SECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY
Edoardo Persichetti
University of Warsaw
06 June 2013

Part I: PRELIMINARIES

ERROR-CORRECTING CODES

[n, k] LINEAR CODE OVER $\mathbb{F}_q$
A subspace of dimension k of $\mathbb{F}_q^n$.
w-error correcting: there exists a decoding algorithm that corrects up to w errors occurring in a codeword.

HAMMING WEIGHT
Number of non-zero entries: $\mathrm{wt}(x) = |\{i : x_i \neq 0,\ 1 \le i \le n\}|$.

PARITY-CHECK MATRIX
$H \in \mathbb{F}_q^{(n-k) \times n}$ defines the code as follows: $x \in C \iff Hx^T = 0$.
Systematic form: $(M \mid I_{n-k})$.

CODE-BASED PUBLIC-KEY ENCRYPTION SCHEMES

McEliece: first cryptosystem using error-correcting codes (1978).
Based on the hardness of decoding random linear codes.
Dual version proposed by Niederreiter (1985).

PROBLEM (COMPUTATIONAL SYNDROME DECODING)
Given: $H \in \mathbb{F}_q^{(n-k) \times n}$, $y \in \mathbb{F}_q^{(n-k)}$ and $w \in \mathbb{N}$.
Goal: find a word $e \in \mathbb{F}_q^n$ with $\mathrm{wt}(e) \le w$ such that $He^T = y$.

Unique solution and hardness only if w is below a certain threshold (GV bound).
If H defines an error-correcting code, we have a trapdoor: special description allows decoding algorithm to correct errors.

NIEDERREITER, REVISITED

KEY GENERATION
Choose w-error correcting code C.
SK: code description for C.
PK: parity-check matrix H in systematic form for C.

ENCRYPTION
Message is a word $e \in \mathbb{F}_2^n$ of weight w.
$c = He^T$.

DECRYPTION
Set $e = \mathrm{Decode}(c)$ and return e.
Return $\perp$ if decoding fails.

Part II: HYBRID ENCRYPTION

MOTIVATION

Purpose of public-key encryption: encrypt key for symmetric scheme.
Niederreiter cryptosystem requires use of constant-weight encoding functions to transform symmetric key into fixed-weight string e.
Can do this in a more efficient way: build a KEM based on Niederreiter's assumptions.

THE KEM-DEM FRAMEWORK

Introduced by Cramer and Shoup (2001), combines the actions of two independent mechanisms.

KEY ENCAPSULATION MECHANISM (KEM)
Keygen: generates private key SK and public key PK.
$\mathrm{Enc}_{\mathrm{KEM}}(PK)$: produces a symmetric key K and a ciphertext $c_0$.
$\mathrm{Dec}_{\mathrm{KEM}}(SK, c_0)$: returns the symmetric key K (or $\perp$).

DATA ENCAPSULATION MECHANISM (DEM)
$\mathrm{Enc}_{\mathrm{DEM}}(K, m)$: produces the ciphertext $c_1$.
$\mathrm{Dec}_{\mathrm{DEM}}(K, c_1)$: returns the plaintext m (or $\perp$).

HYBRID ENCRYPTION

HYBRID ENCRYPTION SCHEME
Keygen: generates private key SK and public key PK.
$\mathrm{Enc}_{\mathrm{HY}}(PK, m)$:
  Run $\mathrm{Enc}_{\mathrm{KEM}}(PK)$ and get $(K, c_0)$.
  Run $\mathrm{Enc}_{\mathrm{DEM}}(K, m)$ and get $c_1$.
  Final ciphertext $c = (c_0, c_1)$.
$\mathrm{Dec}_{\mathrm{HY}}(SK, c)$:
  Run $\mathrm{Dec}_{\mathrm{KEM}}(SK, c_0)$ and get K.
  Run $\mathrm{Dec}_{\mathrm{DEM}}(K, c_1)$ and recover m.

SECURITY

Independent components with separate security definitions, however
IND-CCA secure KEM + IND-CCA secure DEM = IND-CCA secure hybrid scheme!
DEM: usual symmetric encryption IND-CCA requirement. Can use any symmetric scheme (e.g. one-time pad) + MAC.

IND-CCA SECURITY FOR KEM
Get public key PK.
Perform decryption queries.
Challenge ciphertext: $(K^*, c^*)$ either honestly obtained (b = 1) by $\mathrm{Enc}_{\mathrm{KEM}}(PK)$ or by choosing $K^*$ as a random string (b = 0).
Perform decryption queries ($\neq c^*$).
Return $b^*$.
$\mathrm{Adv}_{\mathrm{KEM}}(\mathcal{A}, \lambda) = |\Pr[b^* = b] - 1/2|$

NIEDERREITER KEM

Secure in Random Oracle model, makes use of Key Derivation Function (KDF), e.g. SHA-3.

KEY GENERATION
Choose w-error correcting code C.
SK: code description for C.
PK: parity-check matrix H in systematic form for C.

ENCRYPTION
Choose a random word $e \in \mathbb{F}_2^n$ of weight w.
$K = \mathrm{KDF}(e)$, $c_0 = He^T$.

DECRYPTION
Set $e = \mathrm{Decode}(c_0)$ and return $K = \mathrm{KDF}(e)$.
Return $\mathrm{KDF}(c_0)$ if decoding fails.

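The Niederreiter KEM above, plugged into the Enc_HY / Dec_HY flow of the HYBRID ENCRYPTION slide, as an added Python example that is not code from the talk. The tiny [8, 4] parity-check matrix, the lookup table standing in for the secret code description, SHAKE-256 as the KDF and HMAC-SHA-256 as the MAC are all assumptions chosen to keep it runnable; a code this small has no cryptographic strength.

```python
import hashlib
import hmac
import secrets

# Toy public key (constructed): H = (M | I_4) over F_2, columns stored as
# 4-bit integers, for an [8, 4] code that corrects w = 1 error.
# A code this small gives no security; it only makes the data flow runnable.
N, W = 8, 1
H_COLS = [0b0011, 0b0101, 0b0110, 0b0111,   # M
          0b1000, 0b0100, 0b0010, 0b0001]   # I_4

# Stand-in for the secret "code description": syndrome -> error position.
SK_DECODER = {col: pos for pos, col in enumerate(H_COLS)}


def syndrome(e):
    """c0 = H e^T over F_2, i.e. the XOR of the columns of H selected by e."""
    s = 0
    for bit, col in zip(e, H_COLS):
        if bit:
            s ^= col
    return s


def kdf(data, length=32):
    """KDF instantiated with SHAKE-256 from the SHA-3 family (assumption)."""
    return hashlib.shake_256(data).digest(length)


def kem_encaps():
    """Enc_KEM(PK): random e of weight w, output (K, c0) = (KDF(e), H e^T)."""
    e = [0] * N
    for pos in secrets.SystemRandom().sample(range(N), W):
        e[pos] = 1
    return kdf(bytes(e)), syndrome(e)


def kem_decaps(c0):
    """Dec_KEM(SK, c0): KDF(e) if c0 decodes, KDF(c0) otherwise (never fails)."""
    pos = SK_DECODER.get(c0)
    if pos is None:
        return kdf(bytes([c0]))          # decoding failed: return KDF(c0)
    e = [0] * N
    e[pos] = 1
    return kdf(bytes(e))


def dem_enc(key, m):
    """Enc_DEM(K, m): one-time pad + MAC, both keys derived from K."""
    pad = kdf(b"pad" + key, len(m))
    body = bytes(a ^ b for a, b in zip(m, pad))
    tag = hmac.new(kdf(b"mac" + key), body, hashlib.sha256).digest()
    return body + tag


def dem_dec(key, c1):
    """Dec_DEM(K, c1): plaintext, or None (the failure symbol) on a bad tag."""
    if len(c1) < 32:
        return None
    body, tag = c1[:-32], c1[-32:]
    expected = hmac.new(kdf(b"mac" + key), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pad = kdf(b"pad" + key, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def hybrid_enc(m):
    """Enc_HY(PK, m): c = (c0, c1)."""
    key, c0 = kem_encaps()
    return c0, dem_enc(key, m)


def hybrid_dec(c):
    """Dec_HY(SK, c): decapsulate c0, then open c1 with the resulting key."""
    c0, c1 = c
    return dem_dec(kem_decaps(c0), c1)


if __name__ == "__main__":
    c0, c1 = hybrid_enc(b"session data")
    print(hybrid_dec((c0, c1)))        # original message
    print(hybrid_dec((0b1111, c1)))    # undecodable c0: key differs, MAC rejects
```

Because decapsulation returns KDF(c_0) instead of a failure symbol, a malformed c_0 is only rejected at the DEM's MAC check; the KEM itself answers every query with a key-shaped string.
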
PROOF OF SECURITY (SKETCH)

THEOREM
Let $\mathcal{A}$ be an adversary for KEM and $N = |\mathcal{W}_{n,q,w}|$. There exists an adversary $\mathcal{A}'$ for SDP such that
$\mathrm{Adv}_{\mathrm{KEM}}(\mathcal{A}, \lambda) \le \mathrm{Adv}_{\mathrm{SDP}}(\mathcal{A}', \lambda) + n_{\mathrm{DEC}}/N$.

Model KDF as a random oracle $\mathcal{H}$.
Game 0: the KEM security game.
Game 1: halt if challenge ciphertext $c_0 = He^T$ had been previously queried.
Game 2: generate $c_0$ at beginning and halt if $\mathcal{H}$ queried at e.
Use adversary $\mathcal{A}'$ as a simulator.
Simulation possible thanks to modification in the decryption algorithm.

THE SIMULATOR

$\mathcal{A}'$ has to solve an instance (H, y, w) of SDP. Interaction with $\mathcal{A}$:

KEY GENERATION
Set PK = H and give PK to $\mathcal{A}$.

CHALLENGE QUERIES
Set $c^* = y$ and $K^*$ random string and give $(K^*, c^*)$ to $\mathcal{A}$.

RANDOM ORACLE QUERIES
Receive query e and compute $s = He^T$. If s = y then win the game and halt. Otherwise, generate K at random.

DECRYPTION QUERIES
Receive query $c_0$ and reply with a random string K.

Use of tables to guarantee integrity.

Part III: ANONYMITY

INTRODUCTION

Increasingly important notion in the community.
Key Privacy vs Data Privacy

IK-CCA SECURITY FOR PKE
Get two public keys $PK_0$ and $PK_1$.
Perform decryption queries (for either).
Choose message m.
Challenge ciphertext: $c^* = \mathrm{Enc}(PK_b, m)$ for $b \in \{0, 1\}$.
Perform decryption queries ($\neq c^*$).
Return $b^*$.

ANONYMITY FOR CODE-BASED SCHEMES

Plain Niederreiter (or McEliece) scheme: not secure.
IND-CPA randomized variant by Nojima et al.: IK-CPA secure (Yamakawa et al., 2007).
What about hybrid encryption?
Unfortunately (Mohassel, 2010)
IK-CCA secure KEM + IK-CCA secure DEM $\neq$ IK-CCA secure hybrid scheme
We prove IK-CCA security for our scheme directly.

PROOF OF SECURITY (SKETCH)

ALTERNATIVE DEFINITION OF ADV
$\mathrm{Adv}_{\text{IND-CCA}}(\mathcal{A}, \lambda) = |\Pr[b^* = 1 \mid b = 1] - \Pr[b^* = 1 \mid b = 0]|$.
Equivalent, since the advantage under this definition is 2 times the advantage under the original definition.

THEOREM
Let $\mathcal{A}$ be an adversary for KEM and $N = |\mathcal{W}_{n,q,w}|$. There exists an adversary $\mathcal{A}'$ for IND-CCA such that
$\mathrm{Adv}_{\text{IK-CCA}}(\mathcal{A}, \lambda) \le \mathrm{Adv}_{\text{IND-CCA}}(\mathcal{A}', \lambda) + n_{\mathrm{DEC}}/2N$.

Model KDF as a random oracle $\mathcal{H}$.
Game 0: the KEM security game.
Game 1: halt if challenge ciphertext $c^* = \mathrm{Enc}(PK_b, m)$ had been previously queried.
Game 2: return additional random string $m^*$ together with $c^*$.
Game 3: set challenge ciphertext $c^* = \mathrm{Enc}(PK_b, m^*)$.
Use adversary $\mathcal{A}'$ as a simulator.

Part IV: CONCLUSIONS

CONCLUSIONS

First KEM based directly on coding theory problem.
Simple construction and tight security proof.
Extending (Yamakawa et al., 2007), obtains IK-CCA security.
Implementation?

Thank you.
More informationOn the Security of a Certificateless Public-Key Encryption
On the Security of a Certificateless Public-Key Encryption Zhenfeng Zhang, Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100080,
More informationLecture 07: Private-key Encryption. Private-key Encryption
Lecture 07: Three algorithms Key Generation: Generate the secret key sk Encryption: Given the secret key sk and a message m, it outputs the cipher-text c (Note that the encryption algorithm can be a randomized
More informationRelations between robustness and RKA security under public-key encryption
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2016 Relations between robustness and RKA security
More informationChosen-Ciphertext Security (II)
Chosen-Ciphertext Security (II) CS 601.442/642 Modern Cryptography Fall 2018 S 601.442/642 Modern Cryptography Chosen-Ciphertext Security (II) Fall 2018 1 / 13 Recall: Chosen-Ciphertext Attacks (CCA) Adversary
More informationDefinitions and Notations
Chapter 2 Definitions and Notations In this chapter, we present definitions and notation. We start with the definition of public key encryption schemes and their security models. This forms the basis of
More informationIntroduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information
1 Introduction Cryptography is an interdisciplinary field of great practical importance. The subfield of public key cryptography has notable applications, such as digital signatures. The security of a
More informationCryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44
Cryptography Today Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 About the Course Regular classes with worksheets so you can work with some concrete examples (every Friday at 1pm).
More informationHomework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.
Homework 2: Symmetric Crypto February 17, 2015 Submission policy. information: This assignment MUST be submitted as a PDF via websubmit and MUST include the following 1. List of collaborators 2. List of
More informationIntroduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell
Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering
More informationSecure Cryptographic Workflow in the Standard Model
Secure Cryptographic Workflow in the Standard Model M. Barbosa 1 and P. Farshim 2 1 Departamento de Informática, Universidade do Minho, Campus de Gualtar, 4710-057 Braga, Portugal. mbb@di.uminho.pt 2 Department
More information2 Secure Communication in Private Key Setting
CSA E0 235: Cryptography January 11, 2016 Instructor: Arpita Patra Scribe for Lecture 2 Submitted by: Jayam Modi 1 Discrete Probability Background Probability Distribution -A probability distribution over
More informationBlock ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016
Block ciphers CS 161: Computer Security Prof. Raluca Ada Popa February 26, 2016 Announcements Last time Syntax of encryption: Keygen, Enc, Dec Security definition for known plaintext attack: attacker provides
More informationDirect Chosen Ciphertext Security from Identity-Based Techniques
Updated version of a paper published in the proceedings of the 12th ACM Conference on Computer and Communications Security CCS 2005, Alexandria, VA, November 2005. Current version available from the IACR
More informationAttribute-Based Authenticated Key Exchange
1 / 22 Attribute-Based Authenticated Key Exchange Choudary Gorantla, Colin Boyd and Juan González Nieto ACISP 2010 2 / 22 Outline Introduction 1 Introduction 2 3 4 3 / 22 Outline Introduction 1 Introduction
More informationRSA. Public Key CryptoSystem
RSA Public Key CryptoSystem DIFFIE AND HELLMAN (76) NEW DIRECTIONS IN CRYPTOGRAPHY Split the Bob s secret key K to two parts: K E, to be used for encrypting messages to Bob. K D, to be used for decrypting
More informationProvably Secure Public-Key Encryption for Length-Preserving Chaumian Mixes
Appears in M. Joye (Ed.): Topics in Cryptology CT-RSA 2003, Springer-Verlag LNCS 2612, pp. 244 262, ISBN 3-540-00847-0. Provably Secure Public-Key Encryption for Length-Preserving Chaumian Mixes Bodo Möller
More informationPublic key encryption: definitions and security
Online Cryptography Course Public Key Encryption from trapdoor permutations Public key encryption: definitions and security Public key encryption Bob: generates (PK, SK) and gives PK to Alice Alice Bob
More informationA New Hierarchical ID-Based Cryptosystem and CCA-Secure PKE
A New Hierarchical ID-Based Cryptosystem and CCA-Secure PKE Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275,
More informationInformation Security
SE 4472b Information Security Week 2-2 Some Formal Security Notions Aleksander Essex Fall 2015 Formalizing Security As we saw, classical ciphers leak information: Caeser/Vigenere leaks letter frequency
More informationStateful Public-Key Cryptosystems: How to Encrypt with One 160-bit Exponentiation
A preliminary version of this paper appears in Proceedings of the 13th Annual Conference on Computer and Communications Security, ACM, 2006. This is the full version. Stateful Public-Key Cryptosystems:
More informationOn the Joint Security of Encryption and Signature, Revisited
On the Joint Security of Encryption and Signature, Revisited Kenneth G. Paterson 1, Jacob C.N. Schuldt 2, Martijn Stam 3, and Susan Thomson 1 1 Royal Holloway, University of London 2 Research Center for
More informationThe ElGamal Public- key System
Online Cryptography Course Dan Boneh Public key encryp3on from Diffie- Hellman The ElGamal Public- key System Recap: public key encryp3on: (Gen, E, D) Gen pk sk m c c m E D Recap: public- key encryp3on
More informationOAEP 3-Round A Generic and Secure Asymmetric Encryption Padding. Asiacrypt '04 Jeju Island - Korea
OAEP 3-Round A Generic and Secure Asymmetric Encryption Padding Duong Hieu Phan ENS France David Pointcheval CNRS-ENS France Asiacrypt '04 Jeju Island - Korea December 6 th 2004 Summary Asymmetric Encryption
More informationLecture 8 - Message Authentication Codes
Lecture 8 - Message Authentication Codes Benny Applebaum, Boaz Barak October 12, 2007 Data integrity Until now we ve only been interested in protecting secrecy of data. However, in many cases what we care
More informationCryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39
Cryptography 2017 Lecture 4 Attacks against Block Ciphers Introduction to Public Key Cryptography November 14, 2017 1 / 39 What have seen? What are we discussing today? What is coming later? Lecture 3
More informationImproved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption
Improved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption Dan Boneh 1 and Jonathan Katz 2 1 Computer Science Department, Stanford University, Stanford CA 94305 dabo@cs.stanford.edu
More informationHomomorphic Encryption
Homomorphic Encryption Travis Mayberry Cloud Computing Cloud Computing Cloud Computing Cloud Computing Cloud Computing Northeastern saves money on infrastructure and gets the benefit of redundancy and
More informationReturn Code Schemes for Electronic Voting Systems
Return Code Schemes for Electronic Voting Systems Shahram Khazaei Douglas Wikström Sharif University of Technology, Iran KTH Royal Institute of Technology, Sweden E-Vote-ID 2017 Presented by: Johannes
More informationDefining Encryption. Lecture 2. Simulation & Indistinguishability
Defining Encryption Lecture 2 Simulation & Indistinguishability Roadmap First, Symmetric Key Encryption Defining the problem We ll do it elaborately, so that it will be easy to see different levels of
More informationLecture 3.4: Public Key Cryptography IV
Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2012 Nitesh Saxena Course Administration HW1 submitted Trouble with BB Trying to check with BB support HW1 solution will be posted very soon
More informationRandom Oracle Instantiation in Distributed Protocols Using Trusted Platform Modules
Appeared in the 3rd IEEE Symposium on Security in Networks and Distributed Systems, 2007, pp. 463 469. Random Oracle Instantiation in Distributed Protocols Using Trusted Platform Modules Vandana Gunupudi
More informationRandom Oracles - OAEP
Random Oracles - OAEP Anatoliy Gliberman, Dmitry Zontov, Patrick Nordahl September 23, 2004 Reading Overview There are two papers presented this week. The first paper, Random Oracles are Practical: A Paradigm
More informationLecture 8: Cryptography in the presence of local/public randomness
Randomness in Cryptography Febuary 25, 2013 Lecture 8: Cryptography in the presence of local/public randomness Lecturer: Yevgeniy Dodis Scribe: Hamidreza Jahanjou So far we have only considered weak randomness
More informationNetwork Security Technology Project
Network Security Technology Project Shanghai Jiao Tong University Presented by Wei Zhang zhang-wei@sjtu.edu.cn!1 Part I Implement the textbook RSA algorithm. The textbook RSA is essentially RSA without
More informationIdentity-Based Encryption Secure Against Selective Opening Chosen-Ciphertext Attack
Identity-Based Encryption Secure Against Selective Opening Chosen-Ciphertext Attack Junzuo Lai 1, Robert H. Deng 2, Shengli Liu 3, Jian Weng 1, and Yunlei Zhao 4 1 Department of Computer Science, Jinan
More informationComputer Security CS 526
Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability
More informationCoding-theoretic problems in public key cryptography
Coding-theoretic problems in public key cryptography Carl Löndahl Department of Electrical and Information Technology Lund University, Sweden SWITS 12 June 3rd, 2012 Outline 1 Error correcting codes 2
More informationINDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( Mid Semester ) SEMESTER ( Spring ) Roll Number Section Name Subject Number C S 6 0 0 8 8 Subject Name Foundations
More informationProofs for Key Establishment Protocols
Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish
More informationA Parametric Family of Attack Models for Proxy Re-Encryption
2015 IEEE 28th Computer Security Foundations Symposium A Parametric Family of Attack Models for Proxy Re-Encryption David Nuñez, Isaac Agudo, Javier Lopez Network, Information and Computer Security Laboratory
More informationSecurity & Indistinguishability in the Presence of Traffic Analysis
Security & Indistinguishability in the Presence of Traffic Analysis Cristina Onete 1 Daniele Venturi 2 1 Darmstadt University of Technology & CASED, Germany www.minicrypt.de 2 SAPIENZA University of Rome,
More informationBlock ciphers, stream ciphers
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Jan 31, 2018 Announcements Project 1 is out, due Feb 14 midnight Recall: Block cipher A
More informationIf DDH is secure then ElGamal is also secure w.r.t IND-CPA
CS 6903 Modern Cryptography May 5th, 2011 Lecture 12 Instructor:Nitesh Saxena Recap of the previous lecture Scribe:Orcun Berkem, Turki Turki, Preetham Deshikachar Shrinivas The ElGamal encryption scheme
More informationSecurity Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017
Security Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017 Hyung Tae Lee 1, Huaxiong Wang 2, Kai Zhang 3, 4 1 Chonbuk National University, Republic of Korea 2 Nanyang
More informationIntroduction to Security Reduction
springer.com Computer Science : Data Structures, Cryptology and Information Theory Springer 1st edition Printed book Hardcover Printed book Hardcover ISBN 978-3-319-93048-0 Ca. $ 109,00 Planned Discount
More informationISA 562: Information Security, Theory and Practice. Lecture 1
ISA 562: Information Security, Theory and Practice Lecture 1 1 Encryption schemes 1.1 The semantics of an encryption scheme. A symmetric key encryption scheme allows two parties that share a secret key
More informationA Proposal for an ISO Standard for Public Key Encryption
A Proposal for an ISO Standard for Public Key Encryption Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com February 13, 2001 Abstract This document should
More informationContinuous After-the-fact Leakage-Resilient Key Exchange (full version)
Continuous After-the-fact Leakage-Resilient Key Exchange (full version) Janaka Alawatugoda 1 Colin Boyd 3 Douglas Stebila 1,2 1 School of Electrical Engineering and Computer Science, Queensland University
More information