Public-Key Encryption
|
|
- Rebecca Robertson
- 5 years ago
- Views:
Transcription
1 Public-Key Encryption Glorianna Jagfeld & Rahiel Kasim University of Amsterdam 10 March 2016 Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
2 Warmup: crossword puzzle! Please solve the puzzle on our own. After you are done, check your solutions with your neighbor. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
3 Warmup: crossword puzzle! Please solve the puzzle on our own. After you are done, check your solutions with your neighbor. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
4 Outline 1 Definitions of Security for Public-Key Encryption 2 Hybrid Encryption and KEM/DEM 3 CDH/DDH-Based Encryption: ElGamal 4 RSA Encryption Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
5 Table of Contents 1 Definitions of Security for Public-Key Encryption 2 Hybrid Encryption and KEM/DEM 3 CDH/DDH-Based Encryption: ElGamal 4 RSA Encryption Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
6 Definitions of Security for Public-Key Encryption True or False? There are perfectly secure public-key encryption schemes. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
7 Definitions of Security for Public-Key Encryption True or False? There are perfectly secure public-key encryption schemes. False! An unbounded adversary given the public key and a ciphertext c Enc pk (m) can always determine m Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
8 Definitions of Security for Public-Key Encryption ˆ Public-key encryption scheme Π = (Gen, Enc, Dec): Algorithm Input Output Gen 1 n (pk, sk) Enc pk, m c Enc pk (m) Dec sk, c m := Dec sk (c) (pk, sk) : Pr[Dec sk (Enc pk (m)) = m] = 1 negl(n) Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
9 Definitions of Security for Public-Key Encryption ˆ Public-key encryption scheme Π = (Gen, Enc, Dec): Algorithm Input Output Gen 1 n (pk, sk) Enc pk, m c Enc pk (m) Dec sk, c m := Dec sk (c) (pk, sk) : Pr[Dec sk (Enc pk (m)) = m] = 1 negl(n) ˆ For any public-key encryption scheme Π these three definitions of security are equivalent: Π is EAV-secure (1) Π is CPA-secure (2) Π has indistinguishable multiple encryptions Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
10 Definitions of Security for Public-Key Encryption ˆ Public-key encryption scheme Π = (Gen, Enc, Dec): Algorithm Input Output Gen 1 n (pk, sk) Enc pk, m c Enc pk (m) Dec sk, c m := Dec sk (c) (pk, sk) : Pr[Dec sk (Enc pk (m)) = m] = 1 negl(n) ˆ For any public-key encryption scheme Π these three definitions of security are equivalent: Π is EAV-secure (1) Π is CPA-secure (2) Π has indistinguishable multiple encryptions ˆ Why is (1) the case? Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
11 Definitions of Security for Public-Key Encryption ˆ Public-key encryption scheme Π = (Gen, Enc, Dec): Algorithm Input Output Gen 1 n (pk, sk) Enc pk, m c Enc pk (m) Dec sk, c m := Dec sk (c) (pk, sk) : Pr[Dec sk (Enc pk (m)) = m] = 1 negl(n) ˆ For any public-key encryption scheme Π these three definitions of security are equivalent: Π is EAV-secure (1) Π is CPA-secure (2) Π has indistinguishable multiple encryptions ˆ Why is (1) the case? ˆ The proof of (2) is in the book, it uses a hybrid argument Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
12 CPA-secure Π has indistinguishable mult. encryptions ˆ Intuition before the proof shows that Π has indistinguishable two encryptions by going from C 0 to C 1 via C 01 Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
13 CPA-secure Π has indistinguishable mult. encryptions ˆ Intuition before the proof shows that Π has indistinguishable two encryptions by going from C 0 to C 1 via C 01 ˆ Actual proof generalizes on this idea: A makes t=t(n) queries Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
14 CPA-secure Π has indistinguishable mult. encryptions ˆ Intuition before the proof shows that Π has indistinguishable two encryptions by going from C 0 to C 1 via C 01 ˆ Actual proof generalizes on this idea: A makes t=t(n) queries ˆ Define LRpk i : returns m 0 for 0 i, m 1 for i + 1 t Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
15 CPA-secure Π has indistinguishable mult. encryptions ˆ Intuition before the proof shows that Π has indistinguishable two encryptions by going from C 0 to C 1 via C 01 ˆ Actual proof generalizes on this idea: A makes t=t(n) queries ˆ Define LRpk i : returns m 0 for 0 i, m 1 for i + 1 t Show that P r[a LRt pk(pk) = 1] P r[a LR0 pk(pk) = 1] negl(n) Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
16 CPA-secure Π has indistinguishable mult. encryptions ˆ Intuition before the proof shows that Π has indistinguishable two encryptions by going from C 0 to C 1 via C 01 ˆ Actual proof generalizes on this idea: A makes t=t(n) queries ˆ Define LR i pk : returns m 0 for 0 i, m 1 for i + 1 t Show that P r[a LRt pk(pk) = 1] P r[a LR0 pk(pk) = 1] negl(n) ˆ Create a telescoping sum: Pr[A LRt pk (pk) = 1] Pr[A LR 0 pk (pk) = 1] = Pr[A LRt pk (pk) = 1] Pr[A LR t 1 pk (pk) = 1] + Pr[A LR t 1 pk (pk) = 1]... Pr[A LR1 pk (pk) = 1] + Pr[A LR 1 pk (pk) = 1] Pr[A LR 0 pk (pk) = 1] Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
17 CPA-secure Π has indistinguishable mult. encryptions ˆ Intuition before the proof shows that Π has indistinguishable two encryptions by going from C 0 to C 1 via C 01 ˆ Actual proof generalizes on this idea: A makes t=t(n) queries ˆ Define LR i pk : returns m 0 for 0 i, m 1 for i + 1 t Show that P r[a LRt pk(pk) = 1] P r[a LR0 pk(pk) = 1] negl(n) ˆ Create a telescoping sum: Pr[A LRt pk (pk) = 1] Pr[A LR 0 pk (pk) = 1] = Pr[A LRt pk (pk) = 1] Pr[A LR t 1 pk (pk) = 1] + Pr[A LR t 1 pk (pk) = 1]... Pr[A LR1 pk (pk) = 1] + Pr[A LR 1 pk (pk) = 1] Pr[A LR 0 pk (pk) = 1] ˆ Now show that Pr[A LRi pk(pk) = 1] Pr[A LRi 1 pk (pk) = 1] negl(n) Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
18 CPA-secure Π has indistinguishable mult. encryptions Pr[A LRi pk (pk) = 1] Pr[A LR i 1 pk (pk) = 1] = Pr[A(pk, Enc pk (m 1,0 ),..., Enc pk (m i,0 ), Enc pk (m i+1,1 ),..., Enc pk (m t,1 )) = 1] Pr[A(pk, Enc pk (m 1,0 ),..., Enc pk (m i,1 ), Enc pk (m i+1,1 ),..., Enc pk (m t,1 )) = 1] Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
19 CPA-secure Π has indistinguishable mult. encryptions Pr[A LRi pk (pk) = 1] Pr[A LR i 1 pk (pk) = 1] = Pr[A(pk, Enc pk (m 1,0 ),..., Enc pk (m i,0 ), Enc pk (m i+1,1 ),..., Enc pk (m t,1 )) = 1] Pr[A(pk, Enc pk (m 1,0 ),..., Enc pk (m i,1 ), Enc pk (m i+1,1 ),..., Enc pk (m t,1 )) = 1] = Pr[A(pk, Enc pk (m i,0 )) = 1] Pr[A(pk, Enc pk (m i,1 )) = 1] Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
20 CPA-secure Π has indistinguishable mult. encryptions Pr[A LRi pk (pk) = 1] Pr[A LR i 1 pk (pk) = 1] = Pr[A(pk, Enc pk (m 1,0 ),..., Enc pk (m i,0 ), Enc pk (m i+1,1 ),..., Enc pk (m t,1 )) = 1] Pr[A(pk, Enc pk (m 1,0 ),..., Enc pk (m i,1 ), Enc pk (m i+1,1 ),..., Enc pk (m t,1 )) = 1] = Pr[A(pk, Enc pk (m i,0 )) = 1] Pr[A(pk, Enc pk (m i,1 )) = 1] negl(n) Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
21 CPA-secure Π has indistinguishable mult. encryptions Pr[A LRi pk (pk) = 1] Pr[A LR i 1 pk (pk) = 1] = Pr[A(pk, Enc pk (m 1,0 ),..., Enc pk (m i,0 ), Enc pk (m i+1,1 ),..., Enc pk (m t,1 )) = 1] Pr[A(pk, Enc pk (m 1,0 ),..., Enc pk (m i,1 ), Enc pk (m i+1,1 ),..., Enc pk (m t,1 )) = 1] = Pr[A(pk, Enc pk (m i,0 )) = 1] Pr[A(pk, Enc pk (m i,1 )) = 1] negl(n) ˆ Thus we have that Pr[A LRt pk (pk) = 1] Pr[A LR 0 pk (pk) = 1] = Pr[A LRt pk (pk) = 1] Pr[A LR t 1 pk (pk) = 1] + Pr[A LR t 1 pk (pk) = 1]... Pr[A LR1 pk (pk) = 1] + Pr[A LR 1 pk (pk) = 1] Pr[A LR 0 pk (pk) = 1] Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
22 CPA-secure Π has indistinguishable mult. encryptions Pr[A LRi pk (pk) = 1] Pr[A LR i 1 pk (pk) = 1] = Pr[A(pk, Enc pk (m 1,0 ),..., Enc pk (m i,0 ), Enc pk (m i+1,1 ),..., Enc pk (m t,1 )) = 1] Pr[A(pk, Enc pk (m 1,0 ),..., Enc pk (m i,1 ), Enc pk (m i+1,1 ),..., Enc pk (m t,1 )) = 1] = Pr[A(pk, Enc pk (m i,0 )) = 1] Pr[A(pk, Enc pk (m i,1 )) = 1] negl(n) ˆ Thus we have that Pr[A LRt pk (pk) = 1] Pr[A LR 0 pk (pk) = 1] = Pr[A LRt pk (pk) = 1] Pr[A LR t 1 pk (pk) = 1] + Pr[A LR t 1 pk (pk) = 1]... Pr[A LR1 pk (pk) = 1] + Pr[A LR 1 pk (pk) = 1] Pr[A LR 0 pk (pk) = 1] t(n) negl(n) Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
23 CPA-secure Π has indistinguishable mult. encryptions Pr[A LRi pk (pk) = 1] Pr[A LR i 1 pk (pk) = 1] = Pr[A(pk, Enc pk (m 1,0 ),..., Enc pk (m i,0 ), Enc pk (m i+1,1 ),..., Enc pk (m t,1 )) = 1] Pr[A(pk, Enc pk (m 1,0 ),..., Enc pk (m i,1 ), Enc pk (m i+1,1 ),..., Enc pk (m t,1 )) = 1] = Pr[A(pk, Enc pk (m i,0 )) = 1] Pr[A(pk, Enc pk (m i,1 )) = 1] negl(n) ˆ Thus we have that Pr[A LRt pk (pk) = 1] Pr[A LR 0 pk (pk) = 1] = Pr[A LRt pk (pk) = 1] Pr[A LR t 1 pk (pk) = 1] + Pr[A LR t 1 pk (pk) = 1]... Pr[A LR1 pk (pk) = 1] + Pr[A LR 1 pk (pk) = 1] Pr[A LR 0 pk (pk) = 1] t(n) negl(n) ˆ Where s the hybrid argument? Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
24 Table of Contents 1 Definitions of Security for Public-Key Encryption 2 Hybrid Encryption and KEM/DEM 3 CDH/DDH-Based Encryption: ElGamal 4 RSA Encryption Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
25 Hybrid Encryption and KEM/DEM True or False? To yield a CPA-secure hybrid encryption scheme, one must combine a CCA-secure KEM with a private-key encryption scheme that is at least CPA-secure. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
26 Hybrid Encryption and KEM/DEM True or False? To yield a CPA-secure hybrid encryption scheme, one must combine a CCA-secure KEM with a private-key encryption scheme that is at least CPA-secure. False! The KEM needs only to be CPA-secure and the private-key encryption scheme even only EAV-secure. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
27 Hybrid Encryption and KEM/DEM Please find a general outline for a proof of the following theorem: If Π is a CPA-secure KEM and Π is an EAV-secure private-key encryption scheme, then Π hy as in the construction below is a CPA-secure public-key encryption scheme. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
28 Hybrid Encryption and KEM/DEM: Solution ˆ We need to prove (pk, c, Enc k (m 0)) c (pk, c, Enc k (m 1)) Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
29 Hybrid Encryption and KEM/DEM: Solution ˆ We need to prove (pk, c, Enc k (m 0)) c (pk, c, Enc k (m 1)) ˆ CPA-security of Π gives us and (pk, c, Enc k (m 0)) c (pk, c, Enc k (m 0)) (1) (pk, c, Enc k (m 1)) c (pk, c, Enc k (m 1)) (2) Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
30 Hybrid Encryption and KEM/DEM: Solution ˆ We need to prove (pk, c, Enc k (m 0)) c (pk, c, Enc k (m 1)) ˆ CPA-security of Π gives us and (pk, c, Enc k (m 0)) c (pk, c, Enc k (m 0)) (1) (pk, c, Enc k (m 1)) c (pk, c, Enc k (m 1)) (2) ˆ By EAV-security of Π we know Enc k (m 0) c Enc k (m 1) for a uniform k, so (pk, c, Enc k (m 0)) c (pk, c, Enc k (m 1)) (3) Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
31 Hybrid Encryption and KEM/DEM: Solution ˆ We need to prove (pk, c, Enc k (m 0)) c (pk, c, Enc k (m 1)) ˆ CPA-security of Π gives us and (pk, c, Enc k (m 0)) c (pk, c, Enc k (m 0)) (1) (pk, c, Enc k (m 1)) c (pk, c, Enc k (m 1)) (2) ˆ By EAV-security of Π we know Enc k (m 0) c Enc k (m 1) for a uniform k, so ˆ Combining (1-3) we get (pk, c, Enc k (m 0)) c (pk, c, Enc k (m 1)) (3) (pk, c, Enc k (m 0)) security of Π by transitivity (pk, c, Enc k (m 1)) security of Π (pk, c, Enc k (m 0)) (pk, c, Enc k (m 1)) security of Π Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
32 Table of Contents 1 Definitions of Security for Public-Key Encryption 2 Hybrid Encryption and KEM/DEM 3 CDH/DDH-Based Encryption: ElGamal 4 RSA Encryption Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
33 CDH/DDH-Based Encryption True or False? It is more likely that the DDH assumption is true than the CDH. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
34 CDH/DDH-Based Encryption True or False? It is more likely that the DDH assumption is true than the CDH. True! The DDH is a strictly weaker assumption than the CDH. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
35 CDH/DDH-Based Encryption: ElGamal Encryption Lemma (11.15) Let G be a finite group, and let m G be arbitrary. Then choosing uniform k G and setting k := k m gives the same distribution for k as choosing uniform k G. Put differently, for any ĝ G we have P r[k m = ĝ] = 1/ G, where the probability is taken over uniform choice of k G. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
36 CDH/DDH-Based Encryption: ElGamal Encryption Lemma (11.15) Let G be a finite group, and let m G be arbitrary. Then choosing uniform k G and setting k := k m gives the same distribution for k as choosing uniform k G. Put differently, for any ĝ G we have P r[k m = ĝ] = 1/ G, where the probability is taken over uniform choice of k G. Proof. P r[k m = ĝ] = P r[k = ĝ m 1 ] = 1/ G Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
37 CDH/DDH-Based Encryption: ElGamal Encryption Construction (11.16, page 401) ˆ Gen: on input 1 n run G(1 n ) to obtain (G, q, g). Then choose a uniform x Z q and compute h := g x. The public key is G, q, g, h and the private key is G, q, g, x. The message space is G. ˆ Enc: on input a public key pk = G, q, g, h and a message m G, choose a uniform y Z q and output the ciphertext: g y, h y m. ˆ Dec: on input a private key sk = G, q, g, x and a ciphertext c 1, c 2, output ˆm := c 2 /c x 1 Show that decryption succeeds. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
38 Elgamal Encryption Gone Wrong Bob uses ElGamal encryption to communicate with Eve in some group g, i.e. he encrypts m as r = g y, c = h y a m. Eve s public parameters are: q = 8237, g = 3, and h a = He didn t pass the introduction to cryptology course and doesn t understand public-key crypto, so he uses the same nonce y for all his messages m 1, m 2, m 3,... You happen to know that he is kind of predictable and always sends Hi in his first message, which gets represented as m 1 = = 190. You observe the following ciphertexts: (r 1, c 1 ) = (7830, 4537), (r 2, c 2 ) = (7830, 361). Recover m Adapted from exam Introduction to Cryptology exercise 6 TU/e, Tanja Lange. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
39 Solution: Elgamal Encryption Gone Wrong ˆ c 1 = h y a m 1 = h y a 190 = 4537 mod 8237 Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
40 Solution: Elgamal Encryption Gone Wrong ˆ c 1 = h y a m 1 = h y a 190 = 4537 mod 8237 ˆ Inverse of 190 mod q: 1 = ˆ h y a = = 7784 mod 8237 Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
41 Solution: Elgamal Encryption Gone Wrong ˆ c 1 = h y a m 1 = h y a 190 = 4537 mod 8237 ˆ Inverse of 190 mod q: 1 = ˆ h y a = = 7784 mod 8237 ˆ Inverse of h a : 1 = ˆ m 2 = = 2342 mod 8237 Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
42 Solution: Elgamal Encryption Gone Wrong ˆ c 1 = h y a m 1 = h y a 190 = 4537 mod 8237 ˆ Inverse of 190 mod q: 1 = ˆ h y a = = 7784 mod 8237 ˆ Inverse of h a : 1 = ˆ m 2 = = 2342 mod 8237 ˆ 2342 = EVE Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
43 CPA-Security of ElGamal and the DDH Let G be an algorithm generating a cyclic group G of known order q and a generator g for G. It is shown in Theorem that ElGamal with G is CPA-secure if the DDH problem is hard with respect to G. Show that this assumption is also necessary: ElGamal is CPA-secure w.r.t. G = The DDH-problem is hard w.r.t. G Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
44 Solution: CPA-Security of ElGamal and the DDH Show the contrapositive: If the DDH is not hard then ElGamal cannot be CPA secure Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
45 Solution: CPA-Security of ElGamal and the DDH Show the contrapositive: If the DDH is not hard then ElGamal cannot be CPA secure ˆ Construct an adversary A winning PubK eav A,ElGamal with probability greater negligible who uses A as subroutine who can distinguish between h log g gx log g g y = h xy given g x, g y. ˆ A submits m 0 = 1 (the neutral element of G) and m 1 = h z for some uniform z ˆ A gets g y, c, where c = h xy m 0 = h xy 1 = h xy or c = h xy m 1 = h xy h z = h xyz ˆ Note: h xyz = h xy h z is uniform (Lemma 11.15) ˆ A gives G, q, g, h = g x, g y, c to A ˆ If A tells A that c = h xy, A outputs 0, else 1 Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
46 Solution: CPA-Security of ElGamal and the DDH Show the contrapositive: If the DDH is not hard then ElGamal cannot be CPA secure ˆ Construct an adversary A winning PubK eav A,ElGamal with probability greater negligible who uses A as subroutine who can distinguish between h log g gx log g g y = h xy given g x, g y. ˆ A submits m 0 = 1 (the neutral element of G) and m 1 = h z for some uniform z ˆ A gets g y, c, where c = h xy m 0 = h xy 1 = h xy or c = h xy m 1 = h xy h z = h xyz ˆ Note: h xyz = h xy h z is uniform (Lemma 11.15) ˆ A gives G, q, g, h = g x, g y, c to A ˆ If A tells A that c = h xy, A outputs 0, else 1 ˆ Analysis: Probability that A succeeds is greater negligible, probability that h z = h xy is negligible = probability that A wins is greater negligible Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
47 Table of Contents 1 Definitions of Security for Public-Key Encryption 2 Hybrid Encryption and KEM/DEM 3 CDH/DDH-Based Encryption: ElGamal 4 RSA Encryption Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
48 Plain RSA Encryption True or False? The following states the RSA assumption: Given (N, e, y ZN ), where N = p q for p, q prime, e > 1 and gcd(e, φ(n)) = 1, the probability that any probabilistic polynomial-time algorithm finds x ZN such that x = y mod N is negligible. True! Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
49 Plain RSA Encryption True or False? The following states the RSA assumption: Given (N, e, y ZN ), where N = p q for p, q prime, e > 1 and gcd(e, φ(n)) = 1, the probability that any probabilistic polynomial-time algorithm finds x ZN such that x = y mod N is negligible. True! Does this imply that using plain RSA to encrypt messages ZN is secure? Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
50 Plain RSA Encryption True or False? The following states the RSA assumption: Given (N, e, y ZN ), where N = p q for p, q prime, e > 1 and gcd(e, φ(n)) = 1, the probability that any probabilistic polynomial-time algorithm finds x ZN such that x = y mod N is negligible. True! Does this imply that using plain RSA to encrypt messages ZN is secure? No! It only means that it is hard to fully recover a uniform m Z N. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
51 Plain RSA Encryption Algorithm Input Output Gen 1 n (N, e, d) = GenRSA(1 n ), pk = N, e, sk = N, d Enc pk = N, e, m ZN c := [me mod N] Dec sk = N, d, c ZN m := [c d mod N] ˆ You are given the RSA public key (N, e), where e = 23. ˆ In addition you have the message ciphertext pairs ( , c 1 ) and ( , c 2 ). ˆ You can find N, c 1, c 2 and C on the Crypto Wiki (Moodle). ˆ Recover M such that Enc(M) = C. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
52 Malleability ˆ A scheme is malleable if, given the encryption c of some message m, it is possible to construct a ciphertext c that decrypts to an m which has a known relation to m. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
53 Malleability ˆ A scheme is malleable if, given the encryption c of some message m, it is possible to construct a ciphertext c that decrypts to an m which has a known relation to m. ˆ So what does non-malleability imply? Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
54 Malleability ˆ A scheme is malleable if, given the encryption c of some message m, it is possible to construct a ciphertext c that decrypts to an m which has a known relation to m. ˆ So what does non-malleability imply? ˆ Plain RSA is not CPA-secure, but ensures that a uniform m Z N cannot be recovered given c = [me mod N] and N, e. Show that not even this holds if an attacker can perform a CCA. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
55 Malleability ˆ A scheme is malleable if, given the encryption c of some message m, it is possible to construct a ciphertext c that decrypts to an m which has a known relation to m. ˆ So what does non-malleability imply? ˆ Plain RSA is not CPA-secure, but ensures that a uniform m Z N cannot be recovered given c = [me mod N] and N, e. Show that not even this holds if an attacker can perform a CCA. ˆ Solution: Given c = [m e mod N], construct c := [2 e c mod N] = [2 e m e mod N] = [(2m) e mod N] Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24
Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack
Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Indian Statistical Institute Kolkata January 14, 2012 Outline 1 Definitions Encryption Scheme IND-CPA IND-CCA IND-CCVA
More informationLecture 15: Public Key Encryption: I
CSE 594 : Modern Cryptography 03/28/2017 Lecture 15: Public Key Encryption: I Instructor: Omkant Pandey Scribe: Arun Ramachandran, Parkavi Sundaresan 1 Setting In Public-key Encryption (PKE), key used
More informationChapter 11 : Private-Key Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1 Chapter 11 Public-Key Encryption Apologies: all numbering
More informationApplied Cryptography and Computer Security CSE 664 Spring 2018
Applied Cryptography and Computer Security Lecture 13: Public-Key Cryptography and RSA Department of Computer Science and Engineering University at Buffalo 1 Public-Key Cryptography What we already know
More informationSecurity of Cryptosystems
Security of Cryptosystems Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Symmetric key cryptosystem m M 0 c Enc sk (m) sk Gen c sk m Dec sk (c) A randomised key generation algorithm outputs
More informationHomework 3: Solution
Homework 3: Solution March 28, 2013 Thanks to Sachin Vasant and Xianrui Meng for contributing their solutions. Exercise 1 We construct an adversary A + that does the following to win the CPA game: 1. Select
More informationCS408 Cryptography & Internet Security
CS408 Cryptography & Internet Security Lectures 16, 17: Security of RSA El Gamal Cryptosystem Announcement Final exam will be on May 11, 2015 between 11:30am 2:00pm in FMH 319 http://www.njit.edu/registrar/exams/finalexams.php
More informationRelaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack
Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Sumit Kumar Pandey, Santanu Sarkar and Mahavir Prasad Jhanwar CR Rao AIMSCS Hyderabad November 2, 2012 Outline 1 Definitions
More informationCryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1
Cryptography CS 555 Topic 11: Encryption Modes and CCA Security CS555 Spring 2012/Topic 11 1 Outline and Readings Outline Encryption modes CCA security Readings: Katz and Lindell: 3.6.4, 3.7 CS555 Spring
More informationCSC 5930/9010 Modern Cryptography: Public Key Cryptography
CSC 5930/9010 Modern Cryptography: Public Key Cryptography Professor Henry Carter Fall 2018 Recap Number theory provides useful tools for manipulating integers and primes modulo a large value Abstract
More informationPaper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage
1 Announcements Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage 2 Recap and Overview Previous lecture: Symmetric key
More informationCS 395T. Formal Model for Secure Key Exchange
CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 4 Markus Bläser, Saarland University Message authentication How can you be sure that a message has not been modified? Encyrption is not
More informationMessage Authentication ( 消息认证 )
Message Authentication ( 消息认证 ) Sheng Zhong Yuan Zhang Computer Science and Technology Department Nanjing University 2017 Fall Sheng Zhong, Yuan Zhang (CS@NJU) Message Authentication ( 消息认证 ) 2017 Fall
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationEncryption from the Diffie-Hellman assumption. Eike Kiltz
Encryption from the Diffie-Hellman assumption Eike Kiltz Elliptic curve public-key crypto Key-agreement Signatures Encryption Diffie-Hellman 76 passive security ElGamal 84 passive security Hybrid DH (ECDH)
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationMTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov October 31, 2005 Abstract Standard security assumptions (IND-CPA, IND- CCA) are explained. A number of cryptosystems
More informationSECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY
SECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY Edoardo Persichetti University of Warsaw 06 June 2013 (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE 2013 1 / 20 Part I PRELIMINARIES
More informationBrief Introduction to Provable Security
Brief Introduction to Provable Security Michel Abdalla Département d Informatique, École normale supérieure michel.abdalla@ens.fr http://www.di.ens.fr/users/mabdalla 1 Introduction The primary goal of
More informationCSC 5930/9010 Modern Cryptography: Digital Signatures
CSC 5930/9010 Modern Cryptography: Digital Signatures Professor Henry Carter Fall 2018 Recap Implemented public key schemes in practice commonly encapsulate a symmetric key for the rest of encryption KEM/DEM
More informationIND-CCA2 secure cryptosystems, Dan Bogdanov
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee 1 Overview Notion of indistinguishability The Cramer-Shoup cryptosystem Newer results
More informationCryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security
Cryptography CS 555 Topic 8: Modes of Encryption, The Penguin and CCA security 1 Reminder: Homework 1 Due on Friday at the beginning of class Please typeset your solutions 2 Recap Pseudorandom Functions
More informationRSA Cryptography in the Textbook and in the Field. Gregory Quenell
RSA Cryptography in the Textbook and in the Field Gregory Quenell 1 In the beginning... 2 In the beginning... Diffie and Hellman 1976: A one-way function can be used to pass secret information over an insecure
More informationIntroduction to Cryptography. Lecture 3
Introduction to Cryptography Lecture 3 Benny Pinkas March 6, 2011 Introduction to Cryptography, Benny Pinkas page 1 Pseudo-random generator seed s (random, s =n) Pseudo-random generator G Deterministic
More informationLecture 3.4: Public Key Cryptography IV
Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2012 Nitesh Saxena Course Administration HW1 submitted Trouble with BB Trying to check with BB support HW1 solution will be posted very soon
More informationIntroduction to Cryptography Lecture 7
Introduction to Cryptography Lecture 7 El Gamal Encryption RSA Encryption Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing
More informationCRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS
CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt and Daniel Wichs NYU NY Area Crypto Reading Group Continuous Leakage Resilience (CLR): A Brief History
More informationComputer Security CS 526
Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability
More informationBlock ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 74 Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways
More informationLecture 18 - Chosen Ciphertext Security
Lecture 18 - Chosen Ciphertext Security Boaz Barak November 21, 2005 Public key encryption We now go back to public key encryption. As we saw in the case of private key encryption, CPA security is not
More informationCryptography. Lecture 03
Cryptography Lecture 03 Recap Consider the following Encryption Schemes: 1. Shift Cipher: Crackable. Keyspace has only 26 elements. 2. Affine Cipher: Crackable. Keyspace has only 312 elements. 3. Vig Cipher:
More informationAdvanced Cryptography 1st Semester Symmetric Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 22th 2007 1 / 58 Last Time (I) Security Notions Cyclic Groups Hard Problems One-way IND-CPA,
More informationHomomorphic Encryption
Homomorphic Encryption Travis Mayberry Cloud Computing Cloud Computing Cloud Computing Cloud Computing Cloud Computing Northeastern saves money on infrastructure and gets the benefit of redundancy and
More informationIf DDH is secure then ElGamal is also secure w.r.t IND-CPA
CS 6903 Modern Cryptography May 5th, 2011 Lecture 12 Instructor:Nitesh Saxena Recap of the previous lecture Scribe:Orcun Berkem, Turki Turki, Preetham Deshikachar Shrinivas The ElGamal encryption scheme
More informationCS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong
CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationSecure Multiparty Computation
CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationMTAT Cryptology II. Commitment Schemes. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Commitment Schemes Sven Laur University of Tartu Formal Syntax m M 0 (c,d) Com pk (m) pk Canonical use case Gen c d pk m Open pk (c,d) A randomised key generation algorithm Gen
More informationGroup-based Proxy Re-encryption Scheme Secure against Chosen Ciphertext Attack
International Journal of Network Security, Vol.8, No., PP.266 270, May 2009 266 Group-based Proxy Re-encryption Scheme Secure against Chosen Ciphertext Attack Chunbo Ma and Jun Ao (Corresponding author:
More information2 Secure Communication in Private Key Setting
CSA E0 235: Cryptography January 11, 2016 Instructor: Arpita Patra Scribe for Lecture 2 Submitted by: Jayam Modi 1 Discrete Probability Background Probability Distribution -A probability distribution over
More informationGoals of Modern Cryptography
Goals of Modern Cryptography Providing information security: Data Privacy Data Integrity and Authenticity in various computational settings. Data Privacy M Alice Bob The goal is to ensure that the adversary
More informationThe Cramer-Shoup Encryption Scheme is Plaintext Aware in the Standard Model
The Cramer-Shoup Encryption Scheme is Plaintext Aware in the Standard Model Alexander W. Dent Royal Holloway, University of London Egham, Surrey, TW20 0EX, U.K. a.dent@rhul.ac.uk Abstract. In this paper
More informationAuthenticated encryption
Authenticated encryption Mac forgery game M {} k R 0,1 s m t M M {m } t mac k (m ) Repeat as many times as the adversary wants (m, t) Wins if m M verify m, t = 1 Mac forgery game Allow the adversary to
More informationLecture 20: Public-key Encryption & Hybrid Encryption. Public-key Encryption
Lecture 20: & Hybrid Encryption Lecture 20: & Hybrid Encryption Overview Suppose there is a 2-round Key-Agreement protocol. This means that there exists a protocol where Bob sends the first message m B
More informationLecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model
CMSC 858K Advanced Topics in Cryptography March 11, 2004 Lecturer: Jonathan Katz Lecture 14 Scribe(s): Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze 1 A Note on Adaptively-Secure NIZK A close look
More informationIntroduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell
Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering
More informationIntroduction to Public-Key Cryptography
Introduction to Public-Key Cryptography Nadia Heninger University of Pennsylvania June 11, 2018 We stand today on the brink of a revolution in cryptography. Diffie and Hellman, 1976 Symmetric cryptography
More informationLecture 8. 1 Some More Security Definitions for Encryption Schemes
U.C. Berkeley CS276: Cryptography Lecture 8 Professor David Wagner February 9, 2006 Lecture 8 1 Some More Security Definitions for Encryption Schemes 1.1 Real-or-random (rr) security Real-or-random security,
More informationCryptography. Andreas Hülsing. 6 September 2016
Cryptography Andreas Hülsing 6 September 2016 1 / 21 Announcements Homepage: http: //www.hyperelliptic.org/tanja/teaching/crypto16/ Lecture is recorded First row might be on recordings. Anything organizational:
More informationPrivate Web Search with Malicious Adversaries
Private Web Search with Malicious Adversaries Yehuda Lindell Erez Waisbard March 24, 20 Abstract Web search has become an integral part of our lives and we use it daily for business and pleasure. Unfortunately,
More informationStrong Privacy for RFID Systems from Plaintext-Aware Encryption
Strong Privacy for RFID Systems from Plaintext-Aware Encryption Khaled Ouafi and Serge Vaudenay ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE http://lasec.epfl.ch/ supported by the ECRYPT project SV strong
More informationA CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model
A CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model Jörn Müller-Quade European Institute for System Security KIT, Karlsruhe, Germany 04/23/09 Session ID: CRYP301 Session Classification:
More informationIntroduction to Cryptography Lecture 7
Introduction to Cryptography Lecture 7 Public-Key Encryption: El-Gamal, RSA Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing
More informationINDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( Mid Semester ) SEMESTER ( Spring ) Roll Number Section Name Subject Number C S 6 0 0 8 8 Subject Name Foundations
More informationChosen-Ciphertext Security (II)
Chosen-Ciphertext Security (II) CS 601.442/642 Modern Cryptography Fall 2018 S 601.442/642 Modern Cryptography Chosen-Ciphertext Security (II) Fall 2018 1 / 13 Recall: Chosen-Ciphertext Attacks (CCA) Adversary
More informationEfficient chosen ciphertext secure PKE scheme with short ciphertext
Efficient chosen ciphertext secure PKE scheme with short ciphertext Xianhui Lu 1, Xuejia Lai 2, Dake He 1, Guomin Li 1 Email:lu xianhui@gmail.com 1:School of Information Science & Technology, SWJTU, Chengdu,
More informationThe ElGamal Public- key System
Online Cryptography Course Dan Boneh Public key encryp3on from Diffie- Hellman The ElGamal Public- key System Recap: public key encryp3on: (Gen, E, D) Gen pk sk m c c m E D Recap: public- key encryp3on
More informationInformation Security CS526
Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for
More informationCryptography. Lecture 12. Arpita Patra
Cryptography Lecture 12 Arpita Patra Digital Signatures q In PK setting, privacy is provided by PKE q Integrity/authenticity is provided by digital signatures (counterpart of MACs in PK world) q Definition:
More informationCryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39
Cryptography 2017 Lecture 4 Attacks against Block Ciphers Introduction to Public Key Cryptography November 14, 2017 1 / 39 What have seen? What are we discussing today? What is coming later? Lecture 3
More informationPublic-Key Cryptography
Computer Security Spring 2008 Public-Key Cryptography Aggelos Kiayias University of Connecticut A paradox Classic cryptography (ciphers etc.) Alice and Bob share a short private key using a secure channel.
More informationPublic-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7
Public-Key Cryptography Professor Yanmin Gong Week 3: Sep. 7 Outline Key exchange and Diffie-Hellman protocol Mathematical backgrounds for modular arithmetic RSA Digital Signatures Key management Problem:
More informationLecture 02: Historical Encryption Schemes. Lecture 02: Historical Encryption Schemes
What is Encryption Parties involved: Alice: The Sender Bob: The Receiver Eve: The Eavesdropper Aim of Encryption Alice wants to send a message to Bob The message should remain hidden from Eve What distinguishes
More informationCSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring 2018 5 and 6 February 2018 Identification schemes are mechanisms for Alice to prove her identity to Bob They comprise a setup
More informationISA 562: Information Security, Theory and Practice. Lecture 1
ISA 562: Information Security, Theory and Practice Lecture 1 1 Encryption schemes 1.1 The semantics of an encryption scheme. A symmetric key encryption scheme allows two parties that share a secret key
More informationLecture 1: Perfect Security
CS 290G (Fall 2014) Introduction to Cryptography Oct 2nd, 2014 Instructor: Rachel Lin 1 Recap Lecture 1: Perfect Security Scribe: John Retterer-Moore Last class, we introduced modern cryptography and gave
More informationLecture 8: Cryptography in the presence of local/public randomness
Randomness in Cryptography Febuary 25, 2013 Lecture 8: Cryptography in the presence of local/public randomness Lecturer: Yevgeniy Dodis Scribe: Hamidreza Jahanjou So far we have only considered weak randomness
More informationBlock cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75
Block cipher modes Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 75 Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 76 Block cipher modes Block ciphers (like
More informationDefinitions and Notations
Chapter 2 Definitions and Notations In this chapter, we present definitions and notation. We start with the definition of public key encryption schemes and their security models. This forms the basis of
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 31 October 2017
Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 31 October 2017 Name : TU/e student number : Exercise 1 2 3 4 5 6 total points Notes: Please hand in this sheet at the end of the exam.
More informationWeak adaptive chosen ciphertext secure hybrid encryption scheme
Weak adaptive chosen ciphertext secure hybrid encryption scheme Xianhui Lu 1, Xuejia Lai 2, Dake He 1, Guomin Li 1 Email:luxianhui@gmail.com 1:School of Information Science & Technology, SWJTU, Chengdu,
More informationA New Framework for Efficient Password-Based Authenticated Key Exchange
A New Framework for Efficient Password-Based Authenticated Key Exchange Adam Groce Jonathan Katz Abstract Protocols for password-based authenticated key exchange (PAKE) allow two users who share only a
More informationLecture 07: Private-key Encryption. Private-key Encryption
Lecture 07: Three algorithms Key Generation: Generate the secret key sk Encryption: Given the secret key sk and a message m, it outputs the cipher-text c (Note that the encryption algorithm can be a randomized
More informationINDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( End Semester ) SEMESTER ( Spring ) Roll Number Section Name Subject Number C S 6 0 0 8 8 Subject Name Foundations
More informationIntroduction to Cryptography. Lecture 3
Introduction to Cryptography Lecture 3 Benny Pinkas March 6, 2011 Introduction to Cryptography, Benny Pinkas page 1 Pseudo-random generator seed s (random, s =n) Pseudo-random generator G Deterministic
More information1 Defining Message authentication
ISA 562: Information Security, Theory and Practice Lecture 3 1 Defining Message authentication 1.1 Defining MAC schemes In the last lecture we saw that, even if our data is encrypted, a clever adversary
More informationLecture 10, Zero Knowledge Proofs, Secure Computation
CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last
More informationA Designer s Guide to KEMs. Errata List
A Designer s Guide to KEMs Alexander W. Dent Information Security Group, Royal Holloway, University of London, Egham Hill, Egham, Surrey, U.K. alex@fermat.ma.rhul.ac.uk http://www.isg.rhul.ac.uk/~alex/
More informationCode-Based Cryptography McEliece Cryptosystem
Code-Based Cryptography McEliece Cryptosystem I. Márquez-Corbella 0 2. McEliece Cryptosystem 1. Formal Definition 2. Security-Reduction Proof 3. McEliece Assumptions 4. Notions of Security 5. Critical
More informationComputational Security, Stream and Block Cipher Functions
Computational Security, Stream and Block Cipher Functions 18 March 2019 Lecture 3 Most Slides Credits: Steve Zdancewic (UPenn) 18 March 2019 SE 425: Communication and Information Security 1 Topics for
More informationLecture10. 1 Semantically secure PKE
0368.4162: Introduction to Cryptography Ran Canetti 05 January 2009 Lecture10 Fall 2008 Scribes:O.Singer,M.Shaked Topics for today Public-Key Encryption Public Key Infrastructure (PKI) Authenticated Key
More informationAn Efficient ID-KEM Based On The Sakai Kasahara Key Construction
An Efficient ID-KEM Based On The Sakai Kasahara Key Construction L. Chen 1, Z. Cheng 2, J. Malone Lee 3, and N.P. Smart 3 1 Hewlett-Packard Laboratories, Filton Road, Stoke Gifford, Bristol, BS34 8QZ,
More informationSymmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University
Symmetric-Key Cryptography Part 1 Tom Shrimpton Portland State University Building a privacy-providing primitive I want my communication with Bob to be private -- Alice What kind of communication? SMS?
More informationPublic Key Cryptography and the RSA Cryptosystem
Public Key Cryptography and the RSA Cryptosystem Two people, say Alice and Bob, would like to exchange secret messages; however, Eve is eavesdropping: One technique would be to use an encryption technique
More informationGeneric Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model
Generic Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model Janaka Alawatugoda Department of Computer Engineering University of Peradeniya,
More informationRSA. Public Key CryptoSystem
RSA Public Key CryptoSystem DIFFIE AND HELLMAN (76) NEW DIRECTIONS IN CRYPTOGRAPHY Split the Bob s secret key K to two parts: K E, to be used for encrypting messages to Bob. K D, to be used for decrypting
More informationMcEliece Cryptosystem in real life: security and implementation
McEliece Cryptosystem in real life: security and implementation SECRET - INRIA Rocq. Some numbers! scheme key gen enc cycle dec cycle Ntru 203983313 894427 1617090 RSA1-1024 188582730 225593 6240622 RSA1-2048
More informationTuesday, January 17, 17. Crypto - mini lecture 1
Crypto - mini lecture 1 Cryptography Symmetric key cryptography (secret key crypto): sender and receiver keys identical Asymmetric key cryptography (public key crypto): encryption key public, decryption
More informationLecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24
Assume encryption and decryption use the same key. Will discuss how to distribute key to all parties later Symmetric ciphers unusable for authentication of sender Lecturers: Mark D. Ryan and David Galindo.
More information21 Software Obfuscation
21 Software Obfuscation Let us stop and think of the notions we have seen in cryptography. We have seen that under reasonable computational assumptions (such as LWE) we can achieve the following: CPA secure
More informationOblivious Signature-Based Envelope
Oblivious Signature-Based Envelope Ninghui Li Department of Computer Sciences and CERIAS Purdue University 656 Oval Dr, West Lafayette, IN 47907-2086 ninghui@cs.purdue.edu Wenliang Du Department of Electrical
More informationSolutions to exam in Cryptography December 17, 2013
CHALMERS TEKNISKA HÖGSKOLA Datavetenskap Daniel Hedin DIT250/TDA351 Solutions to exam in Cryptography December 17, 2013 Hash functions 1. A cryptographic hash function is a deterministic function that
More informationInformation Security
SE 4472b Information Security Week 2-2 Some Formal Security Notions Aleksander Essex Fall 2015 Formalizing Security As we saw, classical ciphers leak information: Caeser/Vigenere leaks letter frequency
More informationImplementation of 5PM(5ecure Pattern Matching) on Android Platform
Implementation of 5PM(5ecure Pattern Matching) on Android Platform Overview - Main Objective: Search for a pattern on the server securely The answer at the end -> either YES it is found or NO it is not
More informationAn Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem
An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem Mihir Bellare, Alexandra Boldyreva and Adriana Palacio Dept. of Computer Science & Engineering, University of California, San
More informationLeakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter
Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter Baodong Qin and Shengli Liu Shanghai Jiao Tong University ASIACRYPT 2013 Dec 5, Bangalore,
More informationLecture 7.1: Private-key Encryption. Lecture 7.1: Private-key Encryption
Private-key Encryption Alice and Bob share a secret s {0, 1} n Private-key Encryption Alice and Bob share a secret s {0, 1} n Encryption and Decryption algorithms are efficient Private-key Encryption Alice
More informationProofs for Key Establishment Protocols
Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish
More informationTopology-Hiding Computation on all Graphs
Topology-Hiding Computation on all Graphs Adi Akavia Rio LaVigne Tal Moran June 5, 2017 Abstract A distributed computation in which nodes are connected by a partial communication graph is called topology-hiding
More informationCSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography Outline 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More information