2, m_4] ‖ ... ‖ [m_2, m_{2n}] ‖ [m_3, m_4] ‖ ... ‖ [m_{2n−1}, m_{2n}]

Now define:

    MixHash^h(hk, M) := HMAC^h(0, hk ‖ M').

Conjecture. MixHash is fully ICE secure in the FIL-ROM.
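The MixHash construction above, as an added example that is not the authors' code: parse M into half-blocks, expand it to the all-pairs string M', and feed hk ‖ M' to HMAC. The half-block size (32 bytes), the use of HMAC-SHA256 for HMAC^h, and reading the key "0" as an all-zero key of one half-block are assumptions made so the function runs; the talk states the construction but none of these parameters.

```python
import hashlib
import hmac
from itertools import combinations

HALF = 32  # bytes per half-block m_i (assumed: a 64-byte block split into two halves)

def half_blocks(M: bytes) -> list:
    """Parse M = M_1 || ... || M_n, M_i = [m_{2i-1}, m_{2i}], into its 2n half-blocks."""
    if len(M) == 0 or len(M) % (2 * HALF) != 0:
        raise ValueError("M must be a non-empty multiple of the full block length")
    return [M[i:i + HALF] for i in range(0, len(M), HALF)]

def mix(M: bytes) -> bytes:
    """M' := [m_1,m_2] || [m_1,m_3] || ... || [m_{2n-1},m_{2n}]: every pair (i < j)
    of half-blocks, in the order the slide lists them."""
    halves = half_blocks(M)
    return b"".join(a + b for a, b in combinations(halves, 2))

def num_pairs(M: bytes) -> int:
    """Number of half-block pairs, C(2n, 2) = n(2n - 1)."""
    k = len(half_blocks(M))
    return k * (k - 1) // 2

def expansion_factor(M: bytes) -> float:
    """|M'| / |M|: the quadratic blow-up is the price of the all-pairs construction."""
    return len(mix(M)) / len(M)

def mixhash(hk: bytes, M: bytes) -> bytes:
    """MixHash^h(hk, M) := HMAC^h(0, hk || M'). HMAC-SHA256 stands in for HMAC^h and the
    key 0 is an all-zero key of one half-block (both assumptions of this example)."""
    return hmac.new(bytes(HALF), hk + mix(M), hashlib.sha256).digest()

# Constructed sample input (not from the talk): n = 2 full blocks, i.e. four half-blocks
# m_1..m_4, each filled with its own index byte so the pairs are easy to read in a dump.
SAMPLE_M = b"".join(bytes([i]) * HALF for i in range(1, 5))
SAMPLE_HK = b"\xaa" * 16

if __name__ == "__main__":
    print("pairs:", num_pairs(SAMPLE_M), "expansion:", expansion_factor(SAMPLE_M))
    print("MixHash:", mixhash(SAMPLE_HK, SAMPLE_M).hex())
```

For n blocks the expanded input has n(2n − 1) pairs, so the construction costs a quadratic number of compression-function calls relative to the message length; that is the trade-off behind the conjecture, not a defect of the code.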

Final Thoughts

What this talk was about: a new security model capturing many RO-like properties.
[figure: D_1(1^λ) and D_2(1^λ) with oracle Hash_b(·, ·), output b']

Future directions:
- What is the most general model for RO-like behavior? In particular, are there extensions that get us up to full KDM security?
- Weakening assumptions: domain/range extenders for ICEs.
- Are ICEs instantiable in the standard model?

Thank you.
Message Authentication ( 消息认证 ) Sheng Zhong Yuan Zhang Computer Science and Technology Department Nanjing University 2017 Fall Sheng Zhong, Yuan Zhang (CS@NJU) Message Authentication ( 消息认证 ) 2017 Fall
More informationCryptography. Lecture 12. Arpita Patra
Cryptography Lecture 12 Arpita Patra Digital Signatures q In PK setting, privacy is provided by PKE q Integrity/authenticity is provided by digital signatures (counterpart of MACs in PK world) q Definition:
More informationFrom CryptoVerif Specifications to Computationally Secure Implementations of Protocols
From CryptoVerif Specifications to Computationally Secure Implementations of Protocols Bruno Blanchet and David Cadé INRIA, École Normale Supérieure, CNRS, Paris April 2012 Bruno Blanchet and David Cadé
More informationAutomated Analysis and Synthesis of Block-Cipher Modes of Operation
Automated Analysis and Synthesis of Block-Cipher Modes of Operation Alex J. Malozemoff 1 Jonathan Katz 1 Matthew D. Green 2 1 University of Maryland 2 Johns Hopkins University Presented at the IEEE Computer
More informationInformation Security
SE 4472b Information Security Week 2-2 Some Formal Security Notions Aleksander Essex Fall 2015 Formalizing Security As we saw, classical ciphers leak information: Caeser/Vigenere leaks letter frequency
More informationData Integrity & Authentication. Message Authentication Codes (MACs)
Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (reciever) Fran
More informationSecurity of Cryptosystems
Security of Cryptosystems Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Symmetric key cryptosystem m M 0 c Enc sk (m) sk Gen c sk m Dec sk (c) A randomised key generation algorithm outputs
More informationGeneric collision attacks on hash-functions and HMAC
Generic collision attacks on hash-functions and HMAC Chris Mitchell Royal Holloway, University of London 1 Agenda 1. Hash-functions and collision attacks 2. Memoryless strategy for finding collisions 3.
More informationSecurity Analysis of a Design Variant of Randomized Hashing
Security Analysis of a Design Variant of Randomized ashing Praveen Gauravaram 1, Shoichi irose 2, Douglas Stebila 3 1 Tata Consultancy Services, Australia 2 University of Fukui, Japan 3 McMaster University,
More informationOn the Relationship between Functional Encryption, Obfuscation, and Fully Homomorphic Encryption
On the Relationship between Functional Encryption, Obfuscation, and Fully Homomorphic Encryption Joël Alwen 1, Manuel Barbosa 2, Pooya Farshim 3, Rosario Gennaro 4, S. Dov Gordon 5, Stefano Tessaro 6,7,
More informationCS408 Cryptography & Internet Security
CS408 Cryptography & Internet Security Lectures 16, 17: Security of RSA El Gamal Cryptosystem Announcement Final exam will be on May 11, 2015 between 11:30am 2:00pm in FMH 319 http://www.njit.edu/registrar/exams/finalexams.php
More informationLectures 6+7: Zero-Leakage Solutions
Lectures 6+7: Zero-Leakage Solutions Contents 1 Overview 1 2 Oblivious RAM 1 3 Oblivious RAM via FHE 2 4 Oblivious RAM via Symmetric Encryption 4 4.1 Setup........................................ 5 4.2
More informationA Punctured Programming Approach to Adaptively Secure Functional Encryption
A Punctured Programming Approach to Adaptively Secure Functional Encryption Brent Waters University of Texas at Austin bwaters@cs.utexas.edu Abstract We propose the first construction for achieving adaptively
More informationCOMS W4995 Introduction to Cryptography November 13, Lecture 21: Multiple Use Signature Schemes
COMS W4995 Introduction to Cryptography November 13, 2003 Lecture 21: Multiple Use Signature Schemes Lecturer: Tal Malkin Scribes: M. Niccolai, M. Raibert Summary In this lecture, we use the one time secure
More informationThe Simplest Protocol for Oblivious Transfer
The Simplest Protocol for Oblivious Transfer Preliminary Report in MTAT.07.022 Research Seminar in Cryptography, Fall 2015 Author: Sander Siim Supervisor: Pille Pullonen December 15, 2015 Abstract This
More informationProofs for Key Establishment Protocols
Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish
More informationPlaintext Awareness via Key Registration
Plaintext Awareness via Key Registration Jonathan Herzog CIS, TOC, CSAIL, MIT Plaintext Awareness via Key Registration p.1/38 Context of this work Originates from work on Dolev-Yao (DY) model Symbolic
More informationA CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model
A CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model Jörn Müller-Quade European Institute for System Security KIT, Karlsruhe, Germany 04/23/09 Session ID: CRYP301 Session Classification:
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationRandomness Extractors. Secure Communication in Practice. Lecture 17
Randomness Extractors. Secure Communication in Practice Lecture 17 11:00-12:30 What is MPC? Manoj Monday 2:00-3:00 Zero Knowledge Muthu 3:30-5:00 Garbled Circuits Arpita Yuval Ishai Technion & UCLA 9:00-10:30
More informationCSA E0 312: Secure Computation October 14, Guest Lecture 2-3
CSA E0 312: Secure Computation October 14, 2015 Guest Lecture 2-3 Guest Instructor: C. Pandu Rangan Submitted by: Cressida Hamlet 1 Introduction Till now we have seen only semi-honest parties. From now
More informationMulti-Key Searchable Encryption, Revisited
Multi-Key Searchable Encryption, Revisited Ariel Hamlin abhi shelat Mor Weiss Daniel Wichs March 19, 2018 Abstract We consider a setting where users store their encrypted documents on a remote server and
More informationInductive Trace Properties for Computational Security
Inductive Trace Properties for Computational Security Arnab Roy, Anupam Datta, Ante Derek, John C. Mitchell Department of Computer Science, Stanford University Abstract. Protocol authentication properties
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Department of Computer Science and Applied Math, Weizmann Institute of Science, Rehovot, Israel. lindell@wisdom.weizmann.ac.il
More informationA Survey of Certificateless Encryption Schemes and Security Models
A Survey of Certificateless Encryption Schemes and Security Models Alexander W. Dent Information Security Group, Royal Holloway, Egham Hill, Egham, Surrey, U.K. a.dent@rhul.ac.uk Abstract. In this paper
More informationCryptographic Primitives and Protocols for MANETs. Jonathan Katz University of Maryland
Cryptographic Primitives and Protocols for MANETs Jonathan Katz University of Maryland Fundamental problem(s) How to achieve secure message authentication / transmission in MANETs, when: Severe resource
More informationISA 562: Information Security, Theory and Practice. Lecture 1
ISA 562: Information Security, Theory and Practice Lecture 1 1 Encryption schemes 1.1 The semantics of an encryption scheme. A symmetric key encryption scheme allows two parties that share a secret key
More informationFormal Methods and Cryptography
Formal Methods and Cryptography Michael Backes 1, Birgit Pfitzmann 2, and Michael Waidner 3 1 Saarland University, Saarbrücken, Germany, backes@cs.uni-sb.de 2 IBM Research, Rueschlikon, Switzerland, bpf@zurich.ibm.com
More informationPaper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage
1 Announcements Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage 2 Recap and Overview Previous lecture: Symmetric key
More informationRefining Computationally Sound Mech. Proofs for Kerberos
Refining Computationally Sound Mechanized Proofs for Kerberos Bruno Blanchet Aaron D. Jaggard Jesse Rao Andre Scedrov Joe-Kai Tsay 07 October 2009 Protocol exchange Meeting Partially supported by ANR,
More informationEncrypted databases. Tom Ristenpart CS 6431
Encrypted databases Tom Ristenpart CS 6431 Outsourced storage settings Client wants to store data up on Dropbox High availability, synch across devices Server includes much value-add functionality Keyword
More information