CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS
1 CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS
Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt and Daniel Wichs (NYU)
NY Area Crypto Reading Group
2 Continuous Leakage Resilience (CLR): A Brief History
- Initial results [BKKV10]: show feasibility of CLR signatures, under a non-standard, non-black-box assumption on hash functions. Uses PCPs (short CS proofs). Not practical.
- This work: first constructions of CLR primitives (signatures, ID schemes, key agreement) under standard assumptions (the linear assumption in bilinear groups). Efficient/practical schemes. Leakage up to ½ of the secret key.
- Follow-up results of [BKKV10]: CLR encryption and IBE, under the same assumption as our work. Also leads to an alternate construction of signatures (slightly worse leakage).
3 This Talk
- Basic primitive: CLR one-way relation.
- Signatures / ID schemes / AKA follow from the techniques of prior works [KV09, ADW09, DHLW10].
4 Main Technical Problem: CLR One-Way Relation
- KeyGen() generates (pk, sk) pairs: (pk, sk) ← KeyGen().
- Relation R tests whether (pk, sk) is valid: R(pk, sk) = 1.
- Basic one-wayness: given pk, can't find sk* s.t. R(pk, sk*) = 1.

5-6 Main Technical Problem: CLR One-Way Relation (continued)
- Rerand(sk) refreshes the secret key: sk → Rerand → sk', and the refreshed key is still valid, R(pk, sk') = 1.
- Can refresh arbitrarily many times: sk → Rerand → Rerand → Rerand → ...
7-9 Main Technical Problem: CLR One-Way Relation (Security)
- Adversary gets pk.
- Can ask for up to L bits of information about sk (e.g. "What are the first L bits of SHA-1(sk)?").
- Key is refreshed; the adversary can again ask for up to L bits about the refreshed key, and so on.
- Wins if it outputs sk* with R(pk, sk*) = 1.
10 Difficulty of Constructing CLR-OWR
- In a reduction, we need to know many valid secret keys in full (to answer the leakage queries on each refreshed key).
- Nevertheless, we need to solve some hard problem given a valid forgery by the adversary.
- Hope: the forgery is of a different type than the secret keys we know.
- But the adversary gets an unbounded amount of information in total. Why can't it learn the type?
11 Outline of Construction
1. General strategy to handle continuous leakage: reduce continuous leakage to overall-bounded leakage.
2. Construction from (special) PKE/NIZK.
3. Instantiate components based on the linear assumption.
12 Strategy for CLR-OWR
For each public key pk:
- Valid = { sk : R(pk, sk) = 1 }.
- Good ⊆ Valid, Bad = Valid \ Good.
Can sample pk along with:
- samg: samples sk ∈ Good.
- samb: samples sk ∈ Bad.
- dk: isgood(sk, dk) = 0/1 tells good keys from bad ones.
Re-randomize inside Good: Rerand(sk) ≈ Sample(samg), i.e. a fresh good key, even conditioned on pk, samg, sk.
13 Strategy for CLR-OWR (Security)
- Hardness of good keys: given pk, samb, hard to find sk* s.t. isgood(sk*, dk) = 1.
- Hardness of bad keys: given pk, samg, hard to find sk* s.t. isgood(sk*, dk) = 0.
- L-Leakage-Indistinguishability: adversary gets pk, samg, samb. Challenger randomly chooses a {good, bad} key sk. Adversary gets L bits of leakage on sk. Wins if it produces sk* in the same category as sk. (Cannot correlate the category of sk* with that of sk.)

14 Strategy for CLR-OWR: Leakage-Indistinguishable Relation (LIR)
A relation with the three properties above (hardness of good keys, hardness of bad keys, L-leakage-indistinguishability) is a Leakage-Indistinguishable Relation (LIR). Note that in the L-leakage-indistinguishability game the leakage is not continuous: only L bits on a single key.
15 1. LIR ⇒ CLR-OWR
Claim: an L-LIR is an L-CLR-OWR.
Proof:
- During the attack, the adversary only sees random good keys.
- The forgery must be a good key, by hardness of bad keys.
- One by one, switch the good keys for bad keys. Pr[forged key is good] does not decrease, by L-leakage-indistinguishability.
- Now the adversary only sees bad keys, yet the forgery is good. Contradicts hardness of good keys.
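The hybrid argument behind the claim on slide 15, written out as an added worked derivation (it is not on the slides); the number of refreshes T, the success probability δ, the advantages ε_LI and ε_bad, and the hybrids H_i are notation introduced here.

Let T be the (polynomial) number of key refreshes during the attack, and let hybrid $H_i$ ($0 \le i \le T$) answer the adversary's leakage queries on keys $sk_1, \dots, sk_T$ where $sk_1, \dots, sk_i$ are sampled with samb and $sk_{i+1}, \dots, sk_T$ with samg; the real attack is $H_0$. Write

$$p_i = \Pr_{H_i}\big[\, R(pk, sk^*) = 1 \;\wedge\; \mathrm{isgood}(sk^*, dk) = 1 \,\big].$$

Hardness of bad keys: in $H_0$ the adversary sees only good keys, which can be produced from pk and samg alone, so if it forges a valid key with probability δ, all but a negligible fraction $\varepsilon_{bad}$ of those forgeries are good:

$$p_0 \;\ge\; \delta - \varepsilon_{bad}.$$

Leakage indistinguishability: given pk, samg, samb, a reduction samples $sk_1, \dots, sk_i$ with samb and $sk_{i+2}, \dots, sk_T$ with samg, plants the challenge key as $sk_{i+1}$, forwards the adversary's L-bit leakage query on it as its own single leakage query, and outputs the forgery $sk^*$. If the challenge key is good the adversary is in $H_i$, if bad it is in $H_{i+1}$, and the reduction wins exactly when $sk^*$ is valid and in the challenge's category, so

$$\Pr[\text{win}] \;\le\; \tfrac12\, p_i + \tfrac12\,(1 - p_{i+1}) \;=\; \tfrac12 + \tfrac12\,(p_i - p_{i+1}) \;\le\; \tfrac12 + \varepsilon_{LI},$$

i.e. $p_{i+1} \ge p_i - 2\varepsilon_{LI}$ for every $i$. Telescoping over the T hybrids:

$$p_T \;\ge\; p_0 - 2T\varepsilon_{LI} \;\ge\; \delta - \varepsilon_{bad} - 2T\varepsilon_{LI},$$

which is non-negligible. But in $H_T$ the adversary sees only bad keys, which can be produced from pk and samb alone, and still outputs a good key with probability $p_T$: this contradicts hardness of good keys.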
19 Outline of Construction
1. General strategy to handle continuous leakage: reduce continuous leakage to one-time leakage.
2. Construction from (special) PKE/NIZK.
3. Instantiate components based on DDH/K-Linear.
20 Constructing LIR
Let E1, E2 be two PKE schemes and Π be a NIZK argument system. The LIR scheme samples:
- pk = (CRS, pk1, pk2, c1) where c1 = Enc_pk1(m; r) for random m.
- Secret keys have the form sk = (c2, π).
- Valid sk: π proves that (c1, c2) encrypt the same message.
- Good sk: (c1, c2) actually encrypt the same message.
- Sample good keys with samg = (m, r).
- Sample bad keys with samb = TD (the NIZK simulation trapdoor).
- Distinguish good/bad keys with dk = (sk1, sk2).
21 Constructing LIR: what we need
- Re-randomization.
- Hardness of good keys.
- Hardness of bad keys.
- L-leakage-indistinguishability.
22 Constructing LIR (Hardness)
pk = (CRS, pk1, pk2, c1), sk = (c2, π), samg = (m, r), samb = TD, dk = (sk1, sk2).
Valid sk: π proves that (c1, c2) encrypt the same message. Good sk: (c1, c2) actually encrypt the same message.
- Hardness of good keys: follows if E1 is semantically secure (or even just one-way).
- Hardness of bad keys: follows from the soundness of the NIZK.
24 Constructing LIR (Re-randomization)
pk = (CRS, pk1, pk2, c1), sk = (c2, π).
To re-randomize sk = (c2, π) we need to:
- Re-randomize the ciphertext c2 (same message, fresh randomness).
- Update the NIZK proof π (new statement, fresh randomness).
25 Constructing LIR (Re-randomization)
pk = (CRS, pk1, pk2, c1), sk = (c2, π).
Assume E1, E2, Π are homomorphic over some groups:
- Homomorphic encryption: Enc(m; r) + Enc(m'; r') = Enc(m + m'; r + r').
- Homomorphic language: x ∈ L, x' ∈ L ⇒ x + x' ∈ L.
- Homomorphic NIZK for a homomorphic language: if π, π' are proofs of x, x', then π + π' is a proof of x + x'. The notion of re-randomizable/malleable proofs was defined by [BCC+09].
The language "(c1, c2) encrypt the same message" is homomorphic. Notice that (c1, c2 + Enc(0; r)) = (c1, c2) + (Enc(0; 0), Enc(0; r)), and the second summand is itself in the language, so a fresh proof for it can be added to π to obtain a proof for the re-randomized statement.
26 Constructing LIR: what we need
- Re-randomization. (If E1, E2, Π are homomorphic.)
- Hardness of good keys.
- Hardness of bad keys.
- L-leakage-indistinguishability.
27 Constructing LIR (Leakage Indistinguishability)
pk = (CRS, pk1, pk2, c1), sk = (c2, π).
To get L-leakage-indistinguishability, we need a new security notion for E2.
L-Leakage-of-Ciphertext Non-Malleability (L-LoC-NM): given L bits of leakage on a ciphertext c, can't produce a related ciphertext c*.
- Adversary gets pk. Chooses m0, m1.
- Challenger chooses b ← {0,1}. Sets c = Enc(m_b).
- Adversary gets L bits of leakage on the ciphertext c.
- Adversary makes 1 decryption query on any c*.
- Wins if it guesses b.
LoC-NM security is weaker than non-malleability (the case L = |c|, where the whole ciphertext is available) and stronger than semantic security. But we need LoC-NM + homomorphic schemes! Is it possible?
28 Constructing LIR: what we need
- Re-randomization. (If E1, E2, Π are homomorphic.)
- Hardness of good keys.
- Hardness of bad keys.
- L-leakage-indistinguishability. (If E2 is L-LoC-NM.)
29 Outline of Construction
1. General strategy to handle continuous leakage: reduce continuous leakage to one-time leakage.
2. Construction from (special) PKE/NIZK.
3. Instantiate components based on DDH/K-Linear.
30 Homomorphic NIZKs
- Groth-Sahai NIZKs are homomorphic for systems of equations over prime-order groups (with a pairing). Influenced by the work of [BCC+09] on re-randomizable proofs.
- Secure under the K-linear assumption for any K ≥ 1.
- 1-linear = DDH. Can only hold for asymmetric pairings (the two base groups are different).
- 2-linear can hold for symmetric and asymmetric pairings.
- The K-linear assumption gets weaker as K grows.
31 Homomorphic Encryption
- For E1, use ElGamal (generalized to K-linear).
- For E2, use Cramer-Shoup-Lite encryption (generalized).
- Cramer-Shoup-Lite: only CCA-1 secure, but homomorphic. Enc(m; r) = (g^r, h^r, (f0)^r · m, (f1)^r).
- In general, CCA-1 security does not imply L-LoC-NM. But the proof technique extends to show L-LoC-NM for L ≈ ¼|c|.
- Can generalize the scheme to get L-LoC-NM for L ≈ (1-ε)|c|: Enc(m; r) = (g^r, h^r, (f0)^r · m, (f1)^r, (f2)^r, (f3)^r, ...).
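The key structure of slides 20, 24, 25 and 31 in working code, as an added example that is not the paper's own implementation: E1 is ElGamal, E2 is Cramer-Shoup-Lite with Enc(m; r) = (g^r, h^r, f0^r·m, f1^r), Rerand(sk) adds Enc(1; r') homomorphically, and isgood uses dk = (sk1, sk2). The group (a constructed 11-bit safe-prime subgroup), the toy message encoding and the omission of the NIZK proof π and CRS are assumptions made here.

```python
# Added example (not from the paper): the good/bad key structure of the LIR
# with E1 = ElGamal and E2 = Cramer-Shoup-Lite over a constructed toy group,
# plus Rerand(sk) as the homomorphic addition of Enc(1; r').
# The NIZK proof pi is omitted; isgood() uses dk = (sk1, sk2) as on the slides.
import secrets

# Constructed toy parameters: safe prime p = 2q + 1, g = 4 generates the
# order-q subgroup of quadratic residues. Far too small for real use.
P, Q, G = 2039, 1019, 4

def rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, q-1]

def encode(m: int) -> int:
    """Toy message encoding: map a small integer into the subgroup as g^m."""
    return pow(G, m, P)

# --- E1: ElGamal, pk1 = g^a, sk1 = a ---------------------------------------
def eg_keygen():
    a = rand_exp()
    return pow(G, a, P), a

def eg_enc(pk1, m, r=None):
    r = rand_exp() if r is None else r
    return (pow(G, r, P), pow(pk1, r, P) * m % P)

def eg_dec(sk1, c):
    u, e = c
    return e * pow(u, -sk1, P) % P               # negative exponent = modular inverse

# --- E2: Cramer-Shoup-Lite, Enc(m; r) = (g^r, h^r, f0^r * m, f1^r) ---------
def csl_keygen():
    w, x0, y0, x1, y1 = (rand_exp() for _ in range(5))
    h = pow(G, w, P)
    f0 = pow(G, x0, P) * pow(h, y0, P) % P
    f1 = pow(G, x1, P) * pow(h, y1, P) % P
    return (h, f0, f1), (x0, y0, x1, y1)

def csl_enc(pk2, m, r=None):
    h, f0, f1 = pk2
    r = rand_exp() if r is None else r
    return (pow(G, r, P), pow(h, r, P), pow(f0, r, P) * m % P, pow(f1, r, P))

def csl_dec(sk2, c):
    x0, y0, x1, y1 = sk2
    u1, u2, e, v = c
    if v != pow(u1, x1, P) * pow(u2, y1, P) % P:
        return None                              # consistency check failed: reject
    return e * pow(pow(u1, x0, P) * pow(u2, y0, P), -1, P) % P

def csl_add(c, d):
    """Homomorphic 'addition': Enc(m; r) + Enc(m'; r') = Enc(m*m'; r + r')."""
    return tuple(a * b % P for a, b in zip(c, d))

# --- LIR key structure (pi and the CRS omitted) -----------------------------
def lir_setup(m: int):
    """Sample pk = (pk1, pk2, c1) with samg = (m, r) and dk = (sk1, sk2)."""
    pk1, sk1 = eg_keygen()
    pk2, sk2 = csl_keygen()
    r = rand_exp()
    c1 = eg_enc(pk1, encode(m), r)
    return (pk1, pk2, c1), (m, r), (sk1, sk2)

def sample_good(pk, samg):
    """samg lets us make c2 encrypt the same message as c1: a good key."""
    return csl_enc(pk[1], encode(samg[0]))

def sample_bad(pk, samg):
    """A bad key: c2 encrypts a different message than c1. (The real scheme
    also needs the NIZK trapdoor TD to fake the proof pi; there is no pi here.)"""
    return csl_enc(pk[1], encode(samg[0] + 1))

def rerand(pk, c2, r=None):
    """Rerand(sk): c2 + Enc(1; r'). Same plaintext, fresh randomness r + r'."""
    return csl_add(c2, csl_enc(pk[1], 1, r))

def isgood(dk, pk, c2) -> bool:
    """isgood(sk, dk): decrypt c1 and c2 with dk and compare the plaintexts."""
    sk1, sk2 = dk
    m2 = csl_dec(sk2, c2)
    return m2 is not None and eg_dec(sk1, pk[2]) == m2

if __name__ == "__main__":
    pk, samg, dk = lir_setup(7)
    key = sample_good(pk, samg)
    for _ in range(5):                           # refresh the key several times
        key = rerand(pk, key)
        print("refreshed key still good:", isgood(dk, pk, key))
    bad = rerand(pk, sample_bad(pk, samg))
    print("bad key stays bad after rerand:", not isgood(dk, pk, bad))
```

Refreshing never leaves the Good set and never enters it, which is exactly what the hybrid proof on slide 15 needs from Rerand.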
32 Summary of CLR-OWR
- Construct L-CLR-OWR based on the K-linear assumption.
- Practical efficiency: constant number of group elements and group operations.
- Relative leakage L/|sk| ≈ 1/(K+1): 1/2 for DDH, 1/3 for 2-linear.
- Leads to signatures with the same leakage/efficiency.
- [BKKV10]: CLR OWR/signatures/encryption with L/|sk| ≈ 1/(2K). Recently improved by [DW10] to 1/K (e.g. ≈ 1 for DDH).
33 Thank you!
eprint Report 2010/196 (many extensions)
More informationThe ElGamal Public- key System
Online Cryptography Course Dan Boneh Public key encryp3on from Diffie- Hellman The ElGamal Public- key System Recap: public key encryp3on: (Gen, E, D) Gen pk sk m c c m E D Recap: public- key encryp3on
More informationKey-Evolution Schemes Resilient to Space Bounded Leakage
Key-Evolution Schemes Resilient to Space Bounded Leakage Stefan Dziembowski Tomasz Kazana Daniel Wichs Main contribution We propose a secure scheme for deterministic key-evolution Properties: leakage-resilient
More informationThreshold Cryptosystems from Threshold Fully Homomorphic Encryption
Threshold Cryptosystems from Threshold Fully Homomorphic Encryption Sam Kim Stanford University Joint work with Dan Boneh, Rosario Gennaro, Steven Goldfeder, Aayush Jain, Peter M. R. Rasmussen, and Amit
More informationHomomorphic Encryption
Homomorphic Encryption Travis Mayberry Cloud Computing Cloud Computing Cloud Computing Cloud Computing Cloud Computing Northeastern saves money on infrastructure and gets the benefit of redundancy and
More informationCryptography: More Primitives
Design and Analysis of Algorithms May 8, 2015 Massachusetts Institute of Technology 6.046J/18.410J Profs. Erik Demaine, Srini Devadas and Nancy Lynch Recitation 11 Cryptography: More Primitives 1 Digital
More informationOn Protecting Cryptographic Keys Against Continual Leakage
On Protecting Cryptographic Keys Against Continual Leakage Ali Juma Yevgeniy Vahlis University of Toronto {ajuma,evahlis}@cs.toronto.edu April 13, 2010 Abstract Side-channel attacks have often proven to
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationCS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong
CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationLeakage-Resilient Symmetric Cryptography (Overview of the ERC Project CRASH, part II)
Leakage-Resilient Symmetric Cryptography (Overview of the ERC Project CRASH, part II) François-Xavier Standaert UCL Crypto Group, Belgium INDOCRYPT, December 2016 Outline Introduction Natural PRGs/PRFs
More informationImproved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption
Improved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption Dan Boneh 1 and Jonathan Katz 2 1 Computer Science Department, Stanford University, Stanford CA 94305 dabo@cs.stanford.edu
More informationShort Paper On the Generic Hardness of DDH-II
Short Paper On the Generic Hardness of DDH-II Ivan Damgård, Carmit Hazay, Angela Zottarel Abstract. The well known Decisional Diffie-Hellman assumption states that given g, g a and g b, for random a, b,
More informationWeak adaptive chosen ciphertext secure hybrid encryption scheme
Weak adaptive chosen ciphertext secure hybrid encryption scheme Xianhui Lu 1, Xuejia Lai 2, Dake He 1, Guomin Li 1 Email:luxianhui@gmail.com 1:School of Information Science & Technology, SWJTU, Chengdu,
More information