Encryption from the Diffie-Hellman assumption. Eike Kiltz
- Chester Goodwin
- 6 years ago
Transcription
1 Encryption from the Diffie-Hellman assumption Eike Kiltz
2 Elliptic curve public-key crypto
Key-agreement / Signatures / Encryption
Diffie-Hellman 76: passive security
ElGamal 84: passive security
Hybrid DH (ECDH) / MQV: active security
Hybrid ElGamal (ECIES): active security
3 Security of Hybrid ElGamal
Only few people know:
Breaking Hybrid ElGamal in CCA (active) / Solving strong Diffie-Hellman problem
Even in the random-oracle model!
Problem 1: Strong DH problem? Computational Diffie-Hellman (CDH) given access to a Decisional Diffie-Hellman (DDH) oracle. Interactive assumption (or pairings).
Problem 2: Random oracle model?
4 This talk: Encryption from standard Diffie-Hellman assumptions
Twin Hybrid ElGamal encryption: security from the (standard) CDH problem in the ROM. Simple and generic trick.
Encryption without ROM (if time): based on Hashed DDH.
DH key-agreement: same picture!
5 More generally
HK07 PKE (HDDH); Twin ElGamal (DH); Waters IBE (DH)
Hybrid ElGamal (Strong DH); BB short signatures (strong q-BDHI); Gentry's IBE, (q-babbxyz)
Axis: weaker / assumptions/model / stronger
6 ElGamal encryption
7 Security? Indistinguishability (IND-CPA): Ciphertexts do not reveal any information about plaintext. Indistinguishability against chosen-ciphertext attacks (IND-CCA): As IND-CPA, but the adversary is allowed to ask arbitrary decryption queries.
8 Diffie-Hellman Assumptions
$G$ = prime-order group, $g$ = generator
$\mathrm{DH}_g(g^x, g^y) := g^{xy}$
Diffie-Hellman Assumption: given $g, X, Y$, computing $\mathrm{DH}_g(X,Y)$ is hard
Diffie-Hellman predicate: $\mathrm{DHP}_g(X,Y,Z) := [\mathrm{DH}_g(X,Y) = Z] \in \{0,1\}$
9 Hybrid ElGamal Encryption
Alice wants to encrypt $M$ to Bob
Bob: PK: $X = g^x$, SK: $x$
Alice: pick random $y$; $Y = g^y$, $K = H(Y, X^y)$, $c = K \cdot M$
Bob: $K = H(Y, Y^x)$, $M = K^{-1} \cdot c$
10 Security of ElGamal
Assume $H$ is a random oracle.
Then: Hybrid ElGamal is IND-CPA secure under the Diffie-Hellman assumption.
But not IND-CCA secure!
11 Hybrid ElGamal Encryption
Alice wants to encrypt $M$ to Bob
$H: G \to \{0,1\}^k$ hash function; $(E, D)$ is a symmetric cipher (AES)
Bob: PK: $X = g^x$, SK: $x$
Alice: pick random $y$; $Y = g^y$, $K = H(Y, X^y)$, $c = E_K(M)$
Bob: $K = H(Y, Y^x)$, $M = D_K(c)$
12 Hybrid ElGamal Encryption: IND-CCA security?
pk: $X = g^x$, $H$ (random oracle); sk: $x$
Encrypt(pk, M): pick random $y$; $Y = g^y$, $K = H(Y, X^y)$, $c = E_K(M)$. Ciphertext is $(Y, c)$.
Decrypt(sk, (Y, c)): $K = H(Y, Y^x)$, $M = D_K(c)$
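13 What a decryption query reveals
$G$ = prime-order group, $g$ = generator
Question: for $(Y, Z) \in G^2$, $\mathrm{DHP}_g(X,Y,Z) = ?$
CCA experiment: SK: $x$, PK: $X = g^x$. On query $\mathrm{Dec}(Y, c)$: $K = H(Y^x)$, $M' = D_K(c)$, return $M'$.
CCA adversary (given PK = $X$): pick random $M$; $c := E_{H(Z)}(M)$; query $\mathrm{Dec}(Y, c)$ and receive $M'$; conclude: $Y^x = Z \iff M' = M$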
14 Security under DH?
PK = $(g, X)$
One decryption query reveals $\mathrm{DHP}_g(X,Y,Z)$ for arbitrary tuples $(Y, Z) \in G^2$
No IND-CCA security under DH
Stronger assumption: strong DH assumption
15 Hierarchy of DH assumptions
Diffie-Hellman (DH) Assumption: given $g, X, Y$, computing $\mathrm{DH}_g(X,Y)$ is hard
Strong Diffie-Hellman (SDH) Assumption: given $g, X, Y$, computing $\mathrm{DH}_g(X,Y)$ with access to a $\mathrm{DHP}_g(X,\cdot,\cdot)$ oracle is hard
(Gap Diffie-Hellman Assumption): $\mathrm{DH}_g(X,Y)$ with access to a $\mathrm{DHP}_g(\cdot,\cdot,\cdot)$ oracle is hard
Assumptions: strong: Strong/Gap DH; weak: DLP/DH (axis: well-studied / un-studied)
16 Security of Hybrid ElGamal
Assume $H$ is a random oracle and $(E, D)$ is a CCA secure symmetric cipher.
Then [ABR01]: Hybrid ElGamal is CCA secure under the Strong Diffie-Hellman assumption.
17 Twin ElGamal (Cash, K., Shoup 08) Encryption from Diffie-Hellman CRYPTO 2007
18 Twinning Diffie-Hellman
Twin Diffie-Hellman Assumption (2DH)
Strong 2DH Assumption (interactive)
Theorem: strong is weak: DH $\iff$ Strong 2DH
Applications: Twin ElGamal; Twin Diffie-Hellman key-exchange; Twin Boneh-Franklin IBE,
19 Twin Diffie-Hellman Assumption
$\mathrm{2DH}_g(X_1, X_2, Y) := (\mathrm{DH}_g(X_1, Y), \mathrm{DH}_g(X_2, Y))$
Twin Diffie-Hellman Assumption (2DH): given $X_1, X_2, Y$, computing $\mathrm{2DH}_g(X_1, X_2, Y)$ is hard
$\mathrm{2DHP}_g(X_1, X_2, U, V_1, V_2) := [\mathrm{2DH}_g(X_1, X_2, U) = (V_1, V_2)]$
Strong 2DH assumption: given $X_1, X_2, Y$, computing $\mathrm{2DH}_g(X_1, X_2, Y)$ is hard even given access to a $\mathrm{2DHP}_g(X_1, X_2, \cdot, \cdot, \cdot)$ oracle
20 DH $\iff$ strong 2DH
Theorem: the DH assumption holds if and only if the strong 2DH assumption holds.
One direction is clear.
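21 Proof: DH $\Rightarrow$ strong 2DH
DH adversary: receives $(X_1, Y)$; picks random $r, s$; sets $X_2 := g^r X_1^s$; passes $(X_1, X_2, Y)$ to the strong 2DH adversary.
Strong 2DH adversary: asks queries $(U, V_1, V_2)$, expecting $\mathrm{2DHP}_g(X_1, X_2, U, V_1, V_2) = [U^{x_1} = V_1 \text{ and } U^{x_2} = V_2]$; outputs $(Z_1, Z_2)$.
DH adversary outputs $Z_1 = \mathrm{DH}_g(X_1, Y)$.
How to simulate 2DHP queries without knowing the secrets $x_1 = \log_g(X_1)$, $x_2 = \log_g(X_2)$?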
22 2DH Oracle Simulation
Correct answer: $\mathrm{2DHP}(X_1, X_2, U, V_1, V_2) = 1 \iff \mathrm{2DH}_g(X_1, X_2, U) = (V_1, V_2) \iff U^{x_1} = V_1$ and $U^{x_2} = V_2$
Idea, simulated answer: $\mathrm{SIM}(X_1, X_2, U, V_1, V_2) = 1 \iff U^r V_1^s = V_2$
Trapdoor lemma: conditioned on any fixed $X_2 = g^r X_1^s$: 2DHP = SIM with prob. $1 - 1/|G|$ (over $r, s$).
23 Proof of Trapdoor Lemma
$\mathrm{2DHP}(X_1, X_2, U, V_1, V_2)$: $U^{x_1} = V_1$ and $U^{x_2} = V_2$
$\mathrm{SIM}(X_1, X_2, U, V_1, V_2)$: $U^r V_1^s = V_2$, where $X_2 := g^r X_1^s$ ($x_2 = r + x_1 s$)
If 2DHP outputs 1: $V_2 = U^{x_2} = U^{r + x_1 s} = U^r V_1^s$, so SIM outputs 1.
24 Proof of Trapdoor Lemma
If 2DHP outputs 0, case 1: $U^{x_2} = V_2$ and $U^{x_1} \ne V_1$. Then $V_2 = U^{x_2} = U^{r + x_1 s} \ne U^r V_1^s$, so SIM outputs 0.
25 Proof of Trapdoor Lemma
If 2DHP outputs 0, case 2: $U^{x_2} \ne V_2$. Then $V_2 = U^r V_1^s \iff (V_2 / U^{x_2})^{1/s} = V_1 / U^{x_1}$ with $V_2 / U^{x_2} \ne 1$, so SIM outputs 0 with prob. $1 - 1/|G|$.
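26 Proof: DH $\Rightarrow$ strong 2DH
DH adversary: receives $(X_1, Y)$; picks random $r, s$; sets $X_2 := g^r X_1^s$; passes $(X_1, X_2, Y)$ to the strong 2DH adversary.
Queries $(U, V_1, V_2)$ are answered with $\mathrm{2DHP}_g(X_1, X_2, U, V_1, V_2) := [U^r V_1^s = V_2]$.
Strong 2DH adversary outputs $(Z_1, Z_2)$; DH adversary outputs $Z_1 = \mathrm{DH}_g(X_1, Y)$.
Trapdoor lemma: simulation almost perfect!
$\mathrm{Adv}_{\mathrm{DH}} \ge \mathrm{Adv}_{\mathrm{S2DH}} - Q/|G|$ ($Q$ = #2DHP adversary queries) q.e.d.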
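The trapdoor lemma can be checked exhaustively in a small group. The following Python sketch is an added example, not part of the original slides; the toy parameters (the order-11 subgroup of Z_23^* with g = 4) and all function names are assumptions chosen for illustration.

```python
# Added illustration (not from the slides): exhaustive check of the trapdoor
# test over a constructed toy group, the order-11 subgroup of Z_23^*, g = 4.
P, Q, G = 23, 11, 4

def group_elements():
    """All Q elements of the subgroup generated by G."""
    return [pow(G, i, P) for i in range(Q)]

def make_x2(X1, r, s):
    """The reduction's choice X2 := g^r * X1^s; it uses X1 only, never x1."""
    return (pow(G, r, P) * pow(X1, s, P)) % P

def twin_dhp(x1, x2, U, V1, V2):
    """Real 2DHP oracle: needs both secret exponents x1 and x2."""
    return pow(U, x1, P) == V1 and pow(U, x2, P) == V2

def sim(r, s, U, V1, V2):
    """Simulated oracle: checks U^r * V1^s = V2 using only the trapdoor (r, s)."""
    return (pow(U, r, P) * pow(V1, s, P)) % P == V2

def check_trapdoor_lemma(x1, x2):
    """For fixed X1, X2 compare SIM with 2DHP on every query (U, V1, V2) and
    every trapdoor (r, s) consistent with X2 = g^r * X1^s.

    Returns (false_rejects, worst_false_accepts): how often SIM rejects a
    correct tuple, and the largest number of trapdoors (out of Q) that wrongly
    accept any single incorrect tuple.
    """
    X1, X2 = pow(G, x1, P), pow(G, x2, P)
    elems = group_elements()
    false_rejects = 0
    worst_false_accepts = 0
    for U in elems:
        for V1 in elems:
            for V2 in elems:
                truth = twin_dhp(x1, x2, U, V1, V2)
                fooled = 0
                for s in range(Q):
                    r = (x2 - x1 * s) % Q      # the only r with x2 = r + x1*s
                    assert make_x2(X1, r, s) == X2
                    answer = sim(r, s, U, V1, V2)
                    if truth and not answer:
                        false_rejects += 1
                    elif answer and not truth:
                        fooled += 1
                worst_false_accepts = max(worst_false_accepts, fooled)
    return false_rejects, worst_false_accepts

if __name__ == "__main__":
    rejects, worst = check_trapdoor_lemma(3, 7)
    print(f"false rejects: {rejects}")
    print(f"worst case: {worst} of {Q} trapdoors accept a wrong tuple")
```

Correct tuples are never rejected, and any wrong tuple is accepted by at most one of the |G| possible trapdoors, which is the 1/|G| error per query that sums to the Q/|G| loss in the reduction.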
27 Hybrid ElGamal scheme
Secret key: $x_1, x_2$
Public key: $X_1 = g^{x_1}$, $X_2 = g^{x_2}$, $H$ (r.o.)
Encrypt: $Y = g^y$, $K = H(Y, X_1^y, X_2^y)$, $c = E_K(M)$. Ciphertext is $(Y, c) \in G \times \{0,1\}^{|M|}$.
Decrypt: $K = H(Y, Y^{x_1}, Y^{x_2})$, $M = D_K(c)$
28 Twin Hybrid ElGamal scheme
Secret key: $x_1, x_2$
Public key: $X_1 = g^{x_1}$, $X_2 = g^{x_2}$, $H$ (r.o.)
Encrypt: $Y = g^y$, $K = H(Y, X_1^y, X_2^y)$, $c = E_K(M)$. Ciphertext is $(Y, c) \in G \times \{0,1\}^{|M|}$.
Decrypt: $K = H(Y, Y^{x_1}, Y^{x_2})$, $M = D_K(c)$
29 Security of Twin Hybrid ElGamal
Assume $H$ is a random oracle and $(E, D)$ is a CCA secure symmetric cipher.
Then: Twin ElGamal is CCA secure under the Strong Twin Diffie-Hellman assumption (same as [ABR01]), which is equivalent to the Diffie-Hellman assumption.
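A runnable sketch of the Twin Hybrid ElGamal scheme from slide 28, added here as an example and not taken from the slides. Assumptions: a constructed toy group (p = 2039, q = 1019, g = 4), SHA-512 standing in for the random oracle H, a hash-based encrypt-then-MAC construction standing in for the CCA secure cipher (E, D), and a subgroup membership check on Y that the slides do not mention.

```python
import hashlib
import hmac
import secrets

# Constructed toy group (assumption of this example): the order-Q subgroup of
# Z_P^* with P = 2Q + 1. Far too small for real use; it keeps numbers readable.
P, Q, G = 2039, 1019, 4

def keygen():
    """Secret key (x1, x2); public key (X1, X2) = (g^x1, g^x2)."""
    x1, x2 = (secrets.randbelow(Q - 1) + 1 for _ in range(2))
    return (pow(G, x1, P), pow(G, x2, P)), (x1, x2)

def H(Y, Z1, Z2):
    """Stand-in for the random oracle: K = H(Y, Z1, Z2), split into two keys."""
    digest = hashlib.sha512(f"{Y}|{Z1}|{Z2}".encode()).digest()
    return digest[:32], digest[32:]

def _keystream(key, n):
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def sym_encrypt(keys, msg):
    """Stand-in for E_K: one-time keystream XOR, then HMAC over the result."""
    enc_key, mac_key = keys
    body = bytes(m ^ k for m, k in zip(msg, _keystream(enc_key, len(msg))))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def sym_decrypt(keys, blob):
    """Stand-in for D_K: returns None unless the MAC verifies."""
    enc_key, mac_key = keys
    if len(blob) < 32:
        return None
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, len(body))))

def in_group(Y):
    """Membership check for the order-Q subgroup (added, not on the slides)."""
    return isinstance(Y, int) and 1 <= Y < P and pow(Y, Q, P) == 1

def encrypt(pk, msg):
    """Y = g^y, K = H(Y, X1^y, X2^y), c = E_K(M); the ciphertext is (Y, c)."""
    X1, X2 = pk
    y = secrets.randbelow(Q - 1) + 1
    Y = pow(G, y, P)
    return Y, sym_encrypt(H(Y, pow(X1, y, P), pow(X2, y, P)), msg)

def decrypt(sk, ciphertext):
    """K = H(Y, Y^x1, Y^x2), M = D_K(c); None means the ciphertext is rejected."""
    x1, x2 = sk
    Y, c = ciphertext
    if not in_group(Y):
        return None
    return sym_decrypt(H(Y, pow(Y, x1, P), pow(Y, x2, P)), c)

if __name__ == "__main__":
    pk, sk = keygen()
    Y, c = encrypt(pk, b"constructed sample message")
    print(decrypt(sk, (Y, c)))
    print(decrypt(sk, ((Y * G) % P, c)))   # modified Y: rejected
```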
30 Efficiency?
| Scheme | Key size (pk, sk) | Encrypt | Decrypt | Assumption |
|---|---|---|---|---|
| ElGamal | (1,1) | 2 exp | 1 exp | Strong DH |
| Twin ElGamal | (2,2) | 3 exp | 1 exp | DH |
31 More applications of twinning.
32 Twinning Boneh and Franklin
Under the Strong Bilinear DH (BDH) assumption: Boneh-Franklin IBE [BF01] is CCA secure [LQ05]
Theorem: Strong 2BDH assumption $\iff$ BDH
Twin Boneh-Franklin: redundancy-free IBE; CCA security under the BDH assumption
Also works for Kasahara-Sakai [KS01],
33 More twinning
Non-interactive key exchange [DH76]
PAKE [AP05, ]
Diffie-Hellman self-corrector [Shoup01]
More generally: technique to upgrade schemes based on a strong DH type assumption to schemes based on a DH type assumption
34 Discussion: ROM
Proofs for (Twin) ElGamal are in the ROM
ROM is not sound [CGH98]
OAEP/RSA-FDH provable unprovable [DOP05,B07,KP09, ]
Cramer-Shoup: security based on the Decisional Diffie-Hellman assumption (DDH)
CDH in the ROM vs. DDH in the SM????
35 Alternatives to CS/KD?
Cash, K., Shoup 08: standard-model encryption from CDH. Impractical (uses Goldreich-Levin).
Hofheinz, K. 09: practical standard-model encryption from Factoring.
Hofheinz-K. 07: standard-model encryption from Hashed DDH. Hashed DDH lies between DDH and CDH. Relatively practical.
36 Decision DH Assumptions
Decision DH Assumption (DDH): distinguishing $(X, Y, \mathrm{DH}_g(X,Y))$ from $(X, Y, Z)$ is hard
Hashed Decision DH Assumption (HDDH): $H: G \to \{0,1\}^n$ = hash function; distinguishing $(X, Y, H(\mathrm{DH}_g(X,Y)))$ from $(X, Y, Z)$ is hard
Remarks: Hashed DDH lies between DDH and CDH; if $H$ is a RO: CDH = HDDH
37 HK 07 encryption
Secret key: x1, x2, w
Public key: $Z = g^z$, $X_1 = g^{x_1}$, $X_2 = g^{x_2}$
Encrypt: $Y_1 = g^y$, $Y_2 = (X_1^{[Y_1]} X_2)^y$, $K = H(Z^y)$, $c = E_K(M)$. Ciphertext is $(Y_1, Y_2, c)$.
Decrypt: reject if $Y_2 \ne Y_1^{x_1 [Y_1] + x_2}$; $K = H(Y_1^z)$, $M = D_K(c)$
$[Y_1]$ = binary repr. of $Y_1$
38 Security of HK07
Assume $(E, D)$ is authenticated symmetric encryption.
Then: HK07 is CCA secure under the Hashed Diffie-Hellman assumption.
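39 Efficiency?
| Scheme | Key size (pk, sk) | Encrypt | Decrypt | Assumption | Ciphertext overhead |
|---|---|---|---|---|---|
| ElGamal | (1,1) | 2 exp | 1 exp | SDH (RO) | $\lvert G\rvert$ + mac |
| Twin ElGamal | (2,2) | 3 exp | 1 exp | DH (RO) | $\lvert G\rvert$ + mac |
| HK07 | (2,2) | 3 exp | 1 exp | HDDH (SM) | $2\lvert G\rvert$ + mac |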
40 Conclusions
Standard ECC system: Hybrid ElGamal (ECIES). IND-CCA security under the Strong DH assumption (ROM).
Alternative 1: Hybrid Twin ElGamal. IND-CCA security under the DH assumption (ROM). Price: one exp. in encryption + one element in PK.
Alternative 2: HK 07 encryption. IND-CCA security under the HDDH assumption (standard model) / CDH assumption (ROM). Price: one more element in ciphertext.
41 Open problems: from strong to weak
Twin ElGamal (DH); HK07 PKE (HDDH); Sigs w/o ROM from DLP, CDH, factoring, ...?
Hybrid ElGamal (Strong DH); BB short signatures (strong q-BDHI); Gentry's IBE (q-abbxyz); IBE, HIBE, ...?
Axis: weaker / assumptions/model / stronger
42 Thank you!
Main references
[ABR01]: M. Abdalla, M. Bellare, P. Rogaway: The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES. CT-RSA
[CHK07]: D. Cash, E. Kiltz, V. Shoup: The Twin Diffie-Hellman Problem and Applications. EUROCRYPT 2008 & J. of Cryptology
[HK07]: D. Hofheinz, E. Kiltz: Secure Hybrid Encryption from Weakened Key Encapsulation. CRYPTO 2007
Homomorphic Encryption Travis Mayberry Cloud Computing Cloud Computing Cloud Computing Cloud Computing Cloud Computing Northeastern saves money on infrastructure and gets the benefit of redundancy and
More informationTuesday, January 17, 17. Crypto - mini lecture 1
Crypto - mini lecture 1 Cryptography Symmetric key cryptography (secret key crypto): sender and receiver keys identical Asymmetric key cryptography (public key crypto): encryption key public, decryption
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary Introduction Stream & Block Ciphers Block Ciphers Modes (ECB,CBC,OFB) Advanced Encryption Standard (AES) Message Authentication
More informationGrenzen der Kryptographie
Microsoft Research Grenzen der Kryptographie Dieter Gollmann Microsoft Research 1 Summary Crypto does not solve security problems Crypto transforms security problems Typically, the new problems relate
More informationPart VI. Public-key cryptography
Part VI Public-key cryptography Drawbacks with symmetric-key cryptography Symmetric-key cryptography: Communicating parties a priori share some secret information. Secure Channel Alice Unsecured Channel
More informationTrustworthy Computing under Identity-Based Encryption
Trustworthy Computing under Identity-Based Encryption Shabaaz Shaik 1, M.Srikanth Yadav 2 1 Asst.Professor, Dept.of IT, R.K College of Engineering, A.P., India. 2 Assoc.Professor & Head, Dept.of CSE, R.K
More informationSecurity Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017
Security Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017 Hyung Tae Lee 1, Huaxiong Wang 2, Kai Zhang 3, 4 1 Chonbuk National University, Republic of Korea 2 Nanyang
More informationLecture 20: Public-key Encryption & Hybrid Encryption. Public-key Encryption
Lecture 20: & Hybrid Encryption Lecture 20: & Hybrid Encryption Overview Suppose there is a 2-round Key-Agreement protocol. This means that there exists a protocol where Bob sends the first message m B
More informationRandomness Extractors. Secure Communication in Practice. Lecture 17
Randomness Extractors. Secure Communication in Practice Lecture 17 11:00-12:30 What is MPC? Manoj Monday 2:00-3:00 Zero Knowledge Muthu 3:30-5:00 Garbled Circuits Arpita Yuval Ishai Technion & UCLA 9:00-10:30
More informationCryptographically Secure Bloom-Filters
131 139 Cryptographically Secure Bloom-Filters Ryo Nojima, Youki Kadobayashi National Institute of Information and Communications Technology (NICT), 4-2-1 Nukuikitamachi, Koganei, Tokyo, 184-8795, Japan.
More informationHash Functions, Public-Key Encryption CMSC 23200/33250, Autumn 2018, Lecture 6
Hash Functions, Public-Key Encryption CMSC 23200/33250, Autumn 2018, Lecture 6 David Cash University of Chicago Plan 1. A few points about hash functions 2. Introducing Public-Key Encryption 3. Math for
More information