Sequential Aggregate Signatures with Lazy Verification from Trapdoor Permutations
|
|
- Brianne Gilmore
- 6 years ago
- Views:
Transcription
1 Sequential Aggregate Signatures with Lazy Verification from Trapdoor Permutations Kyle Brogle 1 Sharon Goldberg 2 Leo Reyzin 2 1 Stanford University; work done while at Boston University 2 Boston University Asiacrypt 2012 Beijing, China 6 December 2012
2 BGP Internet Routing between Autonomous Systems (ASes) Alice Bob: 18.*.*.* has path Alice MIT Alice: 18.*.*.* has path MIT BU: 18.*.*.* has path Alice MIT MIT Owns 18.*.*.* Bob BU: 18.*.*.* has path Bob Alice MIT MIT BU
3 BGPSEC Sign announcements sent Include announcements you received for the path Problem: Announcements get big! Alice: (MIT,18.*.*.*) Alice MIT Alice: (MIT,18.*.*.*) Bob: (Alice,MIT,18.*.*.*) Alice: (MIT,18.*.*.*) BU: (Alice,MIT,18.*.*.*) Bob Alice: (MIT,18.*.*.*) Bob: (Alice,MIT,18.*.*.*) BU: (Bob,Alice,MIT,18.*.*.*) BU
4 Lazy Verification Problem: To verify these signatures, routers need to retrieve and maintain ~40,000 public keys. ard to do with low latency packet forwarding. Want to be able to defer verification of signatures time permits (but can t afford to defer sending announcements) Must be able to sign before verifying. Alice Alice: (MIT,18.*.*.*) MIT Alice: (MIT,18.*.*.*) Bob: (Alice,MIT,18.*.*.*) Alice: (MIT,18.*.*.*) BU: (Alice,MIT,18.*.*.*) Bob Alice: (MIT,18.*.*.*) BU Bob: (Alice,MIT,18.*.*.*) BU: (Bob,Alice,MIT,18.*.*.*)
5 Sequential Aggregate Signatures m 1, m 2, sig 2 m 3, sig 3 Best known aggregate signature scheme is BGLS [Boneh-Gentry-Lynn-Shacham 03] Based on Pairings over Elliptic Curves as desired properties, but would be nice to have alternative from different assumptions. sig 1 [Fischlin-Lehmann-Schröder 11] Variant of BGLS with stronger security guarantees. Guarantees aren t needed in BGP, but are interesting in other contexts. What about an alternative built from TDPs? All known constructions without pairings: Don t allow for lazy verification Some operations using other signers public keys
6 Sequential Aggregate Signatures m 1, sig 1 m 2, sig 2 m 3, sig 3 Sequential Aggregate Sigs can solve the problem of large announcements One signature instead of n But can Sequential Aggregate Sigs also andle lazy verification? Two prior schemes from TDPs: By Lysyanskaya-Micali-Reyzin-Shacham (LMRS) By Neven Both require verifying the aggregate-so-far before signing (no lazy verification), and both use other signer s public keys in signing operation. Goal: Build a scheme from TDPs, removing requirement for verify before sign to allow for lazy verification. To do so, we will have to let sig grow by a small amount per signer (much less than growth in msg length)
7 Previous Sequential Aggregate Signature Schemes
8 Full-Domain ash RSA [Rivest-Shamir-Adleman 78, Bellare-Rogaway 93] Going to use RSA as an example for today, but can be done with any TDP. ash function (full RSA domain outputs; random oracle ). Public key PK = (n, e). Secret key SK = (n, d). Signer: y = (m) x = y d mod n Verifier: y = (m)? y = x e mod n m m y? = y RSA 1 RSA x x
9 LMRS Signature Scheme [LMRS 04] Signer 1: PK 1 m 1 y 1 RSA 1 x 1 Signer 2: PK 1, PK 2 m 1, m 2 2 y 2 RSA 1 x 2 Steps for Signer 2: Check that PK 1 specifies permutation Verify x 1 using PK 1, m 1 Possible to generate a malicious PK that doesn t specify a permutation. 2 = (PK 1, PK 2, m 1, m 2 ) y 2 = 2 x 1 d x 2 = y 2 2 mod n 2 Prevents Lazy Verification (Need to verify aggregateso-far before you add your sig)
10 LMRS Fails Under Lazy Verification Signer 2 wants to sign m 2 But Signer 1 wants to get a sig on bad-m 2 (Chosen Message Attack) Signer 1: PK m 1 1 PK 1, PK 2 m 1, m 2 2 RSA 1 x 1 PK 1, PK 2 m 1, bad-m 2 Signer 2: PK 1, PK 2 m 1, m 2 bad- 2 2 bad-x y 1 2 RSA 1 x 2 Valid aggregate sig on (m 1, bad-m 2 )
11 Neven Signature Scheme [Neven 08] ash functions (short outputs), G (full RSA domain outputs) Signature has two components: (x, h) Signer 2: h PK 1,PK 1 2 m 2 1, m 2 G Signer 3: h 2 y 2 RSA 1 x 1 x 2 PK 1, PK 2, PK 3 m 1, m 2, m 3 y 3 3 G RSA 1 x 3 Verify (x 1, h 1 ) using PK 1, m 1 2 = (PK 1, PK 2, x 1, m 1, m 2 ) h 2 = 2 h 1 y 2 = G(h 2 ) x 1 d x 2 = y 2 2 mod n 2 h 3 No more certified permutations Without verification, same bad-m 2 attack works! Will always work if signer i knows exactly what goes into RSA -1 for signer i+1 Need something to be out of previous signer s control!
12 Our Scheme [BGR 12] ash functions (short outputs), G (full RSA domain outputs) Signature has two components: (x, h) plus an r value per signer Signer 2: x h 1 PK 1 1,PK 2 2 y m 2 1, m 2 G RSA 1 x 2 Signer 3: r 2 h 2 PK 1, PK 2, PK 3 3 y m 3 1, m 2, m 3 G RSA 1 x 3 Random r 2 Verify (x 1, h 1 ) using PK 1, m 1 2 = (PK 1, PK 2, x 1, m 1, m 2 ), r 2 ) h 2 = 2 h 1 y 2 = G(h 2 ) x 1 d x 2 = y 2 2 mod n 2 r 3 h 3 No more verification necessary malicious signer i cannot predict input to RSA -1 for signer i+1 Lazy Verification Achieved! Note: Security proof improves if r is pseudorandom; see paper for interesting combinatorial tricks.
13 Need for Lazy Verification Sequential Aggregate Signatures Our Scheme Proof Benchmarks
14 Security Proof Warm Up: Full-Domain-ash Proof [Bellare-Rogaway 93] m y RSA 1 x y (m)? y F x = RSA 1 (y) Proof logic: if forger F succeeds, we can invert RSA on a given y is a random oracle F has to query it answer one query with y By programming the random oracle to respond with y, we can ensure that if the forger succeeds, we will have inverted RSA on a given y.
15 Security Proof cont d PK 1 m 1 r 1 1 h 1 G x 1 y 1 RSA 1 x 1 Note G(h Reduction 1 ) = RSA PK1 sees (x 1 ). This can Reduction all be queries used to to pair. the two. needs Need to find one x 1 to match to x 1. PK 2 m 2 r 2 2 h 2 G?? y 2 RSA 1 x 2 Now we have a pair of matched queries, so we ve found x 1! G G(h 2 )? (x 1, )? ( )? y 2 x 2 = RSA 1 (y 2 ) F
16 Need for Lazy Verification Sequential Aggregate Signatures Our Scheme Proof Benchmarks
17 Benchmarks Implemented our scheme with OpenSSL primitives Benchmarks computed with software implementations. Things may look different in hardware. Benchmarks computed using OpenSSL: 2GB Ram, 2.4Gz Core i3 BLGS benchmark computed with MIRACL crypto library, as OpenSSL did not have an implementation. Benchmarks considered were signature length, verify time, and sign time.
18 Signature Length Bit Length ECDSA shorter for small k Average path length Path length k BGLS-256 RSA-2048 BGR-2048 ECDSA-256 Weaker routers see longer k => BGR more efficient
19 Verify Time Time (ms) BGLS costs approx 20ms + 6ms per signer Average path length BGLS-256 RSA-2048 BGR-2048 ECDSA Path length k
20 Sign Time Time (ms) RSA-2048 BGR-2048 ECDSA-256 BGLS Out Degree
21 Conclusions Sequential Aggregate Signatures From any TDP (in RO model) Lazy Verification (In fact, don t need to know previous signers at all) Signature grows ~128 bits/signer Already have linear growth due to messages, which are on average longer than 128 bytes. ± Speed comparable to RSA (fast verify, slower sign).
Aggregate and Verifiably Encrypted Signatures from Multilinear Maps Without Random Oracles
A preliminary version appears in ISA 2009, Lecture Notes in Computer Science, Springer-Verlag, 2009. Aggregate and Verifiably Encrypted Signatures from Multilinear Maps Without Random Oracles Markus Rückert
More informationSequential Aggregate Signatures with Lazy Verification from Trapdoor Permutations
Sequential Aggregate Signatures with Lazy Verification from Trapdoor Permutations (Extended Abstract) Kyle Brogle 1,, Sharon Goldberg 2, and Leonid Reyzin 2 1 Stanford University Department of Computer
More informationA Survey of Two Signature Aggregation Techniques
A Survey of Two Signature Aggregation Techniques Dan Boneh dabo@cs.stanford.edu Ben Lynn blynn@cs.stanford.edu Craig Gentry cgentry@docomolabs-usa.com Hovav Shacham hovav@cs.stanford.edu Abstract We survey
More informationAggregate and Verifiably Encrypted Signatures from Multilinear Maps Without Random Oracles
Aggregate and Verifiably Encrypted Signatures from Multilinear Maps Without Random Oracles Markus Rückert and Dominique Schröder 2 Cryptography and Computeralgebra 2 Minicrypt TU Darmstadt, Germany rueckert
More informationCSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography Outline 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More informationOutline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography 1. Introduction 2. RSA Outline 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More informationOutline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)
Outline AIT 682: Network and Systems Security 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard Topic 5.2 Public Key Cryptography Instructor: Dr. Kun Sun 2 Public Key
More information10 More on Signatures and the Public-Key Infrastructure
Leo Reyzin. Notes for BU CAS CS 538. 1 10 More on Signatures and the Public-Key Infrastructure 10.1 Random Oracle Model and Full-Domain-Hash Very efficient stateless signatures seem to come from the so-called
More informationLecture 10, Zero Knowledge Proofs, Secure Computation
CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last
More informationBU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/
BU CAS CS 538: Cryptography Lecture Notes. Fall 2005. http://www.cs.bu.edu/ itkis/538/ Gene Itkis Boston University Computer Science Dept. 1 General One-Way and Trapdoor Functions In this section, we will
More informationEncryption from the Diffie-Hellman assumption. Eike Kiltz
Encryption from the Diffie-Hellman assumption Eike Kiltz Elliptic curve public-key crypto Key-agreement Signatures Encryption Diffie-Hellman 76 passive security ElGamal 84 passive security Hybrid DH (ECDH)
More informationChapter 9 Public Key Cryptography. WANG YANG
Chapter 9 Public Key Cryptography WANG YANG wyang@njnet.edu.cn Content Introduction RSA Diffie-Hellman Key Exchange Introduction Public Key Cryptography plaintext encryption ciphertext decryption plaintext
More informationCSC 5930/9010 Modern Cryptography: Digital Signatures
CSC 5930/9010 Modern Cryptography: Digital Signatures Professor Henry Carter Fall 2018 Recap Implemented public key schemes in practice commonly encapsulate a symmetric key for the rest of encryption KEM/DEM
More informationPublic-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7
Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7 David Cash University of Chicago Plan 1. Security of RSA 2. Key Exchange, Diffie-Hellman 3. Begin digital
More informationSequential Aggregate Signatures and Multisignatures without Random Oracles
Sequential Aggregate Signatures and Multisignatures without Random Oracles Steve Lu 1, Rafail Ostrovsky 2, Amit Sahai 3, Hovav Shacham 4, and Brent Waters 5 1 UCLA, stevelu@math.ucla.edu 2 UCLA, rafail@cs.ucla.edu
More informationVerifiably Encrypted Signature Scheme with Threshold Adjudication
Verifiably Encrypted Signature Scheme with Threshold Adjudication M. Choudary Gorantla and Ashutosh Saxena Institute for Development and Research in Banking Technology Road No. 1, Castle Hills, Masab Tank,
More informationPublic-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7
Public-Key Cryptography Professor Yanmin Gong Week 3: Sep. 7 Outline Key exchange and Diffie-Hellman protocol Mathematical backgrounds for modular arithmetic RSA Digital Signatures Key management Problem:
More informationCryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III
Cryptography III Public-Key Cryptography Digital Signatures 2/1/18 Cryptography III 1 Public Key Cryptography 2/1/18 Cryptography III 2 Key pair Public key: shared with everyone Secret key: kept secret,
More informationHomomorphic encryption (whiteboard)
Crypto Tutorial Homomorphic encryption Proofs of retrievability/possession Attribute based encryption Hidden vector encryption, predicate encryption Identity based encryption Zero knowledge proofs, proofs
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously Exchanging keys and public key encryption Public Key Encryption pk sk Public Key Encryption pk cß Enc(pk,m) sk m Public
More informationIntroduction to Public-Key Cryptography
Introduction to Public-Key Cryptography Nadia Heninger University of Pennsylvania June 11, 2018 We stand today on the brink of a revolution in cryptography. Diffie and Hellman, 1976 Symmetric cryptography
More informationEfficient identity-based GQ multisignatures
Int. J. Inf. Secur. DOI 10.1007/s10207-008-0072-z REGULAR CONTRIBUTION Efficient identity-based GQ multisignatures Lein Harn Jian Ren Changlu Lin Springer-Verlag 2008 Abstract ISO/IEC 14888 specifies a
More informationOptimistic Fair Exchange in a Multi-User Setting
Optimistic Fair Exchange in a Multi-User Setting Yevgeniy Dodis 1, Pil Joong Lee 2, and Dae Hyun Yum 2 1 Department of Computer Science, New York University, NY, USA dodis@cs.nyu.edu 2 Department of Electronic
More informationCertificateless Onion Routing
Certificateless Onion Routing Dario Catalano Dipartimento di Matematica e Informatica Università di Catania - Italy catalano@dmi.unict.it Dario Fiore Dipartimento di Matematica e Informatica Università
More informationFailure Localization in the Internet
Failure Localization in the Internet Boaz Barak, Sharon Goldberg, David Xiao Princeton University Excerpts of talks presented at Stanford, U Maryland, NYU. Why use Internet path-quality monitoring? Internet:
More informationLecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model
CMSC 858K Advanced Topics in Cryptography March 11, 2004 Lecturer: Jonathan Katz Lecture 14 Scribe(s): Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze 1 A Note on Adaptively-Secure NIZK A close look
More informationPublic-Key Cryptography
Computer Security Spring 2008 Public-Key Cryptography Aggelos Kiayias University of Connecticut A paradox Classic cryptography (ciphers etc.) Alice and Bob share a short private key using a secure channel.
More informationIntroduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption
Introduction to Cryptography and Security Mechanisms: Unit 5 Public-Key Encryption Learning Outcomes Explain the basic principles behind public-key cryptography Recognise the fundamental problems that
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Public Key Cryptography Modular Arithmetic RSA
More informationThe Transition to BGP Security Is the Juice Worth the Squeeze?
The Transition to BGP Security Is the Juice Worth the Squeeze? RPKI Sharon Goldberg Boston University November 2013 Work with Kyle Brogle (Stanford), Danny Cooper (BU), Ethan Heilman (BU), Robert Lychev
More informationCOMS W4995 Introduction to Cryptography November 13, Lecture 21: Multiple Use Signature Schemes
COMS W4995 Introduction to Cryptography November 13, 2003 Lecture 21: Multiple Use Signature Schemes Lecturer: Tal Malkin Scribes: M. Niccolai, M. Raibert Summary In this lecture, we use the one time secure
More informationA Forward-Secure Signature with Backward-Secure Detection
A Forward-Secure Signature with Backward-Secure Detection Dai-Rui Lin and Chih-I Wang Department of Computer Science and Engineering National Sun Yat-sen University, Kaohsiung 804, Taiwan June 17, 2007
More informationSecure Multiparty Computation
CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationAggregated Path Authentication for Efficient BGP Security
Aggregated Path Authentication for Efficient BGP Security Meiyuan Zhao and Sean W. Smith Department of Computer Science Dartmouth College David M. Nicol Department of Electrical and Computer Engineering
More informationApplied Cryptography and Computer Security CSE 664 Spring 2018
Applied Cryptography and Computer Security Lecture 13: Public-Key Cryptography and RSA Department of Computer Science and Engineering University at Buffalo 1 Public-Key Cryptography What we already know
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.5 Public Key Algorithms CSC 474/574 Dr. Peng Ning 1 Public Key Algorithms Public key algorithms covered in this class RSA: encryption and digital signature
More informationCryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39
Cryptography 2017 Lecture 4 Attacks against Block Ciphers Introduction to Public Key Cryptography November 14, 2017 1 / 39 What have seen? What are we discussing today? What is coming later? Lecture 3
More informationForward-Secure Sequential Aggregate Authentication
Forward-Secure Sequential Aggregate Authentication Di Ma, Gene Tsudik University of California, Irvine {dma1,gts}@ics.uci.edu Abstract. Wireless sensors are employed in a wide range of applications. One
More informationReferences O. Goldreich. Foundations of Cryptography, vol. 2: Basic Applications. Cambridge University
References 1. M. Abdalla, J. H. An, M. Bellare, and C. Namprempre. From identification to signatures via the Fiat-Shamir transform: Necessary and sufficient conditions for security and forwardsecurity.
More informationA public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks
A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks Jan Camenisch 1, Nishanth Chandran 2, and Victor Shoup 3 1 IBM Research, work funded
More informationCS155. Cryptography Overview
CS155 Cryptography Overview Cryptography Is n n A tremendous tool The basis for many security mechanisms Is not n n n n The solution to all security problems Reliable unless implemented properly Reliable
More informationOptimistic Fair Exchange in a Multi-user Setting
Optimistic Fair Exchange in a Multi-user Setting Yevgeniy Dodis New York University dodis@cs.nyu.edu Pil Joong Lee POSTECH pjl@postech.ac.kr May 10, 2007 Dae Hyun Yum POSTECH dhyum@postech.ac.kr Abstract
More informationReplacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation
Replacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation Susan Hohenberger, Amit Sahai, and Brent Waters 1 Johns Hopkins University, susan@cs.jhu.edu 2 UCLA, sahai@cs.ucla.edu
More informationThe Application of Elliptic Curves Cryptography in Embedded Systems
The Application of Elliptic Curves Cryptography in Embedded Systems Wang Qingxian School of Computer Science and Engineering University of Electronic Science and Technology China Introduction to Cryptography
More informationDistributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015
Distributed Systems 26. Cryptographic Systems: An Introduction Paul Krzyzanowski Rutgers University Fall 2015 1 Cryptography Security Cryptography may be a component of a secure system Adding cryptography
More informationEncryption. INST 346, Section 0201 April 3, 2018
Encryption INST 346, Section 0201 April 3, 2018 Goals for Today Symmetric Key Encryption Public Key Encryption Certificate Authorities Secure Sockets Layer Simple encryption scheme substitution cipher:
More informationStand-Alone and Setup-Free Verifiably Committed Signatures
Stand-Alone and Setup-Free Verifiably Committed Signatures Huafei Zhu and Feng Bao Department of Information Security, I 2 R, A-Star, Singapore 119613 {huafei, baofeng}@i2r.a-star.edu.sg Abstract. In this
More informationBAF: An Efficient Publicly Verifiable Secure Audit Logging Scheme for Distributed Systems
BAF: An Efficient Publicly Verifiable Secure Audit Logging Scheme for Distributed Systems Attila A. Yavuz and Peng Ning Department of Computer Science North Carolina State University Raleigh, USA {aayavuz,
More informationStructure-Preserving Certificateless Encryption and Its Application
SESSION ID: CRYP-T06 Structure-Preserving Certificateless Encryption and Its Application Prof. Sherman S. M. Chow Department of Information Engineering Chinese University of Hong Kong, Hong Kong @ShermanChow
More informationHomomorphic Encryption
Homomorphic Encryption Travis Mayberry Cloud Computing Cloud Computing Cloud Computing Cloud Computing Cloud Computing Northeastern saves money on infrastructure and gets the benefit of redundancy and
More informationPublic Key Algorithms
Public Key Algorithms 1 Public Key Algorithms It is necessary to know some number theory to really understand how and why public key algorithms work Most of the public key algorithms are based on modular
More informationPart VI. Public-key cryptography
Part VI Public-key cryptography Drawbacks with symmetric-key cryptography Symmetric-key cryptography: Communicating parties a priori share some secret information. Secure Channel Alice Unsecured Channel
More informationCSE 127: Computer Security Cryptography. Kirill Levchenko
CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified
More informationKey Exchange. Secure Software Systems
1 Key Exchange 2 Challenge Exchanging Keys &!"#h%&'() & & 1 2 6(6 1) 2 15! $ The more parties in communication, the more keys that need to be securely exchanged " # Do we have to use out-of-band methods?
More informationREMOVE KEY ESCROW FROM THE IDENTITY-BASED ENCRYPTION SYSTEM
REMOVE KEY ESCROW FROM THE IDENTITY-BASED ENCRYPTION SYSTEM Zhaohui Cheng, Richard Comley Luminita Vasiu School of Computing Science, Middlesex University White Hart Lane, London N17 8HR, United Kingdom
More informationDigital Signatures. Sven Laur University of Tartu
Digital Signatures Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic identity,
More informationIntroduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell
Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering
More informationLeakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter
Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter Baodong Qin and Shengli Liu Shanghai Jiao Tong University ASIACRYPT 2013 Dec 5, Bangalore,
More informationAmbiguous Optimistic Fair Exchange
Ambiguous Optimistic Fair Exchange Qiong Huang 1, Guomin Yang 1, Duncan S. Wong 1, and Willy Susilo 2 1 City University of Hong Kong, Hong Kong, China {csqhuang@student., csyanggm@cs., duncan@}cityu.edu.hk
More informationIntroduction to Cryptography Lecture 10
Introduction to Cryptography Lecture 10 Digital signatures, Public Key Infrastructure (PKI) Benny Pinkas January 1, 2012 page 1 Non Repudiation Prevent signer from denying that it signed the message I.e.,
More informationALIKE: Authenticated Lightweight Key Exchange. Sandrine Agagliate, GEMALTO Security Labs
ALIKE: Authenticated Lightweight Key Exchange Sandrine Agagliate, GEMALTO Security Labs Outline: Context Description of ALIKE Generic description Full specification Security properties Chip Unforgeability
More informationCS155. Cryptography Overview
CS155 Cryptography Overview Cryptography! Is n A tremendous tool n The basis for many security mechanisms! Is not n The solution to all security problems n Reliable unless implemented properly n Reliable
More informationASYMMETRIC CRYPTOGRAPHY
ASYMMETRIC CRYPTOGRAPHY CONTENT: 1. Number Theory 2. One Way Function 3. Hash Function 4. Digital Signature 5. RSA (Rivest-Shamir Adleman) References: 1. Applied Cryptography, Bruce Schneier 2. Cryptography
More informationLecture 18 - Chosen Ciphertext Security
Lecture 18 - Chosen Ciphertext Security Boaz Barak November 21, 2005 Public key encryption We now go back to public key encryption. As we saw in the case of private key encryption, CPA security is not
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationAppend-Only Signatures
Append-Only Signatures Eike Kiltz Anton Mityagin Saurabh Panjwani Barath Raghavan April 29, 2005 Abstract We present a new primitive Append-only Signatures (AOS) with the property that any party given
More informationCS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong
CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationPart II Bellare-Rogaway Model (Active Adversaries)
Part II Bellare-Rogaway Model (Active Adversaries) 8th BIU Winter School on Key Exchange, 2018 Marc Fischlin 13. Oktober 2010 Dr.Marc Fischlin Kryptosicherheit 1 Active Attacks Adversary may tamper, drop,
More informationPractical Byzantine Fault Tolerance. Castro and Liskov SOSP 99
Practical Byzantine Fault Tolerance Castro and Liskov SOSP 99 Why this paper? Kind of incredible that it s even possible Let alone a practical NFS implementation with it So far we ve only considered fail-stop
More informationCryptography and Network Security. Sixth Edition by William Stallings
Cryptography and Network Security Sixth Edition by William Stallings Chapter 13 Digital Signatures To guard against the baneful influence exerted by strangers is therefore an elementary dictate of savage
More informationGrenzen der Kryptographie
Microsoft Research Grenzen der Kryptographie Dieter Gollmann Microsoft Research 1 Summary Crypto does not solve security problems Crypto transforms security problems Typically, the new problems relate
More informationDigital Signatures. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 54
Digital Signatures Ali El Kaafarani Mathematical Institute Oxford University 1 of 54 Outline 1 Definitions 2 Factoring Based Signatures 3 Dlog Based Signatures 4 Hash-Based Signatures 5 Certificates 6
More informationCryptography. Lecture 12. Arpita Patra
Cryptography Lecture 12 Arpita Patra Digital Signatures q In PK setting, privacy is provided by PKE q Integrity/authenticity is provided by digital signatures (counterpart of MACs in PK world) q Definition:
More informationCompact and Anonymous Role-Based Authorization Chain
Compact and Anonymous Role-Based Authorization Chain DANFENG YAO Computer Science Department Brown University Providence, RI 02912 dyao@cs.brown.edu and ROBERTO TAMASSIA Computer Science Department Brown
More informationAn Exploration of Group and Ring Signatures
An Exploration of Group and Ring Signatures Sarah Meiklejohn February 4, 2011 Abstract Group signatures are a modern cryptographic primitive that allow a member of a specific group (e.g., the White House
More information(Extended Abstract) , USA.
Security of Blind Digital Signatures (Extended Abstract) Ari Juels 1? Michael Luby 2 Rafail Ostrovsky 3 1 RSA Laboratories. Email: ari@rsa.com. 2 Digital Equipment Corporation, 130 Lytton Avenue, Palo
More informationRSA. Public Key CryptoSystem
RSA Public Key CryptoSystem DIFFIE AND HELLMAN (76) NEW DIRECTIONS IN CRYPTOGRAPHY Split the Bob s secret key K to two parts: K E, to be used for encrypting messages to Bob. K D, to be used for decrypting
More informationMessage-Aware Cryptographic Primitives
Message-Aware Cryptographic Primitives Philippe Golle, Stanford University, USA Stanislaw Jarecki, Intertrust, USA Ilya Mironov, Stanford University, USA Abstract. We introduce a new type of cryptographic
More informationFoundations of Cryptography CS Shweta Agrawal
Foundations of Cryptography CS 6111 Shweta Agrawal Course Information 4-5 homeworks (20% total) A midsem (25%) A major (35%) A project (20%) Attendance required as per institute policy Challenge questions
More informationOn the security of a certificateless signature scheme in the standard model
On the security of a certificateless signature scheme in the standard model Lin Cheng, Qiaoyan Wen, Zhengping Jin, Hua Zhang State Key Laboratory of Networking and Switch Technology, Beijing University
More informationCertificateless Public Key Cryptography
Certificateless Public Key Cryptography Mohsen Toorani Department of Informatics University of Bergen Norsk Kryptoseminar November 9, 2011 1 Public Key Cryptography (PKC) Also known as asymmetric cryptography.
More informationUNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX
UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 10 Digital Signatures Israel Koren ECE597/697 Koren Part.10.1 Content of this part
More informationLecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005
Lecture 30 Security April 11, 2005 Cryptography K A ciphertext Figure 7.3 goes here K B symmetric-key crypto: sender, receiver keys identical public-key crypto: encrypt key public, decrypt key secret Symmetric
More informationCryptographic Primitives and Protocols for MANETs. Jonathan Katz University of Maryland
Cryptographic Primitives and Protocols for MANETs Jonathan Katz University of Maryland Fundamental problem(s) How to achieve secure message authentication / transmission in MANETs, when: Severe resource
More informationThreshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme
Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme Alexandra Boldyreva Dept. of Computer Science & Engineering, University of California at
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationLecture 20 Public key Crypto. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Bailey s ECE 422
Lecture 20 Public key Crypto Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Bailey s ECE 422 Review: Integrity Problem: Sending a message over an untrusted
More informationSecuring Distributed Computation via Trusted Quorums. Yan Michalevsky, Valeria Nikolaenko, Dan Boneh
Securing Distributed Computation via Trusted Quorums Yan Michalevsky, Valeria Nikolaenko, Dan Boneh Setting Distributed computation over data contributed by users Communication through a central party
More information1. Digital Signatures 2. ElGamal Digital Signature Scheme 3. Schnorr Digital Signature Scheme 4. Digital Signature Standard (DSS)
Digital Signature Overview Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: 13-1 1. Digital Signatures 2.
More informationA Survey of ESIGN: State of the Art and Proof of Security
Richard A. Kramer Oregon State University kramerri@onid.oregonstate.edu UPDATED: WINTER TERM 2017 Abstract RSA [1] generates digital signatures and cipher text, S, by performing exponentiation on a message,
More informationCONIKS BRINGING KEY TRANSPARENCY TO END USERS. Marcela Melara. Aaron Blankstein, Joseph Bonneau*, Edward W. Felten, Michael J.
CONIKS BRINGING KEY TRANSPARENCY TO END USERS Marcela Melara Aaron Blankstein, Joseph Bonneau*, Edward W. Felten, Michael J. Freedman Princeton University, *Stanford University/EFF E2E Encrypted Communication
More informationCS 494/594 Computer and Network Security
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Real-Time Communication Security Network layers
More informationAnonymous Credentials: How to show credentials without compromising privacy. Melissa Chase Microsoft Research
Anonymous Credentials: How to show credentials without compromising privacy Melissa Chase Microsoft Research Credentials: Motivation ID cards Sometimes used for other uses E.g. prove you re over 21, or
More informationNotes for Lecture 21. From One-Time Signatures to Fully Secure Signatures
U.C. Berkeley CS276: Cryptography Handout N21 Luca Trevisan April 7, 2009 Notes for Lecture 21 Scribed by Anand Bhaskar, posted May 1, 2009 Summary Today we show how to construct an inefficient (but efficiently
More informationShort Schnorr signatures require a hash function with more than just random-prefix resistance
Short Schnorr signatures require a hash function with more than just random-prefix resistance Daniel R. L. Brown February 27, 2015 Abstract Neven, Smart and Warinschi (NSW) proved, in the generic group
More informationPaper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage
1 Announcements Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage 2 Recap and Overview Previous lecture: Symmetric key
More informationKey Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings
Key Exchange References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings Outlines Primitives Root Discrete Logarithm Diffie-Hellman ElGamal Shamir s Three Pass
More informationCascaded Authorization with Anonymous-Signer Aggregate Signatures
Proceedings of the 2006 IEEE Workshop on Information Assurance United States Military Academy, West Point, NY, 21-23 June 2006 Cascaded Authorization with Anonymous-Signer Aggregate Signatures Danfeng
More informationHash Functions, Public-Key Encryption CMSC 23200/33250, Autumn 2018, Lecture 6
Hash Functions, Public-Key Encryption CMSC 23200/33250, Autumn 2018, Lecture 6 David Cash University of Chicago Plan 1. A few points about hash functions 2. Introducing Public-Key Encryption 3. Math for
More informationGreat Theoretical Ideas in Computer Science. Lecture 27: Cryptography
15-251 Great Theoretical Ideas in Computer Science Lecture 27: Cryptography What is cryptography about? Adversary Eavesdropper I will cut his throat I will cut his throat What is cryptography about? loru23n8uladjkfb!#@
More information