Efficient Cryptography from Hard Learning Problems
|
|
- Charla Cook
- 5 years ago
- Views:
Transcription
1 Efficient Cryptography from Hard Learning Problems SOFSEM 2012 January 26th
2 Outline What this Talk is About Provable Security, Exemplified using LPN based Cryptosystems. 1 Ad-Hoc vs. Provable Security. 2 The Learning Parity with Noise (LPN) Problem. 3 PRG from LPN. 4 Encryption from LPN. 5 Secret-Key Authentication from LPN. 6 Some Open Problems.
3 Cryptography in the Old Days Cryptography secret communication Used by military & governments Cryptographers guided by intuition and experience. Schemes usually broken within short time. Cat & mouse game between cryptographers and cryptanalysts.
4 Modern Cryptography applications ATMs, wireless authentication, Internet-banking, e-voting,... tools public-key crypto, zero-knowledge, multiparty-computation,... technique crypto was put on a solid theoretical basis: provable security.
5 Provable Security 1 Define Breaking the Cryptosystem. 2 Construct Cryptosystem. 3 Prove Cryptosystem Secure.
6 Provable Security 1 Define Breaking the Cryptosystem. Example: Digital Signatures key 2 Construct Cryptosystem. 3 Prove Cryptosystem Secure.
7 Provable Security 1 Define Breaking the Cryptosystem. Example: Digital Signatures key 2 Construct Cryptosystem. 3 Prove Cryptosystem Secure.
8 Provable Security 1 Define Breaking the Cryptosystem. Example: Digital Signatures key 2 Construct Cryptosystem. 3 Prove Cryptosystem Secure.
9 Provable Security 1 Define Breaking the Cryptosystem. Example: Digital Signatures key 2 Construct Cryptosystem. 3 Prove Cryptosystem Secure.
10 Provable Security 1 Define Breaking the Cryptosystem. Example: Digital Signatures key 2 Construct Cryptosystem. 3 Prove Cryptosystem Secure.
11 Provable Security 1 Define Breaking the Cryptosystem. Example: Digital Signatures key 2 Construct Cryptosystem. 3 Prove Cryptosystem Secure.
12 Provable Security 1 Define Breaking the Cryptosystem. Example: Digital Signatures? key breaks scheme if? is a valid signature for a new message. 2 Construct Cryptosystem. 3 Prove Cryptosystem Secure.
13 Provable Security 1 Define Breaking the Cryptosystem. Example: Digital Signatures? key breaks scheme if? is a valid signature for a new message. 2 Construct Cryptosystem. 3 Prove Cryptosystem Secure. Theorem No efficient adversary who breaks the scheme exists
14 Provable Security 1 Define Breaking the Cryptosystem. Example: Digital Signatures? key breaks scheme if? is a valid signature for a new message. 2 Construct Cryptosystem. 3 Prove Cryptosystem Secure. Theorem No efficient adversary who breaks the scheme exists if (factoring, SVP,...) is hard.
15 Ad-Hoc Constructions: AES Block-Cipher AES: {0,1} 128 {0,1} 128 {0,1} 128 AES(k,.) indistinguishable from random for random k?
16 What is done in Practice Secret-Key Crypto Ad-Hoc Building Block (e.g. AES block-cipher.) Provably Secure modes (e.g. CBC for encryption/authentication.) Public-Key Crypto Provably Secure underlying assumption DL, Factoring...(but become more and more exotic in literature...) Often additional heuristics (e.g. Random oracle.)
17 The Provable Security Mantra Practical Efficiency OR Provable Security
18 The Provable Security Mantra Practical Efficiency OR Provable Security Secret-Key Crypto Ad-Hoc Building Block (e.g. AES block-cipher.)
19 The Provable Security Mantra Practical Efficiency OR Provable Security Secret-Key Crypto Ad-Hoc Building Block (e.g. AES block-cipher.) Provably Secure (LPN assumption)
20 The Provable Security Mantra Practical Efficiency OR Provable Security Secret-Key Crypto Ad-Hoc Building Block (e.g. AES block-cipher.) Provably Secure (LPN assumption) Schemes for particular tasks (identification) which outperform best ad-hoc solutions in particular settings (RFIDs where randomness is cheap and gates are expensive.)
21 Learning Parity with Noise (LPN)
22 The Learning Parity with Noise Assumption s Z n 2, 0 < τ < 0.5
23 The Learning Parity with Noise Assumption s Z n 2, 0 < τ < 0.5 r 1 Z n 2 e 1 Ber τ
24 The Learning Parity with Noise Assumption s Z n 2, 0 < τ < 0.5 r 1, r 1,s +e 1 r 1 Z n 2 e 1 Ber τ
25 The Learning Parity with Noise Assumption s Z n 2, 0 < τ < 0.5 r 1, r 1,s +e 1 r 2, r 2,s +e 2. r 2 Z n 2 e 2 Ber τ
26 The Learning Parity with Noise Assumption s Z n 2, 0 < τ < 0.5 r 1, r 1,s +e 1 r 2, r 2,s +e 2. r 2 Z n 2 e 2 Ber τ (q,n,τ) LPN assumption (Search Version) Hard to find s. (q, n, τ) LPN assumption (Decisional Version) Hard to distinguish outputs from uniformly random.
27 Hardness of LPN (Search) LPN equivalent to decoding random linear codes. Search & decision polynomially equivalent. Best (quantum) algorithms run in time Θ(2 n/logn ).
28 PRG from LPN
29 PRG from LPN Definition (Pseudorandom Generator (PRG)) G : Z n 2 Zm 2 is a PRG if m > n (stretching) and G(U n) is computationally indistinguishable from U m (pseudorandom).
30 PRG from LPN Definition (Pseudorandom Generator (PRG)) G : Z n 2 Zm 2 is a PRG if m > n (stretching) and G(U n) is computationally indistinguishable from U m (pseudorandom). PRG from LPN A Z m l 2 s Z l 2 e Ber m τ A, A.s e pseudorandom assuming (τ, l)-lpn.
31 PRG from LPN Definition (Pseudorandom Generator (PRG)) G : Z n 2 Zm 2 is a PRG if m > n (stretching) and G(U n) is computationally indistinguishable from U m (pseudorandom). PRG from LPN A Z m l 2 s Z l 2 e Ber m τ A, A.s e pseudorandom assuming (τ, l)-lpn. G(A,s,e) A,A.s e
32 PRG from LPN Definition (Pseudorandom Generator (PRG)) G : Z n 2 Zm 2 is a PRG if m > n (stretching) and G(U n) is computationally indistinguishable from U m (pseudorandom). PRG from LPN A Z m l 2 s Z l 2 e Ber m τ A, A.s e pseudorandom assuming (τ, l)-lpn. G(A,s,e) A,A.s e G(A,s,r) A,A.s e where r used to sample e. Shrinking: need r < m l. H(r) H(e) = h(τ)m h(τ) = τ logτ (1 τ)log(1 τ) < 1 r h(τ)m < m l for sufficiently large m.
33 PRG from LPN Definition (Pseudorandom Generator (PRG)) G : Z n 2 Zm 2 is a PRG if m > n (stretching) and G(U n) is computationally indistinguishable from U m (pseudorandom). PRG from LPN A Z m l 2 s Z l 2 e Ber m τ A, A.s e pseudorandom assuming (τ, l)-lpn. G(A,s,e) A,A.s e G(A,s,r) A,A.s e where r used to sample e. Shrinking: need r < m l. H(r) H(e) = h(τ)m h(τ) = τ logτ (1 τ)log(1 τ) < 1 r h(τ)m < m l for sufficiently large m. G A (s,r) A.s e where r used to sample e.
34 Encryption from LPN
35 Encryption from LPN PRG gives efficient stream-cipher stateful encryption. Definition (CPA-Secure Encryption Scheme) Pair of Algorithms Enc, Dec (Correctness) For every key s and message m Dec(s,Enc(s,m)) = m (Security) Enc(s,m 0 ) indistinguishable from Enc(s,m 1 ). s m s
36 Encryption from LPN PRG gives efficient stream-cipher stateful encryption. Definition (CPA-Secure Encryption Scheme) Pair of Algorithms Enc, Dec (Correctness) For every key s and message m Dec(s,Enc(s,m)) = m (Security) Enc(s,m 0 ) indistinguishable from Enc(s,m 1 ). s c s c Enc(s,m) m Dec(s,c)
37 Encryption from LPN PRG gives efficient stream-cipher stateful encryption. Definition (CPA-Secure Encryption Scheme) Pair of Algorithms Enc, Dec (Correctness) For every key s and message m Dec(s,Enc(s,m)) = m (Security) Enc(s,m 0 ) indistinguishable from Enc(s,m 1 ). s c s c R,R T s e m R T s e m
38 Encryption from LPN PRG gives efficient stream-cipher stateful encryption. Definition (CPA-Secure Encryption Scheme) Pair of Algorithms Enc, Dec (Correctness) For every key s and message m Dec(s,Enc(s,m)) = m (Security) Enc(s,m 0 ) indistinguishable from Enc(s,m 1 ). s c s c R,R T s e m R T s e m R T s
39 Encryption from LPN PRG gives efficient stream-cipher stateful encryption. Definition (CPA-Secure Encryption Scheme) Pair of Algorithms Enc, Dec (Correctness) For every key s and message m Dec(s,Enc(s,m)) = m (Security) Enc(s,m 0 ) indistinguishable from Enc(s,m 1 ). s c s c R,R T s e m ///////e m R R T s /////// T s
40 Encryption from LPN PRG gives efficient stream-cipher stateful encryption. Definition (CPA-Secure Encryption Scheme) Pair of Algorithms Enc, Dec (Correctness) For every key s and message m Dec(s,Enc(s,m)) = m (Security) Enc(s,m 0 ) indistinguishable from Enc(s,m 1 ). s c s c R,R T s e C(m) Error Correcting Code (C,D) ///////e C(m) R R T s /////// T s m D(C(m) e)
41 Authentication Protocols
42 Authentication Protocols Secret Key s prover P(s) verifier V(s)
43 Authentication Protocols prover P(s) verifier V(s) accept/reject
44 Authentication Protocols prover P(s) verifier V(s) accept Correctness : V(s) accepts if interacting with P(s)
45 Authentication Protocols prover P(s) A verifier V(s) Security : V(s) rejects if interacting with A reject
46 Authentication Protocols prover P(s) verifier V(s) s Security : V(s) rejects if interacting with A
47 Authentication Protocols prover P(s) A verifier V(s) s Security : V(s) rejects if interacting with A
48 Authentication Protocols prover P(s) A verifier V(s) Passive Security 1st phase: A can observe transcripts.
49 Authentication Protocols prover P(s) A verifier V(s) reject Passive Security 1st phase: A can observe transcripts. 2nd phase: V(s) rejects if interacting with A.
50 Authentication Protocols prover P(s) A verifier V(s) Active Security 1st phase: A interacts with P(s).
51 Authentication Protocols prover P(s) A verifier V(s) reject Active Security 1st phase: A interacts with P(s). 2nd phase: V(s) rejects if interacting with A.
52 Authentication Using a Block Cipher (e.g. AES) prover P(s) verifier V(s) 1
53 Authentication Using a Block Cipher (e.g. AES) prover P(s) verifier V(s) challenge 1
54 Authentication Using a Block Cipher (e.g. AES) prover P(s) verifier V(s) AES(s, challenge) 1
55 Authentication Using a Block Cipher (e.g. AES) prover P(s) verifier V(s) AES(s, challenge) What if block ciphers are not an option? 1
56 Authentication Using a Block Cipher (e.g. AES) prover P(s) verifier V(s) AES(s, challenge) What if block ciphers are not an option? 1
57 Authentication Using a Block Cipher (e.g. AES) prover P(s) verifier V(s) RFID 1 tags: 1k-10k gates, 200-2k for security. AES 5k gates. 1 Radio-Frequency IDentification
58 Authentication Using a Block Cipher (e.g. AES) prover P(s) verifier V(s) RFID 1 tags: 1k-10k gates, 200-2k for security. AES 5k gates. 1 Radio-Frequency IDentification
59 If AES is not an Option...
60 If AES is not an Option... Lightweight block ciphers: Keeloq, Present,...
61 If AES is not an Option... Lightweight block ciphers: Keeloq, Present,...
62 If AES is not an Option... Lightweight block ciphers: Keeloq, Present,... Provably Secure (LPN Based) Authentication Schemes. [HB 01],[JW 05],[ACPS 09],[KSS 10],...
63 Authentication from LPN
64 The HB protocol [Hopper and Blum AC 01] τ = 0.1 s Z l 2 P(s) e Ber τ z := a,s e a z V(s) a Z l 2 accept if a,s z = 0 }{{} e
65 The HB protocol [Hopper and Blum AC 01] τ = 0.1 s Z l 2 P(s) e Ber τ z := a,s e a z V(s) a Z l 2 accept if a,s z = 0 }{{} e Secure against passive attacks from LPN. to proof
66 The HB protocol [Hopper and Blum AC 01] τ = 0.1 s Z l 2 P(s) e Ber τ z := a,s e a z V(s) a Z l 2 accept if a,s z = 0 }{{} e Secure against passive attacks from LPN. to proof Correctness error 0.1. Soundness error negl.
67 The HB protocol [Hopper and Blum AC 01] τ = 0.1 s Z l 2 P(s) e Ber τ z := a,s e a z V(s) a Z l 2 accept if a,s z = 0 }{{} e Secure against passive attacks from LPN. to proof Correctness error 0.1. Soundness error negl. Can be amplified repeating n times Errors become 2 Θ(n).
68 The HB protocol [Hopper and Blum AC 01] τ = 0.1 s Z l 2 P(s) e Ber τ z := a,s e a z V(s) a Z l 2 accept if a,s z = 0 }{{} e Secure against passive attacks from LPN. to proof Correctness error 0.1. Soundness error negl. Can be amplified repeating n times Errors become 2 Θ(n). Not secure against active attacks: 1 ask for a,s e i (for several i) majority is a,s w.h.p.. 2 recover s from a j,s (j = 1,...,l) using Gaussian elimination.
69 The HB + protocol [Juels and Weis Crypto 05] τ = 0.1 s,s Z l 2 P(s,s) V(s,s) a a Z l 2 e Ber τ z := a,s e z accept if a,s z = 0
70 The HB + protocol [Juels and Weis Crypto 05] τ = 0.1 s,s Z l 2 P(s,s) b Z l 2 e Ber τ z := b,s a,s e b a z V(s,s) a Z l 2 accept if b,s a,s z = 0 Secure against active attacks. to proof
71 The HB + protocol [Juels and Weis Crypto 05] τ = 0.1 s,s Z l 2 P(s,s) b Z l 2 e Ber τ z := b,s a,s e b a z V(s,s) a Z l 2 accept if b,s a,s z = 0 Secure against active attacks. to proof Can be amplified by repetition [KS 06].
72 HB Round Optimal (2 Rounds). Tight reduction: LPN ε-hard HB ε-secure. Passive security. HB+ Active Security. 3 Rounds (Prover must be stateful). Loose reduction: LPN ε-hard HB ε-secure. Reduction not Quantum (No Cloning Theorem.)
73 HB Round Optimal (2 Rounds). Tight reduction: LPN ε-hard HB ε-secure. Passive security. HB+ Active Security. 3 Rounds (Prover must be stateful). Loose reduction: LPN ε-hard HB ε-secure. Reduction not Quantum (No Cloning Theorem.) a 0 z 0 a 1 z 1
74 HB Round Optimal (2 Rounds). Tight reduction: LPN ε-hard HB ε-secure. Passive security. HB+ Active Security. 3 Rounds (Prover must be stateful). Loose reduction: LPN ε-hard HB ε-secure. Reduction not Quantum (No Cloning Theorem.) a 0 z 0 a 1? z 1
75 1 Nicholas J. Hopper, Manuel BlumSecure Human Identification Protocols. ASIACRYPT Ari Juels, Stephen A. Weis.Authenticating Pervasive Devices with Human Protocols. CRYPTO Jonathan Katz, Ji Sun Shin.Parallel and Concurrent Security of the HB and HB+ Protocols. EUROCRYPT Éric Levieil, Pierre-Alain Fouque.An Improved LPN Algorithm. SCN Henri Gilbert, Matt Robshaw, Herve Sibert.An Active Attack Against HB+ - A Provably Secure Lightweight Authentication Protocol. Cryptology eprint Archive. 6 Jonathan Katz, Adam Smith.Analyzing the HB and HB+ Protocols in the Large Error Case. Cryptology eprint Archive. 7 Julien Bringer, Hervé Chabanne, Emmanuelle Dottax.HB++.a Lightweight Authentication Protocol Secure against Some Attacks. SecPerU Jonathan Katz.Efficient Cryptographic Protocols Based on the Hardness of Learning Parity with Noise. IMA Int. Conf Jorge Munilla, Alberto Peinado.HB-MP.A further step in the HB-family of lightweight authentication protocols. Computer Networks 51(9) (2007) 10 Dang Nguyen Duc, Kwangjo Kim.Securing HB+ against GRS Man-in-the-Middle Attack. Proc. Of SCIS 2007, Abstracts pp.123, Jan , 2007, Sasebo, Japan. 11 Henri Gilbert, Matthew J. B. Robshaw, Yannick Seurin.HB#.Increasing the Security and Efficiency of HB+. EUROCRYPT Henri Gilbert, Matthew J. B. Robshaw, Yannick Seurin.Good Variants of HB+ Are Hard to Find. Financial Cryptography Henri Gilbert, Matthew J. B. Robshaw, Yannick Seurin.How to Encrypt with the LPN Problem. ICALP (2) Julien Bringer, Herv Chabanne.Trusted-HB.A Low-Cost Version of HB+ Secure Against Man-in-the-Middle Attacks. IEEE Transactions on Information Theory 54(9) (2008). 15 Khaled Ouafi, Raphael Overbeck, Serge Vaudenay.On the Security of HB# against a Man-in-the-Middle Attack. ASIACRYPT Zbigniew Golebiewski, Krzysztof Majcher, Filip Zagorski, Marcin Zawada.Practical Attacks on HB and HB+ Protocols. Cryptology eprint Archive. 17 Xuefei Leng, Keith Mayes, Konstantinos Markantonakis.HB-MP+ Protocol.An Improvement on the HB-MP Protocol. IEEE International Conference on RFID, 2008 April Dmitry Frumkin, Adi Shamir.Un-Trusted-HB.Security Vulnerabilities of Trusted-HB. Cryptology eprint Archive.
76 New Authentication Protocol Active Security. Round Optimal (2 Rounds). Tight (Quantum) Reduction.
77 Subset LPN Subspace LWE, K.Pietrzak, TCC 2012.
78 LPN s Z m 2
79 LPN s Z m 2 r Z m 2 e Ber τ
80 LPN s Z m 2 r, r,s +e r Z m 2 e Ber τ
81 Subset LPN s Z m 2 n m v Z m 2, v 1 = n
82 Subset LPN s Z m 2 n m v Z m 2, v 1 = n r, r,s v +e r Z n 2 e Ber τ m = 6,n = 3 s = v = s v = 0 0 1
83 Subset LPN s Z m 2 n m v Z m 2, v 1 = n r, r,s v +e (m,n,τ) Subset LPN Assumption Hard to distinguish outputs from uniform.
84 Subset LPN s Z m 2 n m v Z m 2, v 1 = n r, r,s v +e (m,n,τ) Subset LPN Assumption Hard to distinguish outputs from uniform. (m,n,τ) Subset LPN (n,τ) LPN.
85 Subset LPN s Z m 2 n m v Z m 2, v 1 = n r, r,s v +e (m,n,τ) Subset LPN Assumption Hard to distinguish outputs from uniform. (m,n,τ) Subset LPN (n,τ) LPN. Theorem (n,τ) LPN (m,n d,τ) Subset LPN (2 d = negl)
86 Authentication from Subset LPN
87 P(s) HB and Friends a a,s e V(s) P(s) New Approach v a, a,s v e V(s)
88 P(s) HB and Friends a a,s e V(s) a Z l 2 P(s) a Z l 2 New Approach v a, a,s v e V(s)
89 Active Security in Two Rounds to proof τ = 0.1 P(s) a Z l 2 e Ber τ z := a,s v e s Z 2l 2 v a,z V(s) v Z 2l 2, v 1 = l accept if a,s v z 1 0.2n }{{} e
90 Active Security in Two Rounds to proof τ = 0.1 s Z 2l 2 n : # of repetitions. P(s) A Z l n 2 e Ber n τ z := A T s v e v A,z V(s) v Z 2l 2, v 1 = l accept if A T s v z 1 0.2n }{{} e and rank(a) = n
91 Active Security of New Protocol to protocol If who breaks active security, then Subset LPN is not hard.
92 Active Security of New Protocol to protocol If s Z l 2 who breaks active security, then Subset LPN is not hard. 1st Phase of Active Attack Simulates P(s)
93 Active Security of New Protocol to protocol If who breaks active security, then Subset LPN is not hard. s Z l 2 1st Phase of Active Attack Simulates P(s) v
94 Active Security of New Protocol to protocol If who breaks active security, then Subset LPN is not hard. s Z l 2 v 1st Phase of Active Attack Simulates P(s) v
95 Active Security of New Protocol to protocol If who breaks active security, then Subset LPN is not hard. s Z l 2 v A,A T s v e 1st Phase of Active Attack Simulates P(s) v
96 Active Security of New Protocol to protocol If s Z l 2 who breaks active security, then Subset LPN is not hard. v A,A T s v e 1st Phase of Active Attack Simulates P(s) v A,A T s v e
97 Active Security of New Protocol to protocol If s Z l 2 who breaks active security, then Subset LPN is not hard. v A,A T s v e 2nd Phase of Active Attack Simulates V(s) v A,A T s v e
98 Active Security of New Protocol to protocol If s Z l 2 who breaks active security, then Subset LPN is not hard. v A,A T s v e 2nd Phase of Active Attack Simulates V(s) v A,A T s v e v
99 Active Security of New Protocol to protocol If s Z l 2 who breaks active security, then Subset LPN is not hard. v A,A T s v e 2nd Phase of Active Attack Simulates V(s) v A,A T s v e v A,A T s v e
100 Active Security of New Protocol to protocol If s Z l 2 who breaks active security, then Subset LPN is not hard. v A,A T s v e 2nd Phase of Active Attack Simulates V(s) v A,A T s v e v A,A T s v e If e Ber n τ simulation of P(s) perfect e 1 0.2n. If e uniform s hidden e uniform e 1 0.5n.
101 Active Security of New Protocol to protocol If s Z l 2 who breaks active security, then Subset LPN is not hard. v A,A T s v e 2nd Phase of Active Attack Simulates V(s) v A,A T s v e v A,A T s v e If e Ber n τ simulation of P(s) perfect e 1 0.2n. If e uniform s hidden e uniform e 1 0.5n. But... can t compute e 1 from A,A T s v e.
102 Active Security of New Protocol to protocol If s Z l 2 who breaks active security, then Subset LPN is not hard. v A,A T s v e 2nd Phase of Active Attack Simulates V(s) v A,A T s v e v A,A T s v e If e Ber n τ simulation of P(s) perfect e 1 0.2n. If e uniform s hidden e uniform e 1 0.5n. But... can t compute e 1 from A,A T s v e. Simulate protocol for key ŝ Z 2l 2 such that ŝ v known ŝ v = s
103 Length of LPN secret l 500 # Repetitions n 160 Efficiency Keysize 4l = 2000 bits Communication 2ln 20kb Computation (small multiple of) ln.
104 Length of LPN secret l 500 # Repetitions n 160 Efficiency Keysize 4l = 2000c bits Communication 2ln 20kb/c Computation (small multiple of) ln. Communication vs. Keysize tradeoff c {1,...,n}.
105 Length of LPN secret l 500 # Repetitions n 160 Efficiency Keysize 4l = 2000c bits Communication 2ln 20kb/c Computation (small multiple of) ln. Communication vs. Keysize tradeoff c {1,...,n}. Protocol with Communication & Key-size l and computation l log l from Field-LPN (FSE 2012, with S.Heyse, E.Kiltz, V.Lyubashevsky, C.Paar) First prototype implemented.
106 Questions?
Computer Security CS 526
Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability
More informationCryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1
Cryptography CS 555 Topic 11: Encryption Modes and CCA Security CS555 Spring 2012/Topic 11 1 Outline and Readings Outline Encryption modes CCA security Readings: Katz and Lindell: 3.6.4, 3.7 CS555 Spring
More informationUsing HB Family of Protocols for Privacy-Preserving Authentication of RFID Tags in a Population
Using HB Family of Protocols for Privacy-Preserving Authentication of RFID Tags in a Population Tzipora Halevi 1, Nitesh Saxena 1, Shai Halevi 2 1 Polytechnic Institue of New York University, 2 IBM T.
More informationAuthenticating Pervasive Devices with Human Protocols
Authenticating Pervasive Devices with Human Protocols Presented by Xiaokun Mu Paper Authors: Ari Juels RSA Laboratories Stephen A. Weis Massachusetts Institute of Technology Authentication Problems It
More informationInformation Security CS526
Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for
More informationCSC 5930/9010 Modern Cryptography: Public Key Cryptography
CSC 5930/9010 Modern Cryptography: Public Key Cryptography Professor Henry Carter Fall 2018 Recap Number theory provides useful tools for manipulating integers and primes modulo a large value Abstract
More informationIND-CCA2 secure cryptosystems, Dan Bogdanov
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee 1 Overview Notion of indistinguishability The Cramer-Shoup cryptosystem Newer results
More information1 Achieving IND-CPA security
ISA 562: Information Security, Theory and Practice Lecture 2 1 Achieving IND-CPA security 1.1 Pseudorandom numbers, and stateful encryption As we saw last time, the OTP is perfectly secure, but it forces
More informationCSC 5930/9010 Modern Cryptography: Digital Signatures
CSC 5930/9010 Modern Cryptography: Digital Signatures Professor Henry Carter Fall 2018 Recap Implemented public key schemes in practice commonly encapsulate a symmetric key for the rest of encryption KEM/DEM
More informationCSC 5930/9010 Modern Cryptography: Cryptographic Hashing
CSC 5930/9010 Modern Cryptography: Cryptographic Hashing Professor Henry Carter Fall 2018 Recap Message integrity guarantees that a message has not been modified by an adversary Definition requires that
More informationCryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44
Cryptography Today Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 About the Course Regular classes with worksheets so you can work with some concrete examples (every Friday at 1pm).
More informationWhat Can Be Proved About Security?
What Can Be Proved About Security? Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in Centre for Artificial Intelligence and Robotics Bengaluru 23 rd
More informationUltra-Lightweight Cryptography
Ultra-Lightweight Cryptography F.-X. Standaert UCL Crypto Group European brokerage event, Cryptography Paris, September 2016 Outline Introduction Symmetric cryptography Hardware implementations Software
More informationMTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov October 31, 2005 Abstract Standard security assumptions (IND-CPA, IND- CCA) are explained. A number of cryptosystems
More informationCSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring 2018 5 and 6 February 2018 Identification schemes are mechanisms for Alice to prove her identity to Bob They comprise a setup
More informationBrief Introduction to Provable Security
Brief Introduction to Provable Security Michel Abdalla Département d Informatique, École normale supérieure michel.abdalla@ens.fr http://www.di.ens.fr/users/mabdalla 1 Introduction The primary goal of
More informationAuthenticated encryption
Authenticated encryption Mac forgery game M {} k R 0,1 s m t M M {m } t mac k (m ) Repeat as many times as the adversary wants (m, t) Wins if m M verify m, t = 1 Mac forgery game Allow the adversary to
More informationLightweight Privacy Preserving Authentication for RFID Using a Stream Cipher
Lightweight Privacy Preserving Authentication for RFID Using a Stream Cipher Olivier Billet, Jonathan Etrog, and Henri Gilbert Orange Labs RFID systems tags readers back end many types of systems system
More informationStrong Privacy for RFID Systems from Plaintext-Aware Encryption
Strong Privacy for RFID Systems from Plaintext-Aware Encryption Khaled Ouafi and Serge Vaudenay ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE http://lasec.epfl.ch/ supported by the ECRYPT project SV strong
More informationR-MAC A lightwheight authentication protocol for RFID Tags
R-MAC A lightwheight authentication protocol for RFID Tags Ahmad Khoureich Ka Dept. of Computer Science, Université Alioune Diop de Bambey, Sénégal, ahmadkhoureich.ka@uadb.edu.sn Abstract. Nowadays, RFID
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 50 Outline 1 Block Ciphers 2 The Data Encryption Standard (DES) 3 The Advanced Encryption Standard (AES) 4 Attacks
More informationsymmetric cryptography s642 computer security adam everspaugh
symmetric cryptography s642 adam everspaugh ace@cs.wisc.edu computer security Announcement Midterm next week: Monday, March 7 (in-class) Midterm Review session Friday: March 4 (here, normal class time)
More informationCryptographic protocols
Cryptographic protocols Lecture 3: Zero-knowledge protocols for identification 6/16/03 (c) Jussipekka Leiwo www.ialan.com Overview of ZK Asymmetric identification techniques that do not rely on digital
More informationGroup Key Establishment Protocols
Group Key Establishment Protocols Ruxandra F. Olimid EBSIS Summer School on Distributed Event Based Systems and Related Topics 2016 July 14, 2016 Sinaia, Romania Outline 1. Context and Motivation 2. Classifications
More informationPrivacy through Noise: A Design Space for Private Identification
Privacy through Noise: A Design Space for Private Identification Karsten Nohl University of Virginia nohl@cs.virginia.edu Abstract. To protect privacy in large systems, users must be able to authenticate
More information2 Secure Communication in Private Key Setting
CSA E0 235: Cryptography January 11, 2016 Instructor: Arpita Patra Scribe for Lecture 2 Submitted by: Jayam Modi 1 Discrete Probability Background Probability Distribution -A probability distribution over
More informationRFID Authentication: Security, Privacy and the Real World
RFID Authentication: Security, Privacy and the Real World ESC 2013 Jens Hermans KU Leuven - COSIC 15 January 2013 Introduction Cryptography in Daily Life RFID Introduction Cryptography in Daily Life Security
More informationEC500. Design of Secure and Reliable Hardware. Lecture 1 & 2
EC500 Design of Secure and Reliable Hardware Lecture 1 & 2 Mark Karpovsky January 17 th, 2013 1 Security Errors injected by the attacker (active attacks) Reliability Errors injected by random sources e.g.
More informationPublic-Key Cryptography
Computer Security Spring 2008 Public-Key Cryptography Aggelos Kiayias University of Connecticut A paradox Classic cryptography (ciphers etc.) Alice and Bob share a short private key using a secure channel.
More informationLightweight Cryptography for RFID Systems
Lightweight Cryptography for RFID Systems Guang Gong Department of Electrical and Computer Engineering University of Waterloo CANADA G. Gong (University of Waterloo)
More informationIntroduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell
Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering
More informationGoals of Modern Cryptography
Goals of Modern Cryptography Providing information security: Data Privacy Data Integrity and Authenticity in various computational settings. Data Privacy M Alice Bob The goal is to ensure that the adversary
More informationF-HB+: A Scalable Authentication Protocol for Low-Cost RFID Systems
F-HB+: A Scalable Authentication Protocol for Low-Cost RFID Systems O'Neill, M., & Cao, X. (2011). F-HB+: A Scalable Authentication Protocol for Low-Cost RFID Systems. In C. Turcu (Ed.), Current Trends
More informationPaper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage
1 Announcements Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage 2 Recap and Overview Previous lecture: Symmetric key
More informationCode-Based Cryptography McEliece Cryptosystem
Code-Based Cryptography McEliece Cryptosystem I. Márquez-Corbella 0 2. McEliece Cryptosystem 1. Formal Definition 2. Security-Reduction Proof 3. McEliece Assumptions 4. Notions of Security 5. Critical
More informationT Cryptography and Data Security
T-79.159 Cryptography and Data Security Lecture 10: 10.1 Random number generation 10.2 Key management - Distribution of symmetric keys - Management of public keys Kaufman et al: Ch 11.6; 9.7-9; Stallings:
More informationCryptology complementary. Symmetric modes of operation
Cryptology complementary Symmetric modes of operation Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 05 03 Symmetric modes 2018 05 03
More informationCryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1
Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography CS555 Spring 2012/Topic 16 1 Outline and Readings Outline Private key management between two parties Key management
More informationPseudorandomness and Cryptographic Applications
Pseudorandomness and Cryptographic Applications Michael Luby PRINCETON UNIVERSITY PRESS PRINCETON, NEW JERSEY Overview and Usage Guide Mini-Courses Acknowledgments ix xiii xv Preliminaries 3 Introduction
More informationLecture 1: Perfect Security
CS 290G (Fall 2014) Introduction to Cryptography Oct 2nd, 2014 Instructor: Rachel Lin 1 Recap Lecture 1: Perfect Security Scribe: John Retterer-Moore Last class, we introduced modern cryptography and gave
More information1-7 Attacks on Cryptosystems
1-7 Attacks on Cryptosystems In the present era, not only business but almost all the aspects of human life are driven by information. Hence, it has become imperative to protect useful information from
More informationIntroduction to Cryptography. Lecture 3
Introduction to Cryptography Lecture 3 Benny Pinkas March 6, 2011 Introduction to Cryptography, Benny Pinkas page 1 Pseudo-random generator seed s (random, s =n) Pseudo-random generator G Deterministic
More informationIdentification Schemes
Identification Schemes Lecture Outline Identification schemes passwords one-time passwords challenge-response zero knowledge proof protocols Authentication Data source authentication (message authentication):
More informationCryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi
Cryptographic Primitives A brief introduction Ragesh Jaiswal CSE, IIT Delhi Cryptography: Introduction Throughout most of history: Cryptography = art of secret writing Secure communication M M = D K (C)
More informationResearch Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel.
Research Statement Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel. lindell@cs.biu.ac.il www.cs.biu.ac.il/ lindell July 11, 2005 The main focus of my research is the theoretical foundations
More informationProofs for Key Establishment Protocols
Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish
More informationLecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model
CMSC 858K Advanced Topics in Cryptography March 11, 2004 Lecturer: Jonathan Katz Lecture 14 Scribe(s): Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze 1 A Note on Adaptively-Secure NIZK A close look
More informationCryptographic Primitives and Protocols for MANETs. Jonathan Katz University of Maryland
Cryptographic Primitives and Protocols for MANETs Jonathan Katz University of Maryland Fundamental problem(s) How to achieve secure message authentication / transmission in MANETs, when: Severe resource
More informationAdvanced Cryptography 1st Semester Symmetric Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 22th 2007 1 / 58 Last Time (I) Security Notions Cyclic Groups Hard Problems One-way IND-CPA,
More informationDistributed ID-based Signature Using Tamper-Resistant Module
, pp.13-18 http://dx.doi.org/10.14257/astl.2013.29.03 Distributed ID-based Signature Using Tamper-Resistant Module Shinsaku Kiyomoto, Tsukasa Ishiguro, and Yutaka Miyake KDDI R & D Laboratories Inc., 2-1-15,
More informationIntroduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space
Perfect Cipher Introduction to Cryptography Lecture 2 Benny Pinkas What type of security would we like to achieve? Given C, the adversary has no idea what M is Impossible since adversary might have a-priori
More informationHomework 3: Solution
Homework 3: Solution March 28, 2013 Thanks to Sachin Vasant and Xianrui Meng for contributing their solutions. Exercise 1 We construct an adversary A + that does the following to win the CPA game: 1. Select
More informationProtocol for Privacy Protection in IoT
Security Analysis of Fan et al. Lightweight RFID Authentication Protocol for Privacy Protection in IoT Seyed Farhad Aghili and Hamid Mala Department of Information Technology Engineering, Faculty of Computer
More information: Practical Cryptographic Systems March 25, Midterm
650.445: Practical Cryptographic Systems March 25, 2010 Instructor: Matthew Green Midterm Name: As with any exam, please do not collaborate or otherwise share information with any other person. You are
More informationT Cryptography and Data Security
T-79.4501 Cryptography and Data Security Lecture 10: 10.1 Random number generation 10.2 Key management - Distribution of symmetric keys - Management of public keys Stallings: Ch 7.4; 7.3; 10.1 1 The Use
More informationCS 6903: Modern Cryptography Spring 2011
Lecture 1: Introduction CS 6903: Modern Cryptography Spring 2011 Nitesh Saxena NYU-Poly Outline Administrative Stuff Introductory Technical Stuff Some Pointers Course Web Page http://isis.poly.edu/courses/cs6903-s11
More informationCSE 127: Computer Security Cryptography. Kirill Levchenko
CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified
More informationLecture 8: Cryptography in the presence of local/public randomness
Randomness in Cryptography Febuary 25, 2013 Lecture 8: Cryptography in the presence of local/public randomness Lecturer: Yevgeniy Dodis Scribe: Hamidreza Jahanjou So far we have only considered weak randomness
More informationGrouping-Proof Protocol for RFID Tags: Security Definition and Scalable Construction
Scalable Grouping-proof Protocol for RFID Tags Grouping-Proof Protocol for RFID Tags: Security Definition and Scalable Construction Dang Nguyen Duc Department of Information and Communications Engineering,
More informationSecurity Models: Proofs, Protocols and Certification
Security Models: Proofs, Protocols and Certification Florent Autrau - Yassine Lakhnech - Jean-Louis Roch Master-2 Security, Cryptology and Coding of Information Systems ENSIMAG/Grenoble-INP UJF Grenoble
More informationScalable Grouping-proof Protocol for RFID Tags
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationAutomated Analysis and Synthesis of Modes of Operation and Authenticated Encryption Schemes
Automated Analysis and Synthesis of Modes of Operation and Authenticated Encryption Schemes Alex J. Malozemoff University of Maryland Joint work with Matthew Green, Viet Tung Hoang, and Jonathan Katz Presented
More informationBlock ciphers, stream ciphers
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Jan 31, 2018 Announcements Project 1 is out, due Feb 14 midnight Recall: Block cipher A
More informationCS 395T. Formal Model for Secure Key Exchange
CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,
More informationCS408 Cryptography & Internet Security
CS408 Cryptography & Internet Security Lectures 16, 17: Security of RSA El Gamal Cryptosystem Announcement Final exam will be on May 11, 2015 between 11:30am 2:00pm in FMH 319 http://www.njit.edu/registrar/exams/finalexams.php
More informationBlock ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016
Block ciphers CS 161: Computer Security Prof. Raluca Ada Popa February 26, 2016 Announcements Last time Syntax of encryption: Keygen, Enc, Dec Security definition for known plaintext attack: attacker provides
More informationSymmetric Cryptography
CSE 484 (Winter 2010) Symmetric Cryptography Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...
More informationCS 495 Cryptography Lecture 6
CS 495 Cryptography Lecture 6 Dr. Mohammad Nabil Alaggan malaggan@fci.helwan.edu.eg Helwan University Faculty of Computers and Information CS 495 Fall 2014 http://piazza.com/fci_helwan_university/fall2014/cs495
More informationFoundations of Cryptography CS Shweta Agrawal
Foundations of Cryptography CS 6111 Shweta Agrawal Course Information 4-5 homeworks (20% total) A midsem (25%) A major (35%) A project (20%) Attendance required as per institute policy Challenge questions
More informationA CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model
A CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model Jörn Müller-Quade European Institute for System Security KIT, Karlsruhe, Germany 04/23/09 Session ID: CRYP301 Session Classification:
More informationSymmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University
Symmetric-Key Cryptography Part 1 Tom Shrimpton Portland State University Building a privacy-providing primitive I want my communication with Bob to be private -- Alice What kind of communication? SMS?
More informationComputational Security, Stream and Block Cipher Functions
Computational Security, Stream and Block Cipher Functions 18 March 2019 Lecture 3 Most Slides Credits: Steve Zdancewic (UPenn) 18 March 2019 SE 425: Communication and Information Security 1 Topics for
More informationLecture 5. Constructions of Block ciphers. Winter 2018 CS 485/585 Introduction to Cryptography
1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 5 Portland State University Jan. 23, 2018 Lecturer: Fang Song Draft note. Version: January 25, 2018. Email fang.song@pdx.edu for comments and
More informationGreat Theoretical Ideas in Computer Science. Lecture 27: Cryptography
15-251 Great Theoretical Ideas in Computer Science Lecture 27: Cryptography What is cryptography about? Adversary Eavesdropper I will cut his throat I will cut his throat What is cryptography about? loru23n8uladjkfb!#@
More informationFeedback Week 4 - Problem Set
4/26/13 Homework Feedback Introduction to Cryptography Feedback Week 4 - Problem Set You submitted this homework on Mon 17 Dec 2012 11:40 PM GMT +0000. You got a score of 10.00 out of 10.00. Question 1
More informationSummary on Crypto Primitives and Protocols
Summary on Crypto Primitives and Protocols Levente Buttyán CrySyS Lab, BME www.crysys.hu 2015 Levente Buttyán Basic model of cryptography sender key data ENCODING attacker e.g.: message spatial distance
More informationChapter 3 : Private-Key Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 3 : Private-Key Encryption 1 Private-Key Encryption 3.1 Computational Security 3.1.1 The
More informationSymmetric Crypto MAC. Pierre-Alain Fouque
Symmetric Crypto MAC Pierre-Alain Fouque Message Authentication Code (MAC) Warning: Encryption does not provide integrity Eg: CTR mode ensures confidentiality if the blockcipher used is secure. However,
More informationCryptographically Secure Bloom-Filters
131 139 Cryptographically Secure Bloom-Filters Ryo Nojima, Youki Kadobayashi National Institute of Information and Communications Technology (NICT), 4-2-1 Nukuikitamachi, Koganei, Tokyo, 184-8795, Japan.
More informationLaconic Zero Knowledge to. Akshay Degwekar (MIT)
Laconic Zero Knowledge to Public Key Cryptography Akshay Degwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78, Goldwasser-Micali82] sk pk Public Key Encryption ct = Enc
More informationCryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security
Cryptography CS 555 Topic 8: Modes of Encryption, The Penguin and CCA security 1 Reminder: Homework 1 Due on Friday at the beginning of class Please typeset your solutions 2 Recap Pseudorandom Functions
More informationTwo Formal Views of Authenticated Group Diffie-Hellman Key Exchange
Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson 1, O. Chevassut 2,3, O. Pereira 2, D. Pointcheval 1 and J.-J. Quisquater 2 1 Ecole Normale Supérieure, 75230 Paris Cedex 05,
More informationRelated-key Attacks on Triple-DES and DESX Variants
Related-key Attacks on Triple-DES and DESX Variants Raphael C.-W. han Department of Engineering, Swinburne Sarawak Institute of Technology, 1st Floor, State Complex, 93576 Kuching, Malaysia rphan@swinburne.edu.my
More informationAnalysing the Molva and Di Pietro Private RFID Authentication Scheme
Proceedings - NN - RFIDSec08 Analysing the Molva and Di Pietro Private RFID Authentication Scheme Mate Soos INRIA Rhône-Alpes Abstract. The private RFID authentication scheme by Molva and Di Pietro uses
More informationEfficient Compilers for Authenticated Group Key Exchange
Efficient Compilers for Authenticated Group Key Exchange Qiang Tang and Chris J. Mitchell Information Security Group, Royal Holloway, University of London Egham, Surrey TW20 0EX, UK {qiang.tang, c.mitchell}@rhul.ac.uk
More informationMTAT Cryptology II. Entity Authentication. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Entity Authentication Sven Laur University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie?
More informationCOMP4109 : Applied Cryptography
COMP4109 : Applied Cryptography Fall 2013 M. Jason Hinek Carleton University Applied Cryptography Day 8 (and maybe 9) secret-key primitives Message Authentication Codes Pseudorandom number generators 2
More informationMTAT Cryptology II. Commitment Schemes. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Commitment Schemes Sven Laur University of Tartu Formal Syntax m M 0 (c,d) Com pk (m) pk Canonical use case Gen c d pk m Open pk (c,d) A randomised key generation algorithm Gen
More informationLow-Cost Untraceable Authentication Protocols for RFID
Low-Cost Untraceable Authentication Protocols for RFID [Extended and corrected version] ABSTRACT Yong Ki Lee EE EmSec University of California Los Angeles, CA, USA yklee93@kg21.net Dave Singelée IBBT COSIC
More informationNarrow-Bicliques: Cryptanalysis of Full IDEA. Gaetan Leurent, University of Luxembourg Christian Rechberger, DTU MAT
Narrow-Bicliques: Cryptanalysis of Full IDEA Dmitry Khovratovich, h Microsoft Research Gaetan Leurent, University of Luxembourg Christian Rechberger, DTU MAT Cryptanalysis 101 Differential attacks Linear
More informationALIKE: Authenticated Lightweight Key Exchange. Sandrine Agagliate, GEMALTO Security Labs
ALIKE: Authenticated Lightweight Key Exchange Sandrine Agagliate, GEMALTO Security Labs Outline: Context Description of ALIKE Generic description Full specification Security properties Chip Unforgeability
More informationHumanAUT Secure Human Identification Protocols
HumanAUT Secure Human Identification Protocols Adam Bender Manuel Blum Nick Hopper The ALADDIN Center Carnegie Mellon University What is HumanAUT?! HumanAUT stands for Human AUThentication " Authentication:
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 4 Markus Bläser, Saarland University Message authentication How can you be sure that a message has not been modified? Encyrption is not
More informationOVE EDFORS ELECTRICAL AND INFORMATION TECHNOLOGY
1 Information Transmission Chapter 6 Cryptology OVE EDFORS ELECTRICAL AND INFORMATION TECHNOLOGY Learning outcomes After this lecture the student should undertand what cryptology is and how it is used,
More informationDigital Signatures. Sven Laur University of Tartu
Digital Signatures Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic identity,
More informationpage 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas
Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher
More informationCryptography. Andreas Hülsing. 6 September 2016
Cryptography Andreas Hülsing 6 September 2016 1 / 21 Announcements Homepage: http: //www.hyperelliptic.org/tanja/teaching/crypto16/ Lecture is recorded First row might be on recordings. Anything organizational:
More informationBob k. Alice. CS 558 Lecture Deck(c) = c k. Continuation of Encryption
CS 558 Lecture 1-26-2017 Continuation of Encryption Review: Schemes - how we do encryption and/or decryption Definition of what it means to be secure(sometimes use to analyze a system) Proof that the scheme
More informationCryptography CS 555. Topic 1: Course Overview & What is Cryptography
Cryptography CS 555 Topic 1: Course Overview & What is Cryptography 1 Administrative Note Professor Blocki is traveling and will be back on Wednesday. E-mail: jblocki@purdue.edu Thanks to Professor Spafford
More information2.1 Basic Cryptography Concepts
ENEE739B Fall 2005 Part 2 Secure Media Communications 2.1 Basic Cryptography Concepts Min Wu Electrical and Computer Engineering University of Maryland, College Park Outline: Basic Security/Crypto Concepts
More information