Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions. Shashank Agrawal and David J. Wu
|
|
- Felicia Wiggins
- 6 years ago
- Views:
Transcription
1 Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions Shashank Agrawal and David J. Wu
2 Public-Key Functional Encryption [BSW11, O N10] x f(x) Keys are associated with deterministic functions f sk f m sk f Decrypt(sk f, ct m ) f(m)
3 Public-Key Functional Encryption [BSW11, O N10] Setup 1 λ : Outputs (msk, mpk) KeyGen(msk, f): Outputs decryption key sk f Encrypt mpk, m : Outputs ciphertext ct m Decrypt(sk f, ct m ): Outputs f m
4 Public-Key Functional Encryption [BSW11, O N10] Setup 1 λ : Outputs (msk, mpk) KeyGen(msk, f): Outputs decryption key sk f Encrypt mpk, m : Outputs ciphertext ct m Deterministic function f Decrypt(sk f, ct m ): Outputs f m
5 Functional Encryption for Randomized Functionalities (rfe) [GJKS15] r x f(x ; r) But what if f is randomized? Many interesting functions are randomized
6 Application 1: Proxy Re-Encryption personal Alice Alice work Mail server has functional key to re-encrypt message under secretary s public key Secretary
7 Application 2: Auditing an Encrypted Database Encrypted database of records r 1 r 2 r 3 r 4 r 5 r 6 r 2 r 6 Sample a random subset to audit
8 Does Public-Key rfe Exist? io [GJKS15] General- Purpose rfe (selectively secure)
9 Public-Key Functional Encryption [BSW11, O N10] Can be instantiated from a wide range of assumptions PKE / LWE [SS10, GVW12,GKPVZ13, ] Bounded- Collusion FE Multilinear Maps / io [GGHRSW13, GGHZ16, Wat15, ] General- Purpose FE
10 The State of (Public-Key) Functional Encryption Deterministic functionalities [SS10, GVW12, ] Randomized functionalities PKE [GGHRSW13, GGHZ16, ] Multilinear Maps / io Bounded- Collusion FE General- Purpose FE io [GJKS15] General- Purpose rfe Generally adaptively secure Selectively secure
11 The State of (Public-Key) Functional Encryption Deterministic functionalities Randomized functionalities Bounded- PKEDoes extending FE to support Collusion FE randomized functionalities GeneraliO Purpose rfe Multilinear General- Maps / io Purpose FE require much stronger tools? Adaptively secure Selectively secure
12 Our Main Result General-purpose FE for deterministic functionalities Number Theory (e.g., DDH, RSA) General-purpose FE for randomized functionalities Implication: randomized FE is not much more difficult to construct than standard FE.
13 Defining rfe
14 Deterministic functionalities Defining Correctness for FE m Decrypt(sk f, ct m ) f(m) sk f
15 Defining Correctness for rfe [GJKS15] Randomized functionalities m Decrypt(sk f, ct m ) f(m; r) sk f m Decrypt(sk f, ct m ) f(m ; r ) sk f Different ciphertexts Same function key Independent draws from output distribution
16 Defining Correctness for rfe [GJKS15] Randomized functionalities m Decrypt(sk f, ct m ) f(m; r) sk f m Decrypt(sk f, ct m ) f (m; r ) sk f Same ciphertexts Different function keys Independent draws from output distribution
17 Simulation-Based Security (Informally) f m msk sk f m Real World: honestly generated ciphertexts and secret keys f f(m) m sk f Ideal World: simulated ciphertexts and secret keys
18 Public-Key Functional Encryption [BSW11, O N10] Simulation-based notion of security: msk mpk f??? mpk f f KeyGen(msk, f) sk f m m f 1 m,, f q1 (m) Encrypt(mpk, m) ct m f f f, f(m) Real World KeyGen(msk, f) sk f Ideal World
19 Public-Key Functional Encryption [BSW11, O N10] Selective security: adversary first commits to challenge msk m??? m ε mpk mpk Encrypt(mpk, m) ct m f f f, f(m) KeyGen(msk, f) sk f Real World Ideal World
20 msk Simulation-based notion of security: mpk f KeyGen(msk, f) m Security for rfe Function f is a randomized function mpk f f sk f m f 1 m,, f q1 (m) Encrypt(mpk, m) ct m Real World f KeyGen(msk, f) Each function evaluated using freshly sampled randomness f f, f(m) sk f Ideal World
21 The Case for Malicious Encrypters Encrypted database of records r 1 r 2 r 3 r 4 r 5 r 6 What if encrypter (bank) is adversarial? r 2 r 6 Sample a random subset to audit
22 The Case for Malicious Encrypters Randomized functionalities m Decrypt(sk f, ct m ) f(m; r) sk f m Decrypt(sk f, ct m ) f(m ; r) sk f Dishonest encrypters can construct bad ciphertexts such that decryption produces correlated outputs
23 Capturing Dishonest Encrypters Give the adversary access to a decryption oracle (a CCA like definition) [GJKS15] msk ct, f sk f KeyGen(msk, f) m Decrypt(sk f, ct) m ct, f ct
24 Capturing Dishonest Encrypters Simulator sees ciphertext and can make a single query to an ideal evaluation oracle O f Give the adversary access to a decryption oracle (a CCA like definition) [GJKS15] msk ct, f sk f KeyGen(msk, f) m Decrypt(sk f, ct) m ct, f ct
25 Capturing Dishonest Encrypters Simulator sees ciphertext and can make a single query to an ideal evaluation oracle O f Give the adversary access to a decryption oracle (a CCA like definition) [GJKS15] msk ct, f ct, f ct sk f KeyGen(msk, f) m Decrypt(sk f, ct) m f(x) x
26 Capturing Dishonest Encrypters Simulator sees ciphertext and can make a single query to an ideal evaluation oracle O f Give the adversary access to a decryption oracle (a CCA like definition) [GJKS15] msk ct, f ct, f ct sk f KeyGen(msk, f) m Decrypt(sk f, ct) Ideal evaluation oracle O m f takes an input x and outputs random draw from output distribution f(x) f(x) x
27 Capturing Dishonest Encrypters Give the adversary access to a decryption oracle (a CCA like definition) [GJKS15] msk ct, f ct, f ct sk f KeyGen(msk, f) m Decrypt(sk f, ct) m f(x) x Note: in ideal world, distinguisher always sees a function evaluation using uniform randomness
28 Capturing Dishonest Encrypters Give the adversary access to a decryption oracle (a CCA like definition) [GJKS15] msk ct, f ct, f ct sk f KeyGen(msk, f) m Decrypt(sk f, ct) m f(x) x Notion also well-defined in deterministic setting and is easily achieved by attaching a NIZK to ciphertext
29 Capturing Dishonest Encrypters This work: Extend security model to allow adversary to submit multiple ciphertexts (rules out adversary s ability to construct correlated ciphertexts) msk ct i i [n], f sk f KeyGen(msk, f) m i Decrypt(sk f, ct i ) m 1,, m n
30 Capturing Dishonest Encrypters This work: Extend security model to allow adversary to submit multiple ciphertexts (rules out adversary s ability to construct correlated ciphertexts) msk ct i i [n], f sk f KeyGen(msk, f) m i Decrypt(sk f, ct i ) m 1,, m n Same decryption key used for all decryptions in real distribution
31 Capturing Dishonest Encrypters This work: Extend security model to allow adversary to submit multiple ciphertexts (rules out adversary s ability to construct correlated ciphertexts) msk ct i i [n], f ct i i [n], f ct i i [n] sk f KeyGen(msk, f) m i Decrypt(sk f, ct i ) m 1,, m n Same decryption key used for all decryptions in real distribution f x i i [n] x i i [n]
32 Capturing Dishonest Encrypters msk This work: Extend security model to allow adversary to submit multiple ciphertexts (rules out adversary s ability to construct correlated ciphertexts) ct i i [n], f sk f KeyGen(msk, f) m i Decrypt(sk f, ct i ) m 1,, m n Same decryption key used for all decryptions in real distribution Ideal evaluation oracle O f takes vector of inputs x i and for each input, outputs random draw ct i i [n], f ct i i [n] f x i from f(x i ) i [n] x i i [n]
33 Capturing Dishonest Encrypters msk This work: Extend security model to allow adversary to submit multiple ciphertexts (rules out adversary s ability to construct correlated ciphertexts) ct i i [n], f sk f KeyGen(msk, f) m i Decrypt(sk f, ct i ) m 1,, m n Impose admissibility criterion to rule out cases where adversary submits same ct i i [n], f ct i i [n] f x i ciphertext twice i [n] x i i [n]
34 Our Generic Transformation
35 Starting Point: Derandomization x r Randomized functionality x Derandomized functionality f(x ; r) f x; PRF k, x k Starting point: construct derandomized function where randomness for f derived from outputs of a PRF
36 Starting Point: Derandomization x r Randomized functionality x Derandomized functionality f(x ; r) f x; PRF k, x k Randomized function f Derandomized function g k : g k x = f x, PRF k, x
37 Starting Point: Derandomization x r Randomized functionality x Derandomized functionality f(x ; r) f x; PRF k, x Randomized function f k PRF key embedded inside g k Derandomized function g k : g k x = f x, PRF k, x
38 Starting Point: Derandomization rfe. KeyGen(msk, f) k R K But in publickey setting, keys do not hide the function! FE. KeyGen(msk, g k ) sk gk g k x = f x, PRF k, x
39 Starting Point: Derandomization rfe. KeyGen(msk, f) k R K Given sk gk, adversary can learn the PRF key k FE. KeyGen(msk, g k ) sk gk g k x = f x, PRF k, x
40 How to Hide the Key? Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext PRF key k Secret-share the PRF key k 1 k 2 Key share in ciphertext Key share in function key
41 How to Hide the Key? Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext rfe. Encrypt(mpk, m) k 1 R K FE. Encrypt mpk, m, k 1 (m, k 1 )
42 How to Hide the Key? Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext rfe. KeyGen(msk, f) k 2 R K Some operation to combine shares of key g k2 m, k 1 = f(m ; PRF(k 1 k 2, m) FE. KeyGen msk, g k2 sk gk 2
43 How to Hide the Key? Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext rfe. KeyGen(msk, f) Security now relies on related-key security for PRFs k 2 R K g k2 m, k 1 = f(m ; PRF(k 1 k 2, m) FE. KeyGen msk, g k2 sk gk 2
44 Why Related-Key Security? Challenge ciphertext: Secret key queries: sk gk 2 Chosen by adversary sk gk2 (m, k 1 ) Chosen by challenger Adversary sees and Adversary knows m, k 2 and k 2 and outputs still look random! f m ; PRF k 1 k 2, m f(m ; PRF k 1 k 2, m )
45 Security Against Dishonest Encrypters Encrypter has a lot of flexibility in constructing ciphertexts: rfe. Encrypt(mpk, m) k 1 R K Encrypter can choose the keyshare Cannot influence output distribution due to RKA-security FE. Encrypt mpk, m, k 1 (m, k 1 ) Encrypter can choose the randomness Potentially problematic
46 Security Against Dishonest Encrypters Encrypter has a lot of flexibility in constructing ciphertexts: FE. Encrypt mpk, m, k 1 (m, k 1 ) (m, k 1 ) Run encryption algorithm twice with different randomness Two distinct FE ciphertexts encrypting the same message
47 Security Against Dishonest Encrypters Encrypter has a lot of flexibility in constructing ciphertexts: (m, k 1 ) (m, k 1 ) Decryption in real world: always produces same output Decryption in ideal world: always produces independent outputs Encrypter has too much freedom in constructing ciphertexts
48 Applying Deterministic Encryption Key observation: honestly generated ciphertexts have high entropy Should be random PRF key high entropy! (m, k 1 ) Derive encryption randomness from k 1 and include a NIZK argument that ciphertext is well-formed
49 Putting the Pieces Together rfe. Encrypt(mpk, m) k 1 R K FE. Encrypt mpk, m, k 1 ; h(k 1 ) NIZK argument of knowledge of (m, k 1 ) that explains ciphertext π Randomness for FE encryption derived from deterministic function on k 1 (e.g., a PRG)
50 Putting the Pieces Together rfe. Encrypt(mpk, m) k 1 R K Ciphertext is a deterministic function of m, k 1 so for any distinct pairs (m, k 1 ), (m, k 1 ), outputs of PRF uniform and independently distributed by RKA-security FE. Encrypt mpk, m, k 1 ; h(k 1 ) π
51 Our Transformation in a Nutshell Simulationsecure FE NIZK arguments DDH + RSA RKAsecure PRF deterministic encryption Security properties of underlying FE scheme is preserved (e.g., adaptive security) Simulationsecure rfe
52 The State of (Public-Key) Functional Encryption Deterministic functionalities [SS10, GVW12, ] Randomized functionalities PKE [GGHRSW13, GGHZ16, ] Multilinear Maps / io Bounded- Collusion FE General- Purpose FE io [GJKS15] General- Purpose rfe Generally adaptively secure Selectively secure
53 The State of (Public-Key) Functional Encryption [SS10, GVW12, ] Number-theoretic assumptions PKE [GGHRSW13, GGHZ16, ] Multilinear Maps / io Bounded- Collusion FE General- Purpose FE Bounded- Collusion rfe General- Purpose rfe Adaptively secure against malicious encrypters! This work
54 Open Questions More direct / efficient constructions of rfe for simpler classes of functionalities (e.g., sampling from a database)? Generic construction of rfe from FE without making additional assumptions? Connections between rfe and other primitives (e.g., various flavors of obfuscation)?
55 Questions?
Access Control Encryption for General Policies from Standard Assumptions
Access Control Encryption for General Policies from Standard Assumptions Sam Kim Stanford University skim13@cs.stanford.edu David J. Wu Stanford University dwu4@cs.stanford.edu Abstract Functional encryption
More informationUnbounded Inner Product Functional Encryption from Bilinear Maps ASIACRYPT 2018
Unbounded Inner Product Functional Encryption from Bilinear Maps ASIACRYPT 2018 Junichi Tomida (NTT), Katsuyuki Takashima (Mitsubishi Electric) Functional Encryption[OʼNeill10, BSW11] msk Bob f(x) sk f
More informationApplication to More Efficient Obfuscation
Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Program Obfuscation [BGIRSVY01, GGHRSW13] Indistinguishability obfuscation (io)
More informationMulti-Theorem Preprocessing NIZKs from Lattices
Multi-Theorem Preprocessing NIZKs from Lattices Sam Kim and David J. Wu Stanford University Soundness: x L, P Pr P, V (x) = accept = 0 No prover can convince honest verifier of false statement Proof Systems
More informationLeakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter
Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter Baodong Qin and Shengli Liu Shanghai Jiao Tong University ASIACRYPT 2013 Dec 5, Bangalore,
More informationA Punctured Programming Approach to Adaptively Secure Functional Encryption
A Punctured Programming Approach to Adaptively Secure Functional Encryption Brent Waters University of Texas at Austin bwaters@cs.utexas.edu Abstract We propose the first construction for achieving adaptively
More informationSemi-Adaptive Security and Bundling Functionalities Made Generic and Easy
Semi-Adaptive Security and Bundling Functionalities Made Generic and Easy Rishab Goyal rgoyal@cs.utexas.edu Venkata Koppula kvenkata@cs.utexas.edu Brent Waters bwaters@cs.utexas.edu Abstract Semi-adaptive
More informationCRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS
CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt and Daniel Wichs NYU NY Area Crypto Reading Group Continuous Leakage Resilience (CLR): A Brief History
More informationFoundations of Cryptography CS Shweta Agrawal
Foundations of Cryptography CS 6111 Shweta Agrawal Course Information 4-5 homeworks (20% total) A midsem (25%) A major (35%) A project (20%) Attendance required as per institute policy Challenge questions
More informationCryptographic Agents: Towards a Unified Theory of Computing on Encrypted Data
Cryptographic Agents: Towards a Unified Theory of Computing on Encrypted Data Shashank Agrawal 1, Shweta Agrawal 2, and Manoj Prabhakaran 1 University of Illinois Urbana-Champaign {sagrawl2,mmp}@illinois.edu
More informationSecurity Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017
Security Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017 Hyung Tae Lee 1, Huaxiong Wang 2, Kai Zhang 3, 4 1 Chonbuk National University, Republic of Korea 2 Nanyang
More informationUpgrading to Functional Encryption
Upgrading to Functional Encryption Saikrishna Badrinarayanan Dakshita Khurana Amit Sahai Brent Waters Abstract The notion of Functional Encryption (FE) has recently emerged as a strong primitive with several
More informationFrom Selective to Adaptive Security in Functional Encryption
From Selective to Adaptive Security in Functional Encryption Prabhanjan Ananth 1, Zvika Brakerski 2, Gil Segev 3, and Vinod Vaikuntanathan 4 1 University of California, Los Angeles, USA. 2 Weizmann Institute
More informationNotes for Lecture 14
COS 533: Advanced Cryptography Lecture 14 (November 6, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Fermi Ma Notes for Lecture 14 1 Applications of Pairings 1.1 Recap Consider a bilinear e
More informationSecurity of Cryptosystems
Security of Cryptosystems Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Symmetric key cryptosystem m M 0 c Enc sk (m) sk Gen c sk m Dec sk (c) A randomised key generation algorithm outputs
More informationCryptography. Lecture 12. Arpita Patra
Cryptography Lecture 12 Arpita Patra Digital Signatures q In PK setting, privacy is provided by PKE q Integrity/authenticity is provided by digital signatures (counterpart of MACs in PK world) q Definition:
More informationRe-encryption, functional re-encryption, and multi-hop re-encryption: A framework for achieving obfuscation-based security
Re-encryption, functional re-encryption, and multi-hop re-encryption: A framework for achieving obfuscation-based security and instantiations from lattices Nishanth Chandran 1, Melissa Chase 1, Feng-Hao
More informationFunctional Encryption from (Small) Hardware Tokens
Functional Encryption from (Small) Hardware Tokens Kai-Min Chung 1, Jonathan Katz 2, and Hong-Sheng Zhou 3 1 Academia Sinica kmchung@iis.sinica.edu.tw 2 University of Maryland jkatz@cs.umd.edu 3 Virginia
More informationModeling Random Oracles under Unpredictable Queries
Modeling Random Oracles under Unpredictable Queries Pooya Farshim 1 Arno Mittelbach 2 1 ENS, CNRS & INRIA, PSL Research University, Paris, France 2 TU Darmstadt, Germany 23rd Fast Software Encryption Nordrhein-Westfalen
More informationCryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security
Cryptography CS 555 Topic 8: Modes of Encryption, The Penguin and CCA security 1 Reminder: Homework 1 Due on Friday at the beginning of class Please typeset your solutions 2 Recap Pseudorandom Functions
More informationLecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model
CMSC 858K Advanced Topics in Cryptography March 11, 2004 Lecturer: Jonathan Katz Lecture 14 Scribe(s): Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze 1 A Note on Adaptively-Secure NIZK A close look
More informationOn the Relationship between Functional Encryption, Obfuscation, and Fully Homomorphic Encryption
On the Relationship between Functional Encryption, Obfuscation, and Fully Homomorphic Encryption Joël Alwen 1, Manuel Barbosa 2, Pooya Farshim 3, Rosario Gennaro 4, S. Dov Gordon 5, Stefano Tessaro 6,7,
More information1 Achieving IND-CPA security
ISA 562: Information Security, Theory and Practice Lecture 2 1 Achieving IND-CPA security 1.1 Pseudorandom numbers, and stateful encryption As we saw last time, the OTP is perfectly secure, but it forces
More informationWhat Can Be Proved About Security?
What Can Be Proved About Security? Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in Centre for Artificial Intelligence and Robotics Bengaluru 23 rd
More informationAn Efficient Certificateless Proxy Re-Encryption Scheme without Pairing
An Efficient Certificateless Proxy Re-Encryption Scheme without Pairing Presented By: Arinjita Paul Authors: S. Sharmila Deva Selvi, Arinjita Paul, C. Pandu Rangan TCS Lab, Department of CSE, IIT Madras.
More informationFunctional Signatures and Pseudorandom Functions
Functional Signatures and Pseudorandom Functions The MIT Faculty has made this article openly available. Please share how this access benefits you. Your story matters. Citation As Published Publisher Boyle,
More informationThreshold Cryptosystems from Threshold Fully Homomorphic Encryption
Threshold Cryptosystems from Threshold Fully Homomorphic Encryption Sam Kim Stanford University Joint work with Dan Boneh, Rosario Gennaro, Steven Goldfeder, Aayush Jain, Peter M. R. Rasmussen, and Amit
More informationSECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY
SECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY Edoardo Persichetti University of Warsaw 06 June 2013 (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE 2013 1 / 20 Part I PRELIMINARIES
More informationIntroduction to Cryptography. Lecture 3
Introduction to Cryptography Lecture 3 Benny Pinkas March 6, 2011 Introduction to Cryptography, Benny Pinkas page 1 Pseudo-random generator seed s (random, s =n) Pseudo-random generator G Deterministic
More informationA CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model
A CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model Jörn Müller-Quade European Institute for System Security KIT, Karlsruhe, Germany 04/23/09 Session ID: CRYP301 Session Classification:
More informationIron: Functional encryption using Intel SGX
Iron: Functional encryption using Intel SGX Sergey Gorbunov University of Waterloo Joint work with Ben Fisch, Dhinakaran Vinayagamurthy, Dan Boneh. Motivation DNA_A DB = Database of DNA sequences DNA_B
More informationNotes for Lecture 5. 2 Non-interactive vs. Interactive Key Exchange
COS 597C: Recent Developments in Program Obfuscation Lecture 5 (9/29/16) Lecturer: Mark Zhandry Princeton University Scribe: Fermi Ma Notes for Lecture 5 1 Last Time Last time, we saw that we can get public
More informationFunctional Encryption from (Small) Hardware Tokens
Functional Encryption from (Small) Hardware Tokens Kai-Min Chung 1, Jonathan Katz 2, and Hong-Sheng Zhou 3 1 Academia Sinica, kmchung@iis.sinica.edu.tw 2 University of Maryland, jkatz@cs.umd.edu 3 Virginia
More informationCryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1
Cryptography CS 555 Topic 11: Encryption Modes and CCA Security CS555 Spring 2012/Topic 11 1 Outline and Readings Outline Encryption modes CCA security Readings: Katz and Lindell: 3.6.4, 3.7 CS555 Spring
More informationFrom Selective IBE to Full IBE and Selective HIBE
From Selective IBE to Full IBE and Selective HIBE Nico Döttling 1 and Sanjam Garg 2 1 Friedrich-Alexander-University Erlangen-Nürnberg 2 University of California, Berkeley Abstract. Starting with any selectively
More informationNew Approach to Practical Leakage-Resilient Public-Key Cryptography
New Approach to Practical Leakage-Resilient Public-Key Cryptography Suvradip Chakraborty 1, Janaka Alawatugoda 2, and C. Pandu Rangan 1 1 Computer Science and Engineering Department, Science and Engineering
More informationRelaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack
Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Indian Statistical Institute Kolkata January 14, 2012 Outline 1 Definitions Encryption Scheme IND-CPA IND-CCA IND-CCVA
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Department of Computer Science and Applied Math, Weizmann Institute of Science, Rehovot, Israel. lindell@wisdom.weizmann.ac.il
More informationDefinitions and Notations
Chapter 2 Definitions and Notations In this chapter, we present definitions and notation. We start with the definition of public key encryption schemes and their security models. This forms the basis of
More informationIntroduction to Cryptography. Lecture 3
Introduction to Cryptography Lecture 3 Benny Pinkas March 6, 2011 Introduction to Cryptography, Benny Pinkas page 1 Pseudo-random generator seed s (random, s =n) Pseudo-random generator G Deterministic
More informationIND-CCA2 secure cryptosystems, Dan Bogdanov
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee 1 Overview Notion of indistinguishability The Cramer-Shoup cryptosystem Newer results
More informationBetter 2-round adaptive MPC
Better 2-round adaptive MPC Ran Canetti, Oxana Poburinnaya TAU and BU BU Adaptive Security of MPC Adaptive corruptions: adversary adversary can decide can decide who to who corrupt to corrupt adaptively
More informationFunction-Private Functional Encryption in the Private-Key Setting
Function-Private Functional Encryption in the Private-Key Setting Zvika Brakerski 1 and Gil Segev 2 1 Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot 76100,
More informationAttribute-Based Fully Homomorphic Encryption with a Bounded Number of Inputs
Attribute-Based Fully Homomorphic Encryption with a Bounded Number of Inputs Michael Clear and Ciarán McGoldrick School of Computer Science and Statistics, Trinity College Dublin {clearm, Ciaran.McGoldrick}@scss.tcd.ie
More informationCSC 5930/9010 Modern Cryptography: Cryptographic Hashing
CSC 5930/9010 Modern Cryptography: Cryptographic Hashing Professor Henry Carter Fall 2018 Recap Message integrity guarantees that a message has not been modified by an adversary Definition requires that
More informationAttribute-Based Encryption. Allison Lewko, Microsoft Research
Attribute-Based Encryption Allison Lewko, Microsoft Research The Cast of Characters This talk will feature work by: Brent Waters Amit Sahai Vipul Goyal Omkant Pandey With special guest appearances by:
More informationCSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring 2018 5 and 6 February 2018 Identification schemes are mechanisms for Alice to prove her identity to Bob They comprise a setup
More informationCSC 5930/9010 Modern Cryptography: Public Key Cryptography
CSC 5930/9010 Modern Cryptography: Public Key Cryptography Professor Henry Carter Fall 2018 Recap Number theory provides useful tools for manipulating integers and primes modulo a large value Abstract
More informationBrief Introduction to Provable Security
Brief Introduction to Provable Security Michel Abdalla Département d Informatique, École normale supérieure michel.abdalla@ens.fr http://www.di.ens.fr/users/mabdalla 1 Introduction The primary goal of
More informationLecture 8: Cryptography in the presence of local/public randomness
Randomness in Cryptography Febuary 25, 2013 Lecture 8: Cryptography in the presence of local/public randomness Lecturer: Yevgeniy Dodis Scribe: Hamidreza Jahanjou So far we have only considered weak randomness
More informationLecture 1: Perfect Security
CS 290G (Fall 2014) Introduction to Cryptography Oct 2nd, 2014 Instructor: Rachel Lin 1 Recap Lecture 1: Perfect Security Scribe: John Retterer-Moore Last class, we introduced modern cryptography and gave
More informationOn the Application of Generic CCA-Secure Transformations to Proxy Re-Encryption
D. Nuñez, I. Agudo, and J. Lopez, On the Application of Generic CCA-Secure Transformations to Proxy Re-Encryption, Security and Communication Networks, vol. 9, pp. 1769-1785, 2016. http://doi.org/10.1002/sec.1434
More informationLectures 4+5: The (In)Security of Encrypted Search
Lectures 4+5: The (In)Security of Encrypted Search Contents 1 Overview 1 2 Data Structures 2 3 Syntax 3 4 Security 4 4.1 Formalizing Leaky Primitives.......................... 5 1 Overview In the first
More informationCryptology complementary. Symmetric modes of operation
Cryptology complementary Symmetric modes of operation Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 05 03 Symmetric modes 2018 05 03
More informationSymmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University
Symmetric-Key Cryptography Part 1 Tom Shrimpton Portland State University Building a privacy-providing primitive I want my communication with Bob to be private -- Alice What kind of communication? SMS?
More informationAuthenticated encryption
Authenticated encryption Mac forgery game M {} k R 0,1 s m t M M {m } t mac k (m ) Repeat as many times as the adversary wants (m, t) Wins if m M verify m, t = 1 Mac forgery game Allow the adversary to
More informationLecture 15: Public Key Encryption: I
CSE 594 : Modern Cryptography 03/28/2017 Lecture 15: Public Key Encryption: I Instructor: Omkant Pandey Scribe: Arun Ramachandran, Parkavi Sundaresan 1 Setting In Public-key Encryption (PKE), key used
More informationInformation Security CS526
Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for
More informationPaper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage
1 Announcements Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage 2 Recap and Overview Previous lecture: Symmetric key
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Michael J. Fischer Lecture 4 September 11, 2017 CPSC 467, Lecture 4 1/23 Analyzing Confidentiality of Cryptosystems Secret ballot elections Information protection Adversaries
More informationLecture 10, Zero Knowledge Proofs, Secure Computation
CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last
More informationConstraint hiding constrained PRF for NC1 from LWE. Ran Canetti, Yilei Chen, # Eurocrypt 2017 special edition
Constraint hiding constrained PRF for NC1 from LWE Ran Canetti, Yilei Chen, # Eurocrypt 2017 special edition 1 2 Puncture! 3 4 Puncturable/constrained PRF [Boneh, Waters 13, Kiayias, Papadopoulos, Triandopoulos,
More informationOrder-Revealing Encryption:
Order-Revealing Encryption: New Constructions, Applications and Lower Bounds Kevin Lewi and David J. Wu Stanford University Searching on Encrypted Data Searching on Encrypted Data Searching on Encrypted
More informationRandom Oracles - OAEP
Random Oracles - OAEP Anatoliy Gliberman, Dmitry Zontov, Patrick Nordahl September 23, 2004 Reading Overview There are two papers presented this week. The first paper, Random Oracles are Practical: A Paradigm
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 4 Markus Bläser, Saarland University Message authentication How can you be sure that a message has not been modified? Encyrption is not
More informationOrder-Revealing Encryption:
Order-Revealing Encryption: How to Search on Encrypted Data David Wu Stanford University based on joint works with Nathan Chenette, Kevin Lewi, and Stephen A. Weis Searching on Encrypted Data The information
More informationPrivacy, Discovery, and Authentication for the Internet of Things
Privacy, Discovery, and Authentication for the Internet of Things David J. Wu Ankur Taly Asim Shankar Dan Boneh Stanford University Google Google Stanford University The Internet of Things (IoT) Lots of
More informationFORMALIZING GROUP BLIND SIGNATURES... PRACTICAL CONSTRUCTIONS WITHOUT RANDOM ORACLES. Essam Ghadafi ACISP 2013
FORMALIZING GROUP BLIND SIGNATURES AND PRACTICAL CONSTRUCTIONS WITHOUT RANDOM ORACLES Essam Ghadafi ghadafi@cs.bris.ac.uk University of Bristol ACISP 2013 FORMALIZING GROUP BLIND SIGNATURES... OUTLINE
More informationGeneric Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model
Generic Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model Janaka Alawatugoda Department of Computer Engineering University of Peradeniya,
More informationRelations between robustness and RKA security under public-key encryption
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2016 Relations between robustness and RKA security
More informationFeedback Week 4 - Problem Set
4/26/13 Homework Feedback Introduction to Cryptography Feedback Week 4 - Problem Set You submitted this homework on Mon 17 Dec 2012 11:40 PM GMT +0000. You got a score of 10.00 out of 10.00. Question 1
More informationOptimal-Rate Non-Committing Encryption in a CRS Model
Optimal-Rate Non-Committing Encryption in a CRS Model Ran Canetti Oxana Poburinnaya Mariana Raykova May 24, 2016 Abstract Non-committing encryption (NCE) implements secure channels under adaptive corruptions
More informationAdaptively Secure Computation with Partial Erasures
Adaptively Secure Computation with Partial Erasures Carmit Hazay Yehuda Lindell Arpita Patra Abstract Adaptive security is a strong corruption model that captures hacking attacks where an external attacker
More informationPrivately Constraining and Programming PRFs, the LWE Way PKC 2018
Privately Constraining and Programming PRFs, the LWE Way Chris Peikert Sina Shiehian PKC 2018 1 / 15 Constrained Pseudorandom Functions [KPTZ 13,BW 13,BGI 14] 1 Ordinary evaluation algorithm Eval(msk,
More informationSecurity and Privacy through Modern Cryptography
Security and Privacy through Modern Cryptography David Wu Stanford University Cryptography in the 1970s How can two users who have never met before communicate securely with each other? m secrecy integrity
More informationMTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov October 31, 2005 Abstract Standard security assumptions (IND-CPA, IND- CCA) are explained. A number of cryptosystems
More informationPublic-Key Encryption in the Bounded-Retrieval Model
Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen 1, Yevgeniy Dodis 1, Moni Naor 2, Gil Segev 2, Shabsi Walfish 3, and Daniel Wichs 1 1 New York University (NYU). New York, USA {jalwen,dodis,wichs}@cs.nyu.edu
More informationSanitizable Signcryption: Sanitization over Encrypted Data (Full Version)
Sanitizable Signcryption: Sanitization over Encrypted Data (Full Version) Victoria Fehr 1 Marc Fischlin 1 Cryptoplexity, Technische Universität Darmstadt, Germany www.cryptoplexity.de victoria.fehr@cased.de
More informationCryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39
Cryptography 2017 Lecture 4 Attacks against Block Ciphers Introduction to Public Key Cryptography November 14, 2017 1 / 39 What have seen? What are we discussing today? What is coming later? Lecture 3
More informationFormal Analysis of Chaumian Mix Nets with Randomized Partial Checking
Formal Analysis of Chaumian Mix Nets with Randomized Partial Checking Ralf Küsters University of Trier, Germany kuesters@uni-trier.de Tomasz Truderung University of Trier, Germany truderung@uni-trier.de
More informationCrypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))
Introduction (Mihir Bellare Text/Notes: http://cseweb.ucsd.edu/users/mihir/cse207/) Cryptography provides: Data Privacy Data Integrity and Authenticity Crypto-systems all around us ATM machines Remote
More informationCS408 Cryptography & Internet Security
CS408 Cryptography & Internet Security Lectures 16, 17: Security of RSA El Gamal Cryptosystem Announcement Final exam will be on May 11, 2015 between 11:30am 2:00pm in FMH 319 http://www.njit.edu/registrar/exams/finalexams.php
More informationEncryption from the Diffie-Hellman assumption. Eike Kiltz
Encryption from the Diffie-Hellman assumption Eike Kiltz Elliptic curve public-key crypto Key-agreement Signatures Encryption Diffie-Hellman 76 passive security ElGamal 84 passive security Hybrid DH (ECDH)
More informationPrivacy, Discovery, and Authentication for the Internet of Things
Privacy, Discovery, and Authentication for the Internet of Things David J. Wu Ankur Taly Asim Shankar Dan Boneh Stanford University Google Google Stanford University The Internet of Things (IoT) Lots of
More informationOrder-Revealing Encryption:
Order-Revealing Encryption: How to Search on Encrypted Data Kevin Lewi and David J. Wu Stanford University Searching on Encrypted Data Searching on Encrypted Data Searching on Encrypted Data Searching
More informationHierarchical Attribute-based Signatures
Hierarchical Attribute-based Signatures Constantin-Cǎtǎlin Drǎgan, Daniel Gardham and Mark Manulis Surrey Centre for Cyber Security, University of Surrey, UK c.dragan@surrey.ac.uk, d.gardham@surrey.ac.uk,
More informationLecture 18 - Chosen Ciphertext Security
Lecture 18 - Chosen Ciphertext Security Boaz Barak November 21, 2005 Public key encryption We now go back to public key encryption. As we saw in the case of private key encryption, CPA security is not
More informationRelaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack
Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Sumit Kumar Pandey, Santanu Sarkar and Mahavir Prasad Jhanwar CR Rao AIMSCS Hyderabad November 2, 2012 Outline 1 Definitions
More informationChosen-Ciphertext Security (II)
Chosen-Ciphertext Security (II) CS 601.442/642 Modern Cryptography Fall 2018 S 601.442/642 Modern Cryptography Chosen-Ciphertext Security (II) Fall 2018 1 / 13 Recall: Chosen-Ciphertext Attacks (CCA) Adversary
More informationRound-Optimal Password-Protected Secret Sharing and T-PAKE in the Password-Only Model
Round-Optimal Password-Protected Secret Sharing and T-PAKE in the Password-Only Model Stanislaw Jarecki 1, Aggelos Kiayias 2, and Hugo Krawczyk 3 1 University of California Irvine, stasio@ics.uci.edu 2
More informationLecture 20: Public-key Encryption & Hybrid Encryption. Public-key Encryption
Lecture 20: & Hybrid Encryption Lecture 20: & Hybrid Encryption Overview Suppose there is a 2-round Key-Agreement protocol. This means that there exists a protocol where Bob sends the first message m B
More informationImproved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption
Improved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption Dan Boneh 1 and Jonathan Katz 2 1 Computer Science Department, Stanford University, Stanford CA 94305 dabo@cs.stanford.edu
More informationLecture 8. 1 Some More Security Definitions for Encryption Schemes
U.C. Berkeley CS276: Cryptography Lecture 8 Professor David Wagner February 9, 2006 Lecture 8 1 Some More Security Definitions for Encryption Schemes 1.1 Real-or-random (rr) security Real-or-random security,
More informationStateful Key Encapsulation Mechanism
Stateful Key Encapsulation Mechanism Peng Yang, 1 Rui Zhang, 2 Kanta Matsuura 1 and Hideki Imai 2 The concept of stateful encryption was introduced to reduce computation cost of conventional public key
More information6 Pseudorandom Functions
6 Pseudorandom Functions A pseudorandom generator allows us to take a small amount of uniformly sampled bits, and amplify them into a larger amount of uniform-looking bits A PRG must run in polynomial
More informationFairness in an Unfair World: Fair Multiparty Computation from Public Bulletin Boards
Fairness in an Unfair World: Fair Multiparty Computation from Public Bulletin Boards Arka Rai Choudhuri achoud@cs.jhu.edu Johns Hopkins University Matthew Green mgreen@cs.jhu.edu Johns Hopkins University
More informationOn the Security of Group-based Proxy Re-encryption Scheme
On the Security of Group-based Proxy Re-encryption Scheme Purushothama B R 1, B B Amberker Department of Computer Science and Engineering National Institute of Technology Warangal Warangal, Andhra Pradesh-506004,
More informationLecture 3.4: Public Key Cryptography IV
Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2012 Nitesh Saxena Course Administration HW1 submitted Trouble with BB Trying to check with BB support HW1 solution will be posted very soon
More informationCSC 5930/9010 Modern Cryptography: Public-Key Infrastructure
CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure Professor Henry Carter Fall 2018 Recap Digital signatures provide message authenticity and integrity in the public-key setting As well as public
More informationOrder-Revealing Encryption:
Order-Revealing Encryption: How to Search on Encrypted Data Kevin Lewi and David J. Wu Stanford University Searching on Encrypted Data The information accessed from potentially exposed accounts "may have
More information