Short Paper On the Generic Hardness of DDH-II
Ivan Damgård, Carmit Hazay, Angela Zottarel

Abstract. The well known Decisional Diffie-Hellman assumption states that given $g$, $g^a$ and $g^b$, for random $a, b$, the element $g^{ab}$ is pseudo-random. Canetti in [Can97] introduced a variant of this assumption in which $b$ is still random but $a$ is drawn according to some well-spread distribution. In this paper we prove that his assumption holds in the generic group model and demonstrate its broad applicability in the context of leakage resilient cryptography.

1 Introduction

The well known Decisional Diffie-Hellman (DDH) hardness assumption states that given two random group elements $g^a, g^b$ from a prime order group $G$, such that $g$ is a generator, it is hard to distinguish $g^{ab}$ from a uniform element in $G$. This assumption lies at the heart of the security proofs of many cryptographic primitives, most notably the Diffie-Hellman key exchange [DH76], the ElGamal public-key encryption scheme [Gam85] and the Cramer-Shoup cryptosystem [CS98]. It further has many flavors, such as the bilinear [BF01], the linear [BBS04] and the n-linear variants [Sha07,HK07].

In this paper we study the DDH-II assumption, which was introduced by Canetti [Can97] for the purpose of obfuscation. The DDH-II assumption states that given a prime order group $G$ and $g, g^a, g^b$, where $a$ is drawn from a certain (not necessarily uniform) distribution with sufficient min-entropy, whereas $b$ is picked uniformly at random, $g^{ab}$ is indistinguishable from a uniform element in $G$. Our contribution is twofold: (1) we first present a proof of hardness for DDH-II in the generic group model; (2) we discuss new applications in the area of leakage resilient cryptography for which DDH-II is useful. We believe that studying this assumption will make it possible to explore and simplify the proofs of many cryptographic constructions.

Security in the Generic Group Model.
Whenever a new assumption is introduced, the first question that naturally arises is whether this assumption is meaningful or not. Put differently, can we really be sure that the underlying problem is hard to solve? Clearly, a positive answer would imply a solution to the famous P = NP problem. The generic group model [Sho97] makes it possible to avoid precisely this catch. In this model, the adversary is restricted to performing only some basic operations (e.g., multiplications and inversions) on the given group elements, without exploiting any a priori information about the internal structure of the group. A proof of hardness in the generic group model does not mean that a problem is hard in the real world, precisely because there is no way to stop the adversary from using its knowledge about possible properties of the group. Nevertheless, such a proof can give some evidence regarding the real hardness of an assumption, since the only way left to break the assumption is to exploit the special properties and design of a specific group. In general, the generic group model has proven to be a precious tool for investigating new assumptions, and has been used in many different scenarios to establish their meaningfulness; see [Sho97,MW98,Sma01,Den06,Che06,BW07,Wat12] for just a few examples.

Leakage Resilient Cryptography. Until very recently most security proofs were carried out in the so called black-box model [SV98]. In this model, the adversary is only allowed to observe the input/output behavior of the underlying primitive, without having access to the secret state of the system. Unfortunately, physical implementations turned out to be non black-box, and various side-channel attacks were shown to severely compromise the integrity of the secret key, rendering the security of the system void. See [Koc96,BDL97,BS97,KJJ99,QS01] for some examples. Therefore, in recent years a significant body of research has been dedicated to new models, more adequate for real world attacks, and the field called leakage resilient cryptography has been initiated. Typically, the leakage obtained by the attacker is formalized by a function $h$ applied to the secret key $sk$. It is inevitable to restrict the leakage function in some way and, to this end, several different security models have been proposed [CLW06,MR04,AGV09,NS09,DGK+10]. Amongst these there is a model that restricts the output length of the leakage function (bounded leakage), a model that assumes some residual high min-entropy of the secret key conditioned on the leakage (entropy-bounded leakage), and a model that assumes that the secret state leaks only during the actual computations (only computation leaks). Known solutions against side-channel attacks range from basic secret- and public-key primitives such as encryption and digital signatures to a wide range of multiparty functionalities (see [MR04,DP08,AGV09,ADW09,DKL09,NS09,FKPR10,DHLAW10,LRW11] and the references therein). All these theoretic solutions try to cope with the physical problems arising from weak implementations of cryptographic schemes proven secure in an ideal model.
Although leakage resilient cryptography makes substantial use of theoretic tools, we must keep in mind that the main goal of this recent field is enabling security and privacy in the real world. We thus believe that this work is relevant to achieving important tasks such as secure storage, implementation of cryptographic primitives on small devices and, generally, establishing electronic commerce using cryptographic tools.

Applications. In light of the above discussion, we point out that the structure of DDH-II suggests that it might be useful in the context of leakage resilient cryptography. Let us further elaborate on concrete leakage resilient applications that can benefit from this assumption:

1. In the context of leakage resilient secure computation, Damgård et al. introduced in [DHP11] the indistinguishability for k-sources (k-ind) assumption, another variant of DDH that is implied by the DDH-II assumption. Their goal was to design leakage resilient oblivious transfer relying on this hardness assumption. On the one hand, our result supports the meaningfulness of the security reduction given in [DHP11], as we prove that DDH-II is generically hard to solve. On the other hand, the work of Damgård et al. shows that Canetti's assumption, as well as the k-ind assumption, are promising tools for leakage resilient cryptography and can be useful for designing particular leakage resilient secure protocols.

2. Another interesting application of the DDH-II assumption is related to leakage resilient public-key encryption schemes (PKE). This question has lately been studied intensively by the cryptographic community [AGV09,BG10,BKKV10,DHLAW10,DGK+10,NS09]. Nevertheless, almost all of these works solve the leakage resilient PKE problem with the following restrictions applied to the basic semantic security game [GM82]: (1) leakage is allowed only from the secret key and (2) only prior to the computation of the challenge ciphertext.
Two exceptions are the following. Halevi and Lin [HL11] introduced a new after-the-fact definition where the adversary is allowed to obtain leakage from the secret key even after seeing the challenge, but whose security holds only for plaintexts with sufficiently high min-entropy. Namiki et al. [NTY11] recently showed how to construct public-key encryption schemes allowing partial leakage from the randomness used by the encryption algorithm; see the references within [NTY11] for papers that examine encryption schemes with non-uniform randomness. In both cases the constructions use randomness extractors. The DDH-II assumption allows us to focus our attention on the latter problem, concerning leakage from the randomness. Specifically, consider the ElGamal PKE, whose security relies on the DDH assumption. Then, viewing the non-uniform distribution, which was originally considered as side-information about the secret key, as leakage applied to the randomness, it is possible to run the same semantic security game reduced to the hardness of DDH-II. This is possible due to the symmetry in this assumption. Notice that we can use DDH-II only in the context where we have leakage either from the secret key or from the randomness, but not from both. Nevertheless, it makes it possible to obtain (perhaps, for the first time) a leakage resilient PKE without using any extractors. For settings in which leakage is viewed as a function of the entire secret state (that is, secret key and randomness), we point to the work of Bitansky et al. [BCH12], which demonstrates how leakage from the randomness and the secret key can be seen from a broader point of view. Namely, a public key scheme is defined using a two-party functionality and the leakage is considered as a weaker variant of passive corruption. In particular, they show a tight connection between this very general modeling of leakage and non-committing encryption (used for obtaining adaptively secure communication channels), hinting that building efficient encryption schemes tolerating leakage from both the secret key and the randomness may need to rely on stronger tools. Therefore, it is worth studying the scenario where leakage is obtained only from the randomness.
Moreover, as [NTY11] points out, dealing with leakage from the randomness is a very delicate and challenging task in itself. In fact, the work of Namiki et al. is set in a particular KEM/DEM framework that simulates the so-called split model of [DF11], where the internal state is divided into two parts, each handling a different memory part and leaking independently of the other. In this particular case, the DDH-II assumption would fit very easily into the model and would avoid the use of randomness extractors. A different attempt to study the security of ElGamal in the context of leakage resilient cryptography was proposed in [KP10]. That paper considers leakage from the secret key and proves security in the generic group model. We note that, relying on the DDH-II assumption, it would be easy to achieve the same security notion for ElGamal. This would be an improvement over the [KP10] PKE, which is constructed over bilinear groups.

3. Finally, the deep connection between DDH-II and the standard Diffie-Hellman assumption suggests that we could also exploit the properties of Canetti's variant for key-exchange protocols. This primitive has its roots in the seminal work of Diffie and Hellman [DH76] and has been studied extensively since then. Given the above structure of DDH-II, the key-exchange protocol of [DH76] can be studied in an environment where the secret exponent of one of the end users is compromised. In particular, in the same fashion as before, hardness of DDH-II can imply the security of this protocol in the presence of leakage. Authenticated key agreement, a closely related but stronger primitive, was studied in the leakage resilient setting in [DHLAW10,ADW09,KV09]. These constructions rely on leakage resilient building blocks such as signatures and obtain security against active adversaries.

Organization. Section 2 contains some basic notions and definitions. In Section 3 we present the proof of our main theorem.
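To make the symmetry argument of Application 2 concrete, here is an added example (not from the paper): ElGamal over a toy prime-order group, the decryption-by-randomness property the paper uses in Section 2.1, and the embedding of a DDH-II tuple $(g, g^a, g^b, Z)$ as a public key plus challenge ciphertext, so that the well-spread exponent $a$ plays the encryption randomness and the uniform exponent $b$ plays the secret key. The toy parameters p = 1019, q = 509, g = 4 and the leaky sampler for $a$ are assumptions.

```python
# Added example (not part of the paper): ElGamal in a toy prime-order group and the
# DDH-II reduction in which the well-spread exponent a becomes the encryption randomness.
# Assumed toy parameters: p = 1019 is a safe prime, q = 509 = (p-1)/2, and g = 4 generates
# the order-q subgroup of quadratic residues mod p.  Real deployments use ~256-bit q.
import secrets

P = 1019
Q = (P - 1) // 2          # prime order of the subgroup we work in (exponents live in F_q)
G = 4                     # generator of that subgroup

def keygen(x=None):
    """Secret key x <- F_q and public key h = g^x, as in Section 2.1."""
    if x is None:
        x = secrets.randbelow(Q)
    return x, pow(G, x, P)

def encrypt(h, m, y=None):
    """Ciphertext (alpha, beta) = (g^y, h^y * m) for a message m in the subgroup."""
    if y is None:
        y = secrets.randbelow(Q)
    return pow(G, y, P), (pow(h, y, P) * m) % P

def decrypt_with_key(x, ct):
    """Receiver: m = beta / alpha^x (pow with a negative exponent is the modular inverse)."""
    alpha, beta = ct
    return (beta * pow(alpha, -x, P)) % P

def decrypt_with_randomness(h, y, ct):
    """Sender-side property from Section 2.1: knowing y = log_g alpha gives m = beta / h^y."""
    _, beta = ct
    return (beta * pow(h, -y, P)) % P

def sample_leaky_exponent():
    """Constructed well-spread-but-not-uniform distribution for a: the adversary is assumed
    to already know the top bits, leaving 7 bits (128 equally likely values) of min-entropy."""
    return 256 + secrets.randbelow(128)

def challenge_from_ddh_ii(m, ga, gb, z):
    """Reduction step behind Application 2: a DDH-II instance (g, g^a, g^b, Z) is turned into
    an ElGamal public key h = g^b and a challenge ciphertext (g^a, Z * m).  When Z = g^{ab}
    this is a genuine encryption of m under randomness a; when Z is uniform the ciphertext
    carries no information about m.  Leakage about a is thus leakage about the randomness."""
    h = gb
    return h, (ga, (z * m) % P)

def run_reduction(m, a, b, real):
    """Build the instance for exponents a, b (real tuple or uniform Z) and decrypt the
    resulting challenge with the secret key b.  Returns the recovered plaintext."""
    ga, gb = pow(G, a, P), pow(G, b, P)
    z = pow(G, (a * b) % Q, P) if real else pow(G, secrets.randbelow(Q), P)
    h, ct = challenge_from_ddh_ii(m, ga, gb, z)
    # Consistency check: the challenge also opens with the randomness a, as in Section 2.1.
    assert decrypt_with_randomness(h, a, ct) == decrypt_with_key(b, ct)
    return decrypt_with_key(b, ct)

if __name__ == "__main__":
    m = pow(G, 7, P)                      # a constructed message inside the subgroup
    a, b = sample_leaky_exponent(), secrets.randbelow(Q)
    print("real tuple recovers m:", run_reduction(m, a, b, True) == m)
    print("random tuple recovers m:", run_reduction(m, a, b, False) == m)
```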
2 Basic Notations

For the sake of completeness, we introduce some basic notations and definitions. For a set $S$ we write $x \leftarrow S$ to denote that $x$ is sampled uniformly from $S$. We use $\mathrm{negl}$ to denote a negligible function $f : \mathbb{N} \to \mathbb{R}$, namely a function $f$ such that, for any polynomial $p(\cdot)$ and large enough $n$, $f(n) \le 1/p(n)$.

2.1 The ElGamal PKE

The ElGamal encryption scheme is a PKE which operates on a cyclic group $G$ of prime order $p$. Let $g$ denote a random generator of $G$; then the public and secret keys are $(G, p, g, h)$ and $(G, p, g, x)$, where $x \leftarrow \mathbb{F}_p$ and $h = g^x$. A message $m \in G$ is encrypted by choosing $y \leftarrow \mathbb{F}_p$, and the ciphertext is $(g^y, h^y m)$. A ciphertext $c = (\alpha, \beta)$ is decrypted as $m = \beta/\alpha^x$. We use the property that given $y = \log_g \alpha$ one can reconstruct $m = \beta/h^y$, and hence a party encrypting $m$ can prove knowledge of $m$ by proving knowledge of $y$.

2.2 Hardness Assumptions

Before giving the formal definition of DDH-II, we recall the DDH assumption.

Definition 1. Let $G$ be a cyclic group of prime order $p$ and let $g$ be a generator of $G$. The Decisional Diffie-Hellman Assumption holds if, for every PPT algorithm $A$,
$$\left|\Pr[A(g, g^a, g^b, g^{ab}) = 1] - \Pr[A(g, g^a, g^b, g^c) = 1]\right| \le \mathrm{negl}(k),$$
where the probability is taken over the random choice of $a, b, c \leftarrow \mathbb{F}_p$.

In the following, we first specify Canetti's definition ([Can97]) of a well-spread distribution.

Definition 2. A distribution ensemble $X = \{X_k\}_{k \in \mathbb{N}}$ is well spread if for any polynomial $p(\cdot)$ and large enough $k$ the maximum probability of an element is smaller than $1/p(k)$, i.e. $\max_x \Pr[X_k = x] \le 1/p(k)$.

Definition 3. Let $G$ be a cyclic group of prime order $p$ and let $g$ be a generator of $G$. The DDH Assumption II (DDH-II) holds if, for every PPT algorithm $A$,
$$\left|\Pr[A(g, g^a, g^b, g^{ab}) = 1] - \Pr[A(g, g^a, g^b, g^c) = 1]\right| \le \mathrm{negl}(k),$$
where $a$ is drawn from a well-spread distribution over $\mathbb{F}_p$ and $b, c \leftarrow \mathbb{F}_p$.

3 The Main Theorem

In this section we prove our main theorem.

Theorem 1. The DDH-II assumption holds in the generic group model.
Proof. Let $A$ be a polynomial-time generic group adversary. As usual, the generic group model is implemented by choosing a random encoding $\sigma : G \to \{0,1\}^m$. Instead of working directly with group elements, $A$ takes as input their images under $\sigma$. This way, all $A$ can test is string equality. $A$ is also given access to an oracle computing the group operation and inversion: taking $\sigma(g_1), \sigma(g_2)$ and returning $\sigma(g_1 g_2)$, and similarly for inversion. Finally, we can assume that $A$ submits to the oracle only encodings of elements it has previously received. This is because we can choose $m$ large enough that the probability of guessing a string that is also in the image of $\sigma$ is negligible.

We consider an algorithm $B$ playing the following game with $A$. Algorithm $B$ chooses 5 bit strings $\sigma_0, \ldots, \sigma_4$ uniformly in $\{0,1\}^m$. Internally, $B$ keeps track of the encoded elements using polynomials in the ring $\mathbb{F}_q[X, Y, T_0, T_1]$. To maintain consistency with the bit strings given to $A$, $B$ creates a list $L$ of pairs $(F, \sigma)$ where $F$ is a polynomial in the ring specified above and $\sigma$ is the encoding of a group element. The polynomial $F$ represents the exponent of the encoded element. Initially, $L$ is set to $\{(1, \sigma_0), (X, \sigma_1), (Y, \sigma_2), (T_0, \sigma_3), (T_1, \sigma_4)\}$. Algorithm $B$ starts the game by providing $A$ with $\sigma_0, \ldots, \sigma_4$. The simulation of the oracles goes as follows:

Group action: Given two strings $\sigma_i, \sigma_j$ relative to elements in $G$, $B$ recovers the corresponding polynomials $F_i$ and $F_j$ and computes $F_i + F_j$. If $F_i + F_j$ is already in $L$, $B$ returns to $A$ the corresponding bit string; otherwise it returns a uniform element $\sigma$ in $\{0,1\}^m$ and stores $(F_i + F_j, \sigma)$ in $L$.

Inversion: Given an element $\sigma$ in $G$, $B$ recovers its internal representation $F$ and computes $-F$. If the polynomial $-F$ is already in $L$, $B$ returns the corresponding bit string; otherwise it returns a uniform string $\sigma$ and stores $(-F, \sigma)$ in $L$.

After $A$ has queried the oracles, it outputs a bit $b'$.
At this point, $B$ chooses a bit $b$ and uniform values $x, y, s$ in $\mathbb{F}_q$ and sets $X = x$, $Y = y$, $T_b = xy$ and $T_{1-b} = s$. If the simulation provided by $B$ is consistent, it reveals nothing about $b$. This means that the probability of $A$ guessing the correct value of $b$ is $1/2$. The only way in which the simulation could be inconsistent is if, after we choose values for $X, Y, T_0, T_1$, two different polynomials in $L$ happen to evaluate to the same value.

First, we prove that $A$ is unable to cause such a collision on its own. Notice that the substitutions for the formal variables are all independent except for $T_b$. Hence, $A$ can cause a collision only by producing a multiple of $XY$. However, notice that $L$ is initially populated with polynomials of degree at most one and that neither the group operation nor the inversion oracle increases the degree of the polynomials. Thus, all polynomials contained in $L$ have degree at most one. This is enough to conclude that $A$ cannot purposely produce a collision.

It remains to prove that the probability of a collision happening due to an unlucky choice of values is negligible. In other words, we have to bound the probability that two distinct $F_i, F_j$ in $L$ evaluate to the same value after the substitution, namely $F_i(x, y, s) - F_j(x, y, s) = 0$. This reduces to bounding the probability of hitting a zero of $F_i - F_j$.
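The simulator $B$ and the degree argument above, as an added example that is not part of the paper: a Python model of $B$ that keeps the list $L$ of (polynomial, encoding) pairs, answers the two oracles, checks that the degree stays at most one, and, once $x, y, s$ and $b$ are chosen, reports whether two distinct polynomials in $L$ collide. The toy field size q = 509, the 32-bit encodings and the adversary's queries are assumptions.

```python
# Added example (not part of the paper): a model of the simulator B from the proof above.
# Exponents are polynomials in F_q[X, Y, T0, T1], stored as {exponent-tuple: coefficient}
# dicts, e.g. {(1,0,0,0): 1} is X and {(0,0,0,0): 1} is the constant 1.
# Assumptions: toy q = 509, encodings of M = 32 random bits, and the adversary's queries below.
import secrets

Q = 509   # the field F_q of the ring (toy size)
M = 32    # encoding length m: sigma : G -> {0,1}^M

def poly_add(f, g):
    """Sum of two polynomials, dropping zero coefficients so equal polynomials compare equal."""
    h = dict(f)
    for mono, c in g.items():
        h[mono] = (h.get(mono, 0) + c) % Q
        if h[mono] == 0:
            del h[mono]
    return h

def poly_neg(f):
    return {mono: (-c) % Q for mono, c in f.items()}

def degree(f):
    return max((sum(mono) for mono in f), default=0)

def evaluate(f, vals):
    """Evaluate f at vals = (x, y, t0, t1) in F_q."""
    total = 0
    for mono, c in f.items():
        term = c
        for v, e in zip(vals, mono):
            term = term * pow(v, e, Q) % Q
        total = (total + term) % Q
    return total

class Simulator:
    """Algorithm B: hands A random strings and keeps the list L of (polynomial, encoding) pairs."""

    def __init__(self):
        self.L = []
        basis = [{(0, 0, 0, 0): 1}, {(1, 0, 0, 0): 1}, {(0, 1, 0, 0): 1},
                 {(0, 0, 1, 0): 1}, {(0, 0, 0, 1): 1}]          # 1, X, Y, T0, T1
        self.initial = [self._encode(F) for F in basis]          # sigma_0 ... sigma_4

    def _encode(self, F):
        """Return the encoding already stored for F, or a fresh uniform string recorded in L."""
        for G, sigma in self.L:
            if G == F:
                return sigma
        sigma = secrets.randbits(M)
        self.L.append((F, sigma))
        return sigma

    def _lookup(self, sigma):
        for F, s in self.L:
            if s == sigma:
                return F
        raise ValueError("A may only submit encodings it has previously received")

    def group_action(self, sigma_i, sigma_j):
        """Oracle for sigma(g_i * g_j): add the exponent polynomials."""
        return self._encode(poly_add(self._lookup(sigma_i), self._lookup(sigma_j)))

    def inversion(self, sigma):
        """Oracle for sigma(g_i^{-1}): negate the exponent polynomial."""
        return self._encode(poly_neg(self._lookup(sigma)))

    def max_degree(self):
        """Degree bound from the proof: neither oracle raises the degree, so this stays 1."""
        return max(degree(F) for F, _ in self.L)

    def has_collision(self, x, y, s, b):
        """Substitute X=x, Y=y, T_b=xy, T_{1-b}=s and report whether two distinct polynomials
        in L take the same value, the only event that could make the simulation inconsistent."""
        vals = [x, y, None, None]
        vals[2 + b] = (x * y) % Q
        vals[3 - b] = s
        seen = {}
        for F, _ in self.L:
            v = evaluate(F, vals)
            if v in seen and seen[v] != F:
                return True
            seen[v] = F
        return False

def empirical_collision_rate(sample_x, trials=2000):
    """Estimate Pr[collision] for a fixed set of queries when x is drawn by sample_x and
    y, s, b are uniform; the proof bounds each pair by max_x Pr[X = x] in the degree-one case."""
    sim = Simulator()
    s0, sX, sY, sT0, sT1 = sim.initial
    sim.group_action(sX, sY)          # X + Y
    sim.inversion(sX)                 # -X
    sim.group_action(sT0, sT1)        # T0 + T1
    hits = 0
    for _ in range(trials):
        x, y, s = sample_x(), secrets.randbelow(Q), secrets.randbelow(Q)
        hits += sim.has_collision(x, y, s, secrets.randbits(1))
    return hits / trials

if __name__ == "__main__":
    leaky = lambda: 256 + secrets.randbelow(128)   # constructed 7-bit min-entropy distribution
    print("collision rate with leaky x:", empirical_collision_rate(leaky))
```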
Recall that the Schwartz–Zippel lemma says that, if $f$ is a degree $d$ polynomial in $\mathbb{F}_p[X_1, \ldots, X_n]$ and $S \subseteq \mathbb{F}_p$, then
$$\Pr[f(x_1, \ldots, x_n) = 0] \le \frac{d}{|S|},$$
where $x_1, \ldots, x_n$ are chosen uniformly from $S$. Now, let $H_\infty(X) = -\log\left(\max_x \Pr[X_k = x]\right)$ be the min-entropy of the distribution ensemble $X = \{X_k\}_{k \in \mathbb{N}}$. Then, given fixed $x_2, \ldots, x_n \in \mathbb{F}_p$,
$$\Pr_{x \leftarrow X}[f(x, x_2, \ldots, x_n) = 0] \le \frac{d}{2^{H_\infty(X)}}.$$
Going back to our case (where $F_j - F_i$ has degree one, so $d = 1$), we have that
$$\begin{aligned}
\Pr_{\substack{x \leftarrow X \\ y, s \leftarrow \mathbb{F}_p}}[(F_j - F_i)(x, y, s) = 0]
&= \sum_{y, s} \Pr_{x \leftarrow X}[(F_j - F_i)(x, Y, S) = 0 \mid Y = y, S = s] \cdot \Pr[Y = y, S = s] \\
&\le \sum_{y, s} \frac{1}{2^{H_\infty(X)}} \Pr[Y = y, S = s] = \frac{1}{2^{H_\infty(X)}} = \max_x \Pr[X_k = x].
\end{aligned}$$
Since by assumption the distribution $X$ is well-spread, we have that, for any polynomial $p$ and large enough $k$, the probability of a collision is less than or equal to $1/p(k)$, which means precisely that the probability of a collision is negligible. This concludes the proof of the theorem.

4 Future Directions

The particular form of the DDH-II assumption implies that it may be possible to release some partial information about the exponent and still be able to prove security. This assumption seems to have much potential but must also be employed carefully. For instance, it is important to note that standard hybrid arguments do not immediately hold here as they do in the standard setting (without considering leakage). We thus propose to further study this assumption and in particular to examine its benefits in leakage resilient cryptography. Specifically, it would be very interesting to show a construction of a PKE scheme that allows leakage from the randomness before, as well as after, the challenge ciphertext is produced. The DDH-II assumption takes one step in this direction as it makes it possible to obtain leakage from the randomness of the challenge ciphertext (but not from the secret key) when instantiating the PKE with ElGamal.

In addition, we suggest examining another variant of DDH, also proposed by Canetti [Can97], where instead of receiving $g^a$, the adversary sees $f(a)$ for some uninvertible function $f$. This assumption could be useful in the auxiliary input leakage setting.

References

[ADW09] Joël Alwen, Yevgeniy Dodis, and Daniel Wichs. Leakage-resilient public-key cryptography in the bounded-retrieval model. In CRYPTO, pages 36–54.
[AGV09] Adi Akavia, Shafi Goldwasser, and Vinod Vaikuntanathan. Simultaneous hardcore bits and cryptography against memory attacks. In TCC.
[BBS04] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In CRYPTO, pages 41–55.
[BCH12] Nir Bitansky, Ran Canetti, and Shai Halevi. Leakage-tolerant interactive protocols. In TCC.
[BDL97] Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. On the importance of checking cryptographic protocols for faults (extended abstract). In EUROCRYPT, pages 37–51.
[BF01] Dan Boneh and Matthew K. Franklin. Identity-based encryption from the Weil pairing. In CRYPTO.
[BG10] Zvika Brakerski and Shafi Goldwasser. Circular and leakage resilient public-key encryption under subgroup indistinguishability (or: Quadratic residuosity strikes back). In CRYPTO, pages 1–20.
[BKKV10] Zvika Brakerski, Yael Tauman Kalai, Jonathan Katz, and Vinod Vaikuntanathan. Overcoming the hole in the bucket: Public-key cryptography resilient to continual memory leakage. In FOCS.
[BS97] Eli Biham and Adi Shamir. Differential fault analysis of secret key cryptosystems. In CRYPTO.
[BW07] Xavier Boyen and Brent Waters. Full-domain subgroup hiding and constant-size group signatures. In Public Key Cryptography, pages 1–15.
[Can97] Ran Canetti. Towards realizing random oracles: Hash functions that hide all partial information. In CRYPTO.
[Che06] Jung Hee Cheon. Security analysis of the strong Diffie-Hellman problem. In EUROCRYPT, pages 1–11.
[CLW06] Giovanni Di Crescenzo, Richard J. Lipton, and Shabsi Walfish. Perfectly secure password protocols in the bounded retrieval model. In TCC.
[CS98] Ronald Cramer and Victor Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In CRYPTO, pages 13–25.
[Den06] Alexander W. Dent. The hardness of the DHK problem in the generic group model. IACR Cryptology ePrint Archive, 2006:156.
[DF11] Stefan Dziembowski and Sebastian Faust. Leakage-resilient cryptography from the inner-product extractor. In ASIACRYPT.
[DGK+10] Yevgeniy Dodis, Shafi Goldwasser, Yael Tauman Kalai, Chris Peikert, and Vinod Vaikuntanathan. Public-key encryption schemes with auxiliary inputs. In TCC.
[DH76] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22(6).
[DHLAW10] Yevgeniy Dodis, Kristiyan Haralambiev, Adriana López-Alt, and Daniel Wichs. Efficient public-key cryptography in the presence of key leakage. In ASIACRYPT.
[DHP11] Ivan Damgård, Carmit Hazay, and Arpita Patra. Leakage resilient secure two-party computation. IACR Cryptology ePrint Archive, 2011:256.
[DKL09] Yevgeniy Dodis, Yael Tauman Kalai, and Shachar Lovett. On cryptography with auxiliary input. In STOC.
[DP08] Stefan Dziembowski and Krzysztof Pietrzak. Leakage-resilient cryptography. In FOCS.
[FKPR10] Sebastian Faust, Eike Kiltz, Krzysztof Pietrzak, and Guy N. Rothblum. Leakage-resilient signatures. In TCC.
[Gam85] Taher El Gamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31(4).
[GM82] Shafi Goldwasser and Silvio Micali. Probabilistic encryption and how to play mental poker keeping secret all partial information. In STOC.
[HK07] Dennis Hofheinz and Eike Kiltz. Secure hybrid encryption from weakened key encapsulation. In CRYPTO.
[HL11] Shai Halevi and Huijia Lin. After-the-fact leakage in public-key encryption. In TCC.
[KJJ99] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. Differential power analysis. In CRYPTO.
[Koc96] Paul C. Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In CRYPTO.
[KP10] Eike Kiltz and Krzysztof Pietrzak. Leakage resilient ElGamal encryption. In ASIACRYPT.
[KV09] Jonathan Katz and Vinod Vaikuntanathan. Signature schemes with bounded leakage resilience. In ASIACRYPT.
[LRW11] Allison B. Lewko, Yannis Rouselakis, and Brent Waters. Achieving leakage resilience through dual system encryption. In TCC, pages 70–88.
[MR04] Silvio Micali and Leonid Reyzin. Physically observable cryptography (extended abstract). In TCC.
[MW98] Ueli M. Maurer and Stefan Wolf. Lower bounds on generic algorithms in groups. In EUROCRYPT, pages 72–84.
[NS09] Moni Naor and Gil Segev. Public-key cryptosystems resilient to key leakage. IACR Cryptology ePrint Archive, 2009:105.
[NTY11] Hitoshi Namiki, Keisuke Tanaka, and Kenji Yasunaga. Randomness leakage in the KEM/DEM framework. In ProvSec.
[QS01] Jean-Jacques Quisquater and David Samyde. Electromagnetic analysis (EMA): Measures and countermeasures for smart cards. In E-smart.
[Sha07] Hovav Shacham. A Cramer-Shoup encryption scheme from the linear assumption and from progressively weaker linear variants. IACR Cryptology ePrint Archive, 2007:74.
[Sho97] Victor Shoup. Lower bounds for discrete logarithms and related problems. In EUROCRYPT.
[Sma01] Nigel P. Smart. The exact security of ECIES in the generic group model. In IMA Int. Conf., pages 73–84.
[SV98] Claus-Peter Schnorr and Serge Vaudenay. The black-box model for cryptographic primitives. J. Cryptology, 11(2).
[Wat12] Brent Waters. Functional encryption for regular languages. In CRYPTO.
More informationGeneric Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model
Generic Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model Janaka Alawatugoda Department of Computer Engineering University of Peradeniya,
More informationNew Public Key Cryptosystems Based on the Dependent RSA Problems
New Public Key Cryptosystems Based on the Dependent RSA Problems David Pointcheval LIENS CNRS, École Normale Supérieure, 45 rue d Ulm, 75230 Paris Cedex 05, France. David.Pointcheval@ens.fr http://www.dmi.ens.fr/
More informationDirect Chosen Ciphertext Security from Identity-Based Techniques
Updated version of a paper published in the proceedings of the 12th ACM Conference on Computer and Communications Security CCS 2005, Alexandria, VA, November 2005. Current version available from the IACR
More informationA systematic approach to eliminating the vulnerabilities in smart cards evaluation
A systematic approach to eliminating the vulnerabilities in smart cards evaluation Hongsong Shi, Jinping Gao, Chongbing Zhang hongsongshi@gmail.com China Information Technology Security Evaluation Center
More informationNew Constructions for UC Secure Computation using Tamper-proof Hardware
New Constructions for UC Secure Computation using Tamper-proof Hardware Nishanth Chandran Vipul Goyal Amit Sahai Department of Computer Science, UCLA {nishanth,vipul,sahai}@cs.ucla.edu Abstract The Universal
More informationGroup-based Proxy Re-encryption Scheme Secure against Chosen Ciphertext Attack
International Journal of Network Security, Vol.8, No., PP.266 270, May 2009 266 Group-based Proxy Re-encryption Scheme Secure against Chosen Ciphertext Attack Chunbo Ma and Jun Ao (Corresponding author:
More informationEfficient Compilers for After-the-Fact Leakage: from CPA to CCA-2 secure PKE to AKE
Efficient Compilers for After-the-Fact Leakage: from CPA to CCA-2 secure PKE to AKE Suvradip Chakraborty 1, Goutam Paul 2 and C. Pandu Rangan 1 1 Department of Computer Science and Engineering, Indian
More informationCSC 5930/9010 Modern Cryptography: Digital Signatures
CSC 5930/9010 Modern Cryptography: Digital Signatures Professor Henry Carter Fall 2018 Recap Implemented public key schemes in practice commonly encapsulate a symmetric key for the rest of encryption KEM/DEM
More informationCryptography. Lecture 12. Arpita Patra
Cryptography Lecture 12 Arpita Patra Digital Signatures q In PK setting, privacy is provided by PKE q Integrity/authenticity is provided by digital signatures (counterpart of MACs in PK world) q Definition:
More informationProgram Obfuscation with Leaky Hardware
Program Obfuscation with Leaky Hardware The MIT Faculty has made this article openly available. Please share how this access benefits you. Your story matters. Citation As Published Publisher Bitansky,
More informationStateful Key Encapsulation Mechanism
Stateful Key Encapsulation Mechanism Peng Yang, 1 Rui Zhang, 2 Kanta Matsuura 1 and Hideki Imai 2 The concept of stateful encryption was introduced to reduce computation cost of conventional public key
More informationThe Twin Diffie-Hellman Problem and Applications
An extended abstract of this paper appears in Advances in Cryptology EUROCRYPT 08, Lecture Notes in Computer Science Vol.????, N. Smart ed., Springer-Verlag, 2008. This is the full version. The Twin Diffie-Hellman
More informationLectures 4+5: The (In)Security of Encrypted Search
Lectures 4+5: The (In)Security of Encrypted Search Contents 1 Overview 1 2 Data Structures 2 3 Syntax 3 4 Security 4 4.1 Formalizing Leaky Primitives.......................... 5 1 Overview In the first
More informationAn Efficient ID-KEM Based On The Sakai Kasahara Key Construction
An Efficient ID-KEM Based On The Sakai Kasahara Key Construction L. Chen 1, Z. Cheng 2, J. Malone Lee 3, and N.P. Smart 3 1 Hewlett-Packard Laboratories, Filton Road, Stoke Gifford, Bristol, BS34 8QZ,
More informationApplied Cryptography and Computer Security CSE 664 Spring 2018
Applied Cryptography and Computer Security Lecture 13: Public-Key Cryptography and RSA Department of Computer Science and Engineering University at Buffalo 1 Public-Key Cryptography What we already know
More informationThe Cramer-Shoup Encryption Scheme is Plaintext Aware in the Standard Model
The Cramer-Shoup Encryption Scheme is Plaintext Aware in the Standard Model Alexander W. Dent Royal Holloway, University of London Egham, Surrey, TW20 0EX, U.K. a.dent@rhul.ac.uk Abstract. In this paper
More informationLecture 15: Public Key Encryption: I
CSE 594 : Modern Cryptography 03/28/2017 Lecture 15: Public Key Encryption: I Instructor: Omkant Pandey Scribe: Arun Ramachandran, Parkavi Sundaresan 1 Setting In Public-key Encryption (PKE), key used
More informationResearch Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel.
Research Statement Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel. lindell@cs.biu.ac.il www.cs.biu.ac.il/ lindell July 11, 2005 The main focus of my research is the theoretical foundations
More informationCS 395T. Formal Model for Secure Key Exchange
CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,
More informationA compact Aggregate key Cryptosystem for Data Sharing in Cloud Storage systems.
A compact Aggregate key Cryptosystem for Data Sharing in Cloud Storage systems. G Swetha M.Tech Student Dr.N.Chandra Sekhar Reddy Professor & HoD U V N Rajesh Assistant Professor Abstract Cryptography
More informationDefinitions and Notations
Chapter 2 Definitions and Notations In this chapter, we present definitions and notation. We start with the definition of public key encryption schemes and their security models. This forms the basis of
More informationA New Hierarchical ID-Based Cryptosystem and CCA-Secure PKE
A New Hierarchical ID-Based Cryptosystem and CCA-Secure PKE Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275,
More informationElements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy
Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 2 Due: Friday, 10/28/2016 at 11:55pm PT Will be posted on
More informationPublic-Key Encryption in the Bounded-Retrieval Model
Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen 1, Yevgeniy Dodis 1, Moni Naor 2, Gil Segev 2, Shabsi Walfish 3, and Daniel Wichs 1 1 New York University (NYU). New York, USA {jalwen,dodis,wichs}@cs.nyu.edu
More informationVerifiably Encrypted Signature Scheme with Threshold Adjudication
Verifiably Encrypted Signature Scheme with Threshold Adjudication M. Choudary Gorantla and Ashutosh Saxena Institute for Development and Research in Banking Technology Road No. 1, Castle Hills, Masab Tank,
More informationIntroduction to Public-Key Cryptography
Introduction to Public-Key Cryptography Nadia Heninger University of Pennsylvania June 11, 2018 We stand today on the brink of a revolution in cryptography. Diffie and Hellman, 1976 Symmetric cryptography
More informationProtecting Cryptographic Keys against Continual Leakage
Protecting Cryptographic Keys against Continual Leakage Ali Juma and Yevgeniy Vahlis Department of Computer Science, University of Toronto {ajuma,evahlis}@cs.toronto.edu Abstract. Side-channel attacks
More informationLecture 10, Zero Knowledge Proofs, Secure Computation
CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last
More informationFine-Grained Data Sharing Supporting Attribute Extension in Cloud Computing
wwwijcsiorg 10 Fine-Grained Data Sharing Supporting Attribute Extension in Cloud Computing Yinghui Zhang 12 1 National Engineering Laboratory for Wireless Security Xi'an University of Posts and Telecommunications
More informationMulti-authority attribute based encryption with honest-but-curious central authority
Multi-authority attribute based encryption with honest-but-curious central authority Vladimir Božović 1, Daniel Socek 2, Rainer Steinwandt 1, and Viktória I. Villányi 1 1 Department of Mathematical Sciences,
More informationAttribute-Based Encryption. Allison Lewko, Microsoft Research
Attribute-Based Encryption Allison Lewko, Microsoft Research The Cast of Characters This talk will feature work by: Brent Waters Amit Sahai Vipul Goyal Omkant Pandey With special guest appearances by:
More informationResearch Statement. Vinod Vaikuntanathan
Research Statement Vinod Vaikuntanathan The main focus of my research is the theoretical foundations of cryptography and distributed protocols. Thanks to the impressive developments in cryptography over
More informationObfuscation (IND-CPA Security Circular Security)
Obfuscation (IND-CPA Security Circular Security) Antonio Marcedone 1, and Claudio Orlandi 2 1 Scuola Superiore di Catania, University of Catania, Italy, amarcedone@cs.au.dk 2 Aarhus University, Denmark,
More informationWeak adaptive chosen ciphertext secure hybrid encryption scheme
Weak adaptive chosen ciphertext secure hybrid encryption scheme Xianhui Lu 1, Xuejia Lai 2, Dake He 1, Guomin Li 1 Email:luxianhui@gmail.com 1:School of Information Science & Technology, SWJTU, Chengdu,
More informationModelling the Security of Key Exchange
Modelling the Security of Key Exchange Colin Boyd including joint work with Janaka Alawatugoda, Juan Gonzalez Nieto Department of Telematics, NTNU Workshop on Tools and Techniques for Security Analysis
More informationSecure Cryptographic Workflow in the Standard Model
Secure Cryptographic Workflow in the Standard Model M. Barbosa 1 and P. Farshim 2 1 Departamento de Informática, Universidade do Minho, Campus de Gualtar, 4710-057 Braga, Portugal. mbb@di.uminho.pt 2 Department
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationProvably Secure against Adaptive Chosen. Ciphertext Attack. Ronald Cramer
A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack Ronald Cramer Institute for Theoretical Computer Science, ETH Zurich, 809 Zurich, Switzerland cramer@inf.ethz.ch
More informationMTAT Cryptology II. Commitment Schemes. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Commitment Schemes Sven Laur University of Tartu Formal Syntax m M 0 (c,d) Com pk (m) pk Canonical use case Gen c d pk m Open pk (c,d) A randomised key generation algorithm Gen
More informationSecurity Against Selective Opening Attacks
Security Against Selective Opening Attacks Rafael Dowsley June 2012 Abstract This survey will deal with the problem of selective opening attacks (SOA). We will present the known results (both possibility
More informationCertificateless Onion Routing
Certificateless Onion Routing Dario Catalano Dipartimento di Matematica e Informatica Università di Catania - Italy catalano@dmi.unict.it Dario Fiore Dipartimento di Matematica e Informatica Università
More informationBU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/
BU CAS CS 538: Cryptography Lecture Notes. Fall 2005. http://www.cs.bu.edu/ itkis/538/ Gene Itkis Boston University Computer Science Dept. 1 General One-Way and Trapdoor Functions In this section, we will
More informationSecurity of Message Authentication Codes in the Presence of Key-Dependent Messages
Designs, Codes and Cryptography manuscript No. (will be inserted by the editor) Security of Message Authentication Codes in the Presence of Key-Dependent Messages Madeline González Muñiz Rainer Steinwandt
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationCSC 5930/9010 Modern Cryptography: Public Key Cryptography
CSC 5930/9010 Modern Cryptography: Public Key Cryptography Professor Henry Carter Fall 2018 Recap Number theory provides useful tools for manipulating integers and primes modulo a large value Abstract
More informationCrypto Background & Concepts SGX Software Attestation
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 4b Slide deck extracted from Kamran s tutorial on SGX, presented during ECE 6095 Spring 2017 on Secure Computation and Storage, a precursor to this course
More informationAnonymizable Ring Signature Without Pairing
Anonymizable Ring Signature Without Pairing Olivier Blazy, Xavier Bultel, Pascal Lafourcade To cite this version: Olivier Blazy, Xavier Bultel, Pascal Lafourcade. Anonymizable Ring Signature Without Pairing.
More informationKey-Evolution Schemes Resilient to Space Bounded Leakage
Key-Evolution Schemes Resilient to Space Bounded Leakage Stefan Dziembowski Tomasz Kazana Daniel Wichs Main contribution We propose a secure scheme for deterministic key-evolution Properties: leakage-resilient
More informationLecture Note 05 Date:
P.Lafourcade Lecture Note 05 Date: 29.09.2009 Security models 1st Semester 2008/2009 MANGEOT Guillaume ROJAT Antoine THARAUD Jrmie Contents 1 Block Cipher Modes 2 1.1 Electronic Code Block (ECB) [Dwo01]....................
More informationProofs for Key Establishment Protocols
Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish
More informationSecurity of Identity Based Encryption - A Different Perspective
Security of Identity Based Encryption - A Different Perspective Priyanka Bose and Dipanjan Das priyanka@cs.ucsb.edu,dipanjan@cs.ucsb.edu Department of Computer Science University of California Santa Barbara
More informationPart VI. Public-key cryptography
Part VI Public-key cryptography Drawbacks with symmetric-key cryptography Symmetric-key cryptography: Communicating parties a priori share some secret information. Secure Channel Alice Unsecured Channel
More informationSecurity of Cryptosystems
Security of Cryptosystems Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Symmetric key cryptosystem m M 0 c Enc sk (m) sk Gen c sk m Dec sk (c) A randomised key generation algorithm outputs
More informationComputer Security CS 526
Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability
More informationTightly-Secure Authenticated Key Exchange without NAXOS Approach Based on Decision Linear Problem
Open Access Library Journal 016, Volume 3, e3033 ISSN Online: 333-971 ISSN Print: 333-9705 Tightly-Secure Authenticated Key Exchange without NAXOS Approach Based on Decision Linear Problem Mojahed Mohamed
More informationFunction-Private Identity-Based Encryption: Hiding the Function in Functional Encryption
Function-Private Identity-Based Encryption: Hiding the Function in Functional Encryption Dan Boneh, Ananth Raghunathan, and Gil Segev Computer Science Department Stanford University, Stanford, CA 94305.
More informationCryptographic Primitives and Protocols for MANETs. Jonathan Katz University of Maryland
Cryptographic Primitives and Protocols for MANETs Jonathan Katz University of Maryland Fundamental problem(s) How to achieve secure message authentication / transmission in MANETs, when: Severe resource
More informationEfficient and Non-Malleable Proofs of Plaintext Knowledge and Applications
Efficient and Non-Malleable Proofs of Plaintext Knowledge and Applications (Extended Abstract ) Jonathan Katz Abstract We describe very efficient protocols for non-malleable (interactive) proofs of plaintext
More informationCryptography. and Network Security. Lecture 0. Manoj Prabhakaran. IIT Bombay
Cryptography and Network Security Lecture 0 Manoj Prabhakaran IIT Bombay Security In this course: Cryptography as used in network security Humans, Societies, The World Network Hardware OS Libraries Programs
More informationTracing Insider Attacks in the Context of Predicate Encryption Schemes
Tracing Insider Attacks in the Context of Predicate Encryption Schemes Jonathan Katz and Dominique Schröder University of Maryland Email: {jkatz,schroder}@cs.umd.edu Abstract In a predicate encryption
More informationCCA2-Secure Threshold Broadcast Encryption with Shorter Ciphertexts
CCA2-Secure Threshold Broadcast Encryption with Shorter Ciphertexts Vanesa Daza 1, Javier Herranz 2, az Morillo 3 and Carla Ràfols 3 1 Dept. D Enginyeria Informàtica i Matemàtiques, Universitat Rovira
More informationOn the Strength of the Concatenated Hash Combiner when All the Hash Functions are Weak
On the Strength of the Concatenated Hash Combiner when All the Hash Functions are Weak Jonathan J. Hoch and Adi Shamir Department of Computer Science and Applied Mathematics, The Weizmann Institute of
More informationRelations between Semantic Security and Anonymity in Identity Based Encryption
Relations between Semantic Security and Anonymity in Identity Based Encryption Javier Herranz 1, Fabien Laguillaumie 2, and Carla Ràfols 1 1 Dept. Matemàtica Aplicada IV, Universitat Politècnica de Catalunya,
More informationSecure Multiparty Computation
Secure Multiparty Computation Li Xiong CS573 Data Privacy and Security Outline Secure multiparty computation Problem and security definitions Basic cryptographic tools and general constructions Yao s Millionnare
More informationChaum s Designated Confirmer Signature Revisited
Chaum s Designated Confirmer Signature Revisited Jean Monnerat and Serge Vaudenay EPFL, Switzerland http://lasecwww.epfl.ch Abstract. This article revisits the original designated confirmer signature scheme
More information