CSC 5930/9010 Modern Cryptography: Digital Signatures
1 CSC 5930/9010 Modern Cryptography: Digital Signatures Professor Henry Carter Fall 2018
2 Recap
- Implemented public key schemes in practice commonly encapsulate a symmetric key for the rest of encryption
  - KEM/DEM paradigm
- The D-H assumptions can be used to create CPA and CCA secure encryption schemes, depending on which assumption is used
  - El Gamal, DHIES
- The RSA assumption can be used to encrypt uniformly random values
  - If the message is not uniform, random padding must be applied
- There are numerous historical examples of encryption failures due to mis-implementation or misunderstanding of theoretical guarantees
  - Use crypto AS DOCUMENTED and ONLY for its intended purpose
3 New Guarantees
- Secrecy guarantee
  - Private-key encryption
  - Public-key encryption
  - Differences?
- Integrity/authenticity
  - Message Authentication Codes
  - Digital Signatures
  - Differences?
4 Digital Signatures
- A user possesses two keys, a signing key (private) and a verifying key (public)
- Generate a signature over a message with the signing key
- Verify a signature using the public verifying key
- As long as the verifying key is trusted, the signature verifies the message
5 Differences in the public-key model
- Solves key management issues
  - Like encryption
- Provides new guarantees
  - Publicly verifiable and transferable
  - Non-repudiation
  - NOT possible in the private-key setting
6 Definition
- Gen: given an input $1^n$, outputs a pair of keys (pk, sk)
- Sign: given an input sk and a message m, outputs a signature σ
- Vrfy: given an input pk, m, and σ, outputs a bit b such that b = 1 if the signature is valid for the given message
- As usual, fixed-length variants are possible
7 Sig-forge
The signature experiment $\mathsf{Sig\text{-}forge}_{\mathcal{A},\Pi}(n)$:
1. Run $\mathsf{Gen}(1^n)$ to obtain $(pk, sk)$.
2. $\mathcal{A}$ is given $pk$ and oracle access to $\mathsf{Sign}_{sk}(\cdot)$. The adversary outputs $(m, \sigma)$. Let $Q$ denote the set of all queries that $\mathcal{A}$ asked its oracle.
3. $\mathcal{A}$ succeeds if and only if (1) $\mathsf{Vrfy}_{pk}(m, \sigma) = 1$ and (2) $m \notin Q$.
A signature scheme is existentially unforgeable if, for all PPT adversaries: $\Pr[\mathsf{Sig\text{-}forge}_{\mathcal{A},\Pi}(n) = 1] \le \mathsf{negl}(n)$
8 Hash-and-sign
- Recall: public-key schemes are inefficient!
- Rather than sign a full message, we generally sign a hash of the message
  - Like the hash-and-mac scheme
- Requires an adversary to either forge the signature or find a collision in the hash
9 Hash-and-sign
Let $\Pi = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vrfy})$ be a signature scheme for messages of length $\ell(n)$, and let $\Pi_H = (\mathsf{Gen}_H, H)$ be a hash function with output length $\ell(n)$. Construct the signature scheme $\Pi'$ as follows:
- $\mathsf{Gen}'$: on input $1^n$, run $\mathsf{Gen}(1^n)$ to obtain $(pk, sk)$ and run $\mathsf{Gen}_H(1^n)$ to obtain $s$. The public key is $\langle pk, s \rangle$ and the private key is $\langle sk, s \rangle$.
- $\mathsf{Sign}'$: on input $\langle sk, s \rangle$ and $m$, output $\mathsf{Sign}_{sk}(H^s(m))$.
- $\mathsf{Vrfy}'$: on input $\langle pk, s \rangle$, $m$, $\sigma$, output $\mathsf{Vrfy}_{pk}(H^s(m), \sigma)$.
Think about the proof of security on your own
10 RSA-based signatures
- The RSA problem can be used in a similar way to encryption to sign a message
  - Intuition: reverse the roles of the keys
- The basic scheme follows naturally
  - But, like encryption, is NOT provably secure
11 Plain RSA Signatures
Let GenRSA be as in the previous text:
- $\mathsf{Gen}'$: on input $1^n$, run $\mathsf{GenRSA}(1^n)$ to obtain $(N, e, d)$. The public key is $\langle N, e \rangle$ and the private key is $\langle N, d \rangle$.
- $\mathsf{Sign}'$: on input $\langle N, d \rangle$ and $m$, output $\sigma := [m^d \bmod N]$.
- $\mathsf{Vrfy}'$: on input $\langle N, e \rangle$, $m$, $\sigma$, output 1 iff $m = [\sigma^e \bmod N]$
12 Problems
- As in the encryption case, the RSA problem applies to uniform messages, not arbitrary messages
- No-message attacks: choose a random signature and compute the corresponding message
- Two-message attacks: for an arbitrary message $m$, obtain signatures for $m_1$ and $m_2$ such that $m = m_1 \times m_2$
  - The product of the signatures is valid for $m$
13 Solution: Hashing
- Recall: padding the message to produce a roughly uniform input solved the issues with plain RSA
- Here, we don't necessarily need to reverse the signing process, just verify correctness
- We can use a full-domain hash to map messages uniformly onto the domain of the RSA function
14 RSA-FDH
Let GenRSA be as in the previous text:
- $\mathsf{Gen}'$: on input $1^n$, run $\mathsf{GenRSA}(1^n)$ to obtain $(N, e, d)$. The public key is $\langle N, e \rangle$ and the private key is $\langle N, d \rangle$. As part of generation, a function $H : \{0,1\}^* \to \mathbb{Z}_N^*$ is specified.
- $\mathsf{Sign}'$: on input $\langle N, d \rangle$ and $m$, output $\sigma := [H(m)^d \bmod N]$.
- $\mathsf{Vrfy}'$: on input $\langle N, e \rangle$, $m$, $\sigma$, output 1 iff $H(m) = [\sigma^e \bmod N]$
15 Security Intuition
- No-message attack: hard to go backwards from a signature to a message
  - Solved if the hash is preimage-resistant
- Two-message attack: need to remove "multiplicative relations" ¯\_(ツ)_/¯
  - Hard to find collisions in general
  - Collision-resistant
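The two plain-RSA forgeries from slide 12 and the effect of the full-domain hash from slides 14-15, as an added Python example (not from the slides). The key is a constructed toy key, and `fdh` is an assumed counter-mode SHA-256 construction used for illustration, not the PKCS #1 encoding.

```python
import hashlib

# Constructed toy key: two known Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private signing exponent


# --- Plain RSA: sigma = m^d mod N, accept iff m == sigma^e mod N ---
def plain_sign(m: int) -> int:
    return pow(m % N, D, N)


def plain_verify(m: int, sigma: int) -> bool:
    return 0 <= m < N and pow(sigma, E, N) == m


def no_message_forgery(sigma: int):
    """Pick sigma first, then derive the message it signs. No signing queries."""
    return pow(sigma, E, N), sigma


def two_message_forgery(m: int, sign_oracle):
    """Forge on m from signatures on m1, m2 with m = m1 * m2 mod N.

    Returns the forged signature and the list of messages actually queried.
    """
    m1 = 2                                # any value invertible mod N works
    m2 = m * pow(m1, -1, N) % N
    queried = [m1, m2]
    sigma = sign_oracle(m1) * sign_oracle(m2) % N
    return sigma, queried


# --- RSA-FDH: sign H(m) instead of m ---
def fdh(msg: bytes) -> int:
    """Assumed full-domain hash: SHA-256 in counter mode, wider than N, reduced mod N."""
    need = (N.bit_length() + 128 + 7) // 8
    out, ctr = b"", 0
    while len(out) < need:
        out += hashlib.sha256(ctr.to_bytes(4, "big") + msg).digest()
        ctr += 1
    return int.from_bytes(out[:need], "big") % N


def fdh_sign(msg: bytes) -> int:
    return pow(fdh(msg), D, N)


def fdh_verify(msg: bytes, sigma: int) -> bool:
    return pow(sigma, E, N) == fdh(msg)


def fdh_resists_product_trick() -> bool:
    """The product of two FDH signatures signs H(a)*H(b) mod N, which is not
    the hash of any message built from a and b."""
    a, b = b"transfer 10", b"to alice"
    sigma = fdh_sign(a) * fdh_sign(b) % N
    return not any(fdh_verify(c, sigma) for c in (a + b, b + a, a, b))


if __name__ == "__main__":
    m, s = no_message_forgery(123456789)
    print("no-message forgery verifies:", plain_verify(m, s))
    target = int.from_bytes(b"pay 1000", "big")
    s, asked = two_message_forgery(target, plain_sign)
    print("two-message forgery verifies:", plain_verify(target, s),
          "| target queried:", target in asked)
    print("FDH rejects the product:", fdh_resists_product_trick())
```

With the hash in place, the no-message trick would require finding a message whose hash equals a chosen value, which is the preimage requirement stated on the slide.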
16 Random Oracles
- We don't have an H for which we can prove security of RSA-FDH!
- If we assume H is modeled as a random oracle that maps inputs uniformly onto $\mathbb{Z}_N^*$, we can prove security
- This requires a new proof technique that we have not covered
17 What is it?
- The random oracle model is a proof technique that treats a hash function as a publicly accessible, truly random function
- This means that, along with any oracles associated with a security game, there is an additional oracle H(·) that may be queried
- For our reductions, in addition to simulating the game oracles for an internal adversary, we must also simulate H (and use it to glean information from the internal A)
18 Important Caveats
- The random oracle model is a proof technique, not a cryptographic assumption
- We cannot instantiate a random oracle since a real adversary may always examine the code of H
- There are schemes that can be shown secure in the R.O. model that cannot be securely instantiated
  - No matter how the R.O. is constructed
- Why use this if it doesn't map to a real-world scheme?
  - Some proof is better than no proof
19 Use in proofs
- Three properties of H():
  - If x has not been queried, the value H(x) can be assumed to be uniformly random to the observer
  - Extractability: if an internal adversary queries H(x), the external adversary can see x
  - Programmability: the external adversary may set the value for H(x) as long as the value is correctly distributed
- As an internal adversary queries H, the external adversary maintains a mapping of x to H(x) and generates the outputs "on-the-fly"
  - A polynomial adversary will only query H() a polynomial number of times
20 Example: modeling a c-r hash as a RO
- An adversary is given oracle access to H
- The adversary succeeds if it outputs distinct x, x' that collide in H
- Probability of success can be divided into cases where A queries x' to H and A doesn't query x'
- In the first case, we have the birthday bound for whether or not A finds a collision
- In the second case, we have a uniform guess
21 Example: modeling a PRG as a RO
- Premise: negligible function such that a distinguisher with oracle access can't distinguish
- Break success probability into two categories: x queried or not
- x is queried with negligible probability since no information about x is given and q << l in
- When x is not queried, H(x) is a uniform, independent string, just like y
22 RSA-FDH proof
- Intuition: we need to build a reduction that can solve the RSA problem using an adversary attacking RSA-FDH and with access to a RO modeling the FDH
- We "program" the RO with an instance of the external RSA problem
- When A forges a signature, if it forges on the programmed query, we can win the RSA game
23 Proof Build modified Sig-forge experiments
24 Proof Build the (modified) reduction
25 Proof
- Justify that the probability of success is the standard probability divided by q(n)
- Substitute to bound using RSA assumption
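The reduction outlined on slides 22-25, as an added Python sketch (not from the slides): it programs the random oracle with the RSA challenge y at its guessed query index j and answers signing queries without knowing d. The toy key, the message names and the stand-in forger, which is handed d only so that it produces valid forgeries, are constructed for illustration.

```python
import random

# Constructed toy RSA instance (two Mersenne primes; far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # used only by the stand-in forger below


class Abort(Exception):
    """The forger asked for a signature on the programmed message."""


def reduction(n, e, y, forger, j, rng):
    """Try to output x with x^e = y mod n, using a forger against RSA-FDH.

    j is the guessed index of the hash query the forgery will be on.
    The reduction never sees d: it controls H instead.
    """
    table = {}                       # m -> (H(m), known signature or None)

    def H(m):
        if m not in table:
            if len(table) == j:
                table[m] = (y, None)             # program the RSA challenge
            else:
                sigma = rng.randrange(1, n)      # pick the signature first,
                table[m] = (pow(sigma, e, n), sigma)  # then define H(m) = sigma^e
        return table[m][0]

    def sign(m):
        H(m)
        sigma = table[m][1]
        if sigma is None:
            raise Abort              # cannot sign the programmed point
        return sigma

    try:
        m, sigma = forger(n, e, H, sign)
    except Abort:
        return None
    H(m)
    if table[m][1] is None and pow(sigma, e, n) == y:
        return sigma                 # sigma is the e-th root of y
    return None


def make_forger(d, q, target):
    """Stand-in for a successful forger: makes q hash queries, asks for
    signatures on all but one message, and forges on that one (using d)."""
    def forger(n, e, H, sign):
        msgs = [b"msg-%d" % i for i in range(q)]
        digests = [H(m) for m in msgs]
        for i, m in enumerate(msgs):
            if i != target:
                sign(m)
        return msgs[target], pow(digests[target], d, n)
    return forger


def wins_per_guess(q=8, target=3, seed=1):
    """Run the reduction once for every possible guess j (the proof picks j
    uniformly); exactly one guess in q succeeds, hence the 1/q(n) factor."""
    rng = random.Random(seed)
    x = rng.randrange(2, N)
    y = pow(x, E, N)                 # RSA challenge whose e-th root is x
    forger = make_forger(D, q, target)
    return x, [reduction(N, E, y, forger, j, rng) for j in range(q)]


if __name__ == "__main__":
    x, results = wins_per_guess()
    print("successful guesses:", [j for j, r in enumerate(results) if r is not None])
    print("recovered root matches:", results[3] == x)
```

Defining H(m) as the e-th power of a uniform value keeps the programmed outputs correctly distributed, which is the condition slide 19 places on programmability.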
26 In practice: RSA PKCS #1 v. 2.1
- The standard includes a "salted" version of RSA-FDH
- The hash function cannot be instantiated with an off-the-shelf hash, as these typically output values that are too small (do not cover the full domain)
- Typically instantiated with repeated invocations of a cryptographic hash
27 Discrete-log signatures
- In general, the DL-problem is less amenable to signature schemes than RSA
- These signatures are commonly constructed from identification schemes
- An identification scheme can be converted into a signature scheme using a standard transformation
28 Schnorr ID Scheme
- Goal: given a prover P with a secret value x, the verifier V needs to verify that P holds x (without learning x)
- The Schnorr ID scheme uses two group exponentiations to verify possession of x
29 Fiat-Shamir Transform
- The Fiat-Shamir transformation binds a message to the identity I in an identification scheme using a hash
- The first two rounds are computed by a signer, the verification is computed by the verifier
- Can be proven secure if the hash is modeled as a random oracle
30 Fiat-Shamir
Let $(\mathsf{Gen}_{id}, P_1, P_2, V)$ be an identification scheme. Construct a signature scheme as:
- $\mathsf{Gen}'$: on input $1^n$, run $\mathsf{Gen}_{id}(1^n)$ to obtain $pk, sk$. The public key specifies a set of possible challenges $\Omega_{pk}$. As part of generation, a function $H : \{0,1\}^* \to \Omega_{pk}$ is specified.
- $\mathsf{Sign}'$: on input $sk$ and $m$,
  1. Compute $(I, st) \leftarrow P_1(sk)$.
  2. Compute $r := H(I, m)$.
  3. Compute $s := P_2(sk, st, r)$.
  Output $(r, s)$.
- $\mathsf{Vrfy}'$: on input $pk$, $m$, $(r, s)$, compute $I := V(pk, r, s)$ and output 1 iff $H(I, m) = r$
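The transform above instantiated with the Schnorr identification scheme from slide 28, as an added Python example (not from the slides). The 61-bit group order, the search for p, and the SHA-256 challenge hash are assumptions chosen for illustration; the group is far too small for real use.

```python
import hashlib
import secrets


def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed small-prime bases; adequate for the toy sizes used here."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


# Toy group: subgroup of prime order Q inside Z_P^*, with P = K*Q + 1 prime.
Q = 2**61 - 1
K = next(k for k in range(2, 10_000, 2) if is_prime(k * Q + 1))
P = K * Q + 1
G = pow(2, K, P)                      # has order Q because Q is prime and G != 1
assert G != 1


# --- Schnorr identification scheme (Gen_id, P1, P2, V) ---
def gen():
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x            # pk = g^x, sk = x


def p1(sk):
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), k            # first message I = g^k, state st = k


def p2(sk, st, r):
    return (r * sk + st) % Q          # response s = r*x + k mod Q


def v(pk, r, s):
    # Recompute I = g^s * pk^(-r) with two exponentiations; pk^(Q-r) = pk^(-r).
    return pow(G, s, P) * pow(pk, Q - r, P) % P


# --- Fiat-Shamir: the challenge r is H(I, m) instead of the verifier's choice ---
def H(I: int, m: bytes) -> int:
    width = (P.bit_length() + 7) // 8              # fixed-width encoding of I
    digest = hashlib.sha256(I.to_bytes(width, "big") + m).digest()
    return int.from_bytes(digest, "big") % Q       # challenge set is Z_Q


def sign(sk, m: bytes):
    I, st = p1(sk)
    r = H(I, m)
    return r, p2(sk, st, r)


def verify(pk, m: bytes, sig) -> bool:
    r, s = sig
    if not (0 <= r < Q and 0 <= s < Q):
        return False
    return H(v(pk, r, s), m) == r


if __name__ == "__main__":
    pk, sk = gen()
    sig = sign(sk, b"pay 10 to alice")
    print("valid:", verify(pk, b"pay 10 to alice", sig))
    print("altered message:", verify(pk, b"pay 1000 to alice", sig))
```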
31 DSA and ECDSA
- A commonly deployed signature scheme is the Digital Signature Algorithm (and the elliptic-curve variant)
- Works similarly to the Schnorr signature scheme but computes the challenge using two random values instead of one
- Note that the transform used for DSA is not identical to Fiat-Shamir, but the reasoning behind security is similar
32 Recap
- Digital signatures provide message authenticity and integrity in the public-key setting
  - As well as public verifiability and non-repudiation
- Definitions of security mirror the MAC definitions
  - And still do not capture attacks like replays
- RSA-FDH provides a secure digital signature if the full-domain hash is modeled as a random oracle
- RO proofs provide some assurance of correct construction but do not map to a traditionally secure proof based on reasonable assumptions
33 Next Time...
- Katz & Lindell Chapter
- Remember, you need to read it BEFORE you come to class!
- Homework problems available on the course webpage
More informationTechnological foundation
Technological foundation Carte à puce et Java Card 2010-2011 Jean-Louis Lanet Jean-louis.lanet@unilim.fr Cryptology Authentication Secure upload Agenda Cryptology Cryptography / Cryptanalysis, Smart Cards
More informationIntroduction to Public-Key Cryptography
Introduction to Public-Key Cryptography Nadia Heninger University of Pennsylvania June 11, 2018 We stand today on the brink of a revolution in cryptography. Diffie and Hellman, 1976 Symmetric cryptography
More informationComputer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 10r. Recitation assignment & concept review Paul Krzyzanowski Rutgers University Spring 2018 April 3, 2018 CS 419 2018 Paul Krzyzanowski 1 1. What is a necessary condition for perfect
More informationCryptographically Secure Bloom-Filters
131 139 Cryptographically Secure Bloom-Filters Ryo Nojima, Youki Kadobayashi National Institute of Information and Communications Technology (NICT), 4-2-1 Nukuikitamachi, Koganei, Tokyo, 184-8795, Japan.
More informationWhite-box Cryptomania
White-box Cryptomania Pascal Paillier CryptoExperts ECRYPT NET Workshop on Crypto for the Cloud & Implementation Paris, June 27-28 2017 Overview 1 What is white-box crypto? 2 White-box compilers for signatures
More informationAttribute-based encryption with encryption and decryption outsourcing
Edith Cowan University Research Online Australian Information Security Management Conference Conferences, Symposia and Campus Events 2014 Attribute-based encryption with encryption and decryption outsourcing
More informationIf DDH is secure then ElGamal is also secure w.r.t IND-CPA
CS 6903 Modern Cryptography May 5th, 2011 Lecture 12 Instructor:Nitesh Saxena Recap of the previous lecture Scribe:Orcun Berkem, Turki Turki, Preetham Deshikachar Shrinivas The ElGamal encryption scheme
More informationApplied cryptography
Applied cryptography Electronic Cash Andreas Hülsing 29 November 2016 1 / 61 Classical Cash - Life Cycle Mint produces money (coins / bank notes) Sent to bank User withdraws money (reduces account balance)
More informationNotes for Lecture 21. From One-Time Signatures to Fully Secure Signatures
U.C. Berkeley CS276: Cryptography Handout N21 Luca Trevisan April 7, 2009 Notes for Lecture 21 Scribed by Anand Bhaskar, posted May 1, 2009 Summary Today we show how to construct an inefficient (but efficiently
More informationAppendix A: Introduction to cryptographic algorithms and protocols
Security and Cooperation in Wireless Networks http://secowinet.epfl.ch/ Appendix A: Introduction to cryptographic algorithms and protocols 2007 Levente Buttyán and Jean-Pierre Hubaux symmetric and asymmetric
More informationHomework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.
Homework 2: Symmetric Crypto February 17, 2015 Submission policy. information: This assignment MUST be submitted as a PDF via websubmit and MUST include the following 1. List of collaborators 2. List of
More informationSolutions to exam in Cryptography December 17, 2013
CHALMERS TEKNISKA HÖGSKOLA Datavetenskap Daniel Hedin DIT250/TDA351 Solutions to exam in Cryptography December 17, 2013 Hash functions 1. A cryptographic hash function is a deterministic function that
More informationDigital Signatures 1
Digital Signatures 1 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants of the ElGamal Signature Scheme The Digital Signature Algorithm
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.
CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment. Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How
More informationPublic-Key Cryptography
Computer Security Spring 2008 Public-Key Cryptography Aggelos Kiayias University of Connecticut A paradox Classic cryptography (ciphers etc.) Alice and Bob share a short private key using a secure channel.
More informationProofs for Key Establishment Protocols
Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish
More informationPublic-Key Encryption
Public-Key Encryption Glorianna Jagfeld & Rahiel Kasim University of Amsterdam 10 March 2016 Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March 2016 1 / 24 Warmup: crossword puzzle! Please
More informationCryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39
Cryptography 2017 Lecture 4 Attacks against Block Ciphers Introduction to Public Key Cryptography November 14, 2017 1 / 39 What have seen? What are we discussing today? What is coming later? Lecture 3
More informationISA 562: Information Security, Theory and Practice. Lecture 1
ISA 562: Information Security, Theory and Practice Lecture 1 1 Encryption schemes 1.1 The semantics of an encryption scheme. A symmetric key encryption scheme allows two parties that share a secret key
More informationInformation Security CS526
Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for
More informationALIKE: Authenticated Lightweight Key Exchange. Sandrine Agagliate, GEMALTO Security Labs
ALIKE: Authenticated Lightweight Key Exchange Sandrine Agagliate, GEMALTO Security Labs Outline: Context Description of ALIKE Generic description Full specification Security properties Chip Unforgeability
More informationAPPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1
APPLICATIONS AND PROTOCOLS Mihir Bellare UCSD 1 Some applications and protocols Internet Casino Commitment Shared coin flips Threshold cryptography Forward security Program obfuscation Zero-knowledge Certified
More informationWhat Can Be Proved About Security?
What Can Be Proved About Security? Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in Centre for Artificial Intelligence and Robotics Bengaluru 23 rd
More informationCS 395T. Formal Model for Secure Key Exchange
CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,
More informationCSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring 2018 5 and 6 February 2018 Identification schemes are mechanisms for Alice to prove her identity to Bob They comprise a setup
More informationLecture 15: Public Key Encryption: I
CSE 594 : Modern Cryptography 03/28/2017 Lecture 15: Public Key Encryption: I Instructor: Omkant Pandey Scribe: Arun Ramachandran, Parkavi Sundaresan 1 Setting In Public-key Encryption (PKE), key used
More informationDigital Signature. Raj Jain
Digital Signature Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/
More informationIntroduction to Cryptography Lecture 7
Introduction to Cryptography Lecture 7 El Gamal Encryption RSA Encryption Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing
More informationDistributed ID-based Signature Using Tamper-Resistant Module
, pp.13-18 http://dx.doi.org/10.14257/astl.2013.29.03 Distributed ID-based Signature Using Tamper-Resistant Module Shinsaku Kiyomoto, Tsukasa Ishiguro, and Yutaka Miyake KDDI R & D Laboratories Inc., 2-1-15,
More information