More crypto and security
|
|
- Tyler Waters
- 5 years ago
- Views:
Transcription
1 More crypto and security CSE 199, Projects/Research Individual enrollment Projects / research, individual or small group Implementation or theoretical Weekly one-on-one meetings, no lectures Course grade based on project report and presentation Mihir Bellare UCSD 1
2 More crypto and security CSE 207 Graduate introduction to cryptography Focus on provable-security Material overlaps with 107 but changes in focus as above Mihir Bellare UCSD 2
3 Security courses CSE 127, Savage / Shacham Undergraduate introduction to security Systems issues CSE 227, Savage/Shacham Graduate introduction to security Mihir Bellare UCSD 3
4 Advanced courses CSE 208 is a Topics course whose content varies from year to year. Some past topics: Program obfuscation Pairing-based cryptography Lattices in cryptography Zero-knowledge Electronic payments Mihir Bellare UCSD 4
5 Grad school? MS: 2 years PhD: 5+ years, research-orientated You can consider a PhD if you enjoy research: solving new problems, exploring the unknown. An MS is to gain expertise. Mihir Bellare UCSD 5
6 PhD application process Applications for Fall due in previous winter PhD students are usually fully funded through fellowships, RA-ships and TA-ships. Admission to top schools is very competitive but there are niche schools that are excellent in specific areas To get admitted to a good program you need a high GPA, strong recommendation letters and a convincing statement of purpose. Best of all: accomplished research! Mihir Bellare UCSD 6
7 APPLICATIONS AND PROTOCOLS Mihir Bellare UCSD 7
8 Some applications and protocols Internet Casino Commitment Shared coin flips Threshold cryptography Forward security Program obfuscation Zero-knowledge Certified Electronic voting Auctions Identity-based encryption Functional encryption Fully-homomorphic encryption Searchable encryption Oblivious transfer Garbling schemes Secure computation Group signatures Aggregate signatures Mihir Bellare UCSD 8
9 Internet Casino: Protocol G1 Player Casino $1, G T, d T $ {1, 2,..., 100} if G = T then d $200 else d $0 Would you play? Expected value of d is $200( ) = $2 > $1 so probability theory says that the player will earn money by playing. Mihir Bellare UCSD 9
10 Problem: Casino can cheat Player $1, G T, d Casino T $ {1, 2,..., 100}\{G} d $0 Mihir Bellare UCSD 10
11 Internet Casino: Protocol G2 Player $1 Casino T G d T $ {1, 2,..., 100} if G = T then d $200 else d $0 But now player can always win by setting G = T. No casino would do this! Mihir Bellare UCSD 11
12 Internet Casino problem Player and Casino need to exchange G, T so that Casino cannot choose T as a function of G. Player cannot choose G as a function of T. How do we resolve this Catch-22 situation? Mihir Bellare UCSD 12
13 Internet Casino: Protocol G3 Player $1, T G Casino T $ {1, 2,..., 100} d G G if G = T then d $200 else d $0 is a locked safe containing a piece of paper with G written on it. is a key to open the safe. Mihir Bellare UCSD 13
14 Internet Casino: Protocol G3 Player $1, T G Casino T $ {1, 2,..., 100} d G G if G = T then d $200 else d $0 Casino cannot choose T as a function of G because, without the key, it cannot see G. Player cannot choose G as a function of T because, by putting it in the safe, she is committed to it in the first move. Mihir Bellare UCSD 14
15 Internet Casino Protocol using cryptography Player K $ {0, 1} 128 C H(K G) C T Casino T $ {1, 2,..., 100} G, K d if (H(K G) = C and G =T ) then d $99 else d $0 Here H is a cryptographic hash function. More generally one can use a primitive called a committment scheme. Mihir Bellare UCSD 15
16 Commitment Schemes A commitment scheme CS = (P, C, V) is a triple of algorithms P π M C C K V 0/1 Parameter generation algorithm P is run once by a trusted party to produce public parameters π. In Internet Casino M Data being commited G C K Commital Decommital key Mihir Bellare UCSD 16
17 Security properties Hiding: A commital C generated via (C, K) $ C(π, M) should not reveal information about M. = C does not reveal M. Binding: It should be hard to find C, M 0, M 1, K 0, K 1 such that M 0 M 1 but V(π, C, M 0, K 0 ) = V(π, C, M 1, K 1 ) = 1. K 0 C M 0 K 1 C M 1 Mihir Bellare UCSD 17
18 Internet Casino Protocol using a commitment scheme Player (C, K) $ C(π, G) C T Casino T $ {1, 2,..., 100} G, K d if (V(π, C, G, K) = 1 and G =T ) then d $99 else d $0 Mihir Bellare UCSD 18
19 Hiding Formally Let CS = (P, C, V) be a commitment scheme and A an adversary. Game HIDE CS procedure Initialize π $ P; b $ {0, 1} return π procedure LR(M 0, M 1 ) (C, K) $ C(π, M b ) return C procedure Finalize(b ) return (b = b ) The hiding-advantage of A is [ ] Adv hide CS (A) = 2 Pr HIDE A CS true 1. Mihir Bellare UCSD 19
20 Binding Formally Let CS = (P, C, V) be a commitment scheme and A an adversary. Game BIND CS procedure Initialize π $ P return π procedure Finalize(C, M 0, M 1, K 0, K 1 ) v 0 V(π, C, M 0, K 0 ) v 1 V(π, C, M 1, K 1 ) return (v 0 = v 1 = 1 and M 0 M 1 ) The binding-advantage of A is [ ] Adv bind CS (A) = Pr BIND A CS true. Mihir Bellare UCSD 20
21 Commitment from symmetric encryption Let SE = (K, E, D) be an IND-CPA-secure symmetric encryption scheme and let CS = (P, C, V) be the commitment scheme where P returns π = ε and Alg C(π, M) K $ K; C $ E K (M) return (C, K) Alg V(π, C, M, K) if D K (C) = M then return 1 else return 0 Is this secure? Mihir Bellare UCSD 21
22 Commitment from symmetric encryption Let SE = (K, E, D) be an IND-CPA-secure symmetric encryption scheme and let CS = (P, C, V) be the commitment scheme where P returns π = ε and Alg C(π, M) K $ K; C $ E K (M) return (C, K) Alg V(π, C, M, K) if D K (C) = M then return 1 else return 0 Is this secure? It is certainly hiding. But need not be binding: it may be possible to find C, M 0, M 1, K 0, K 1 such that D K0 (C) = M 0 and D K1 (C) = M 1 For example this is easy when SE is CBC$ encryption. Mihir Bellare UCSD 22
23 Commitment from public key encryption Let AE = (K, E, D) be an IND-CPA-secure asymmetric encryption scheme and let CS = (P, C, V) be the commitment scheme where Alg P (pk, sk) $ K π pk return π Alg C(pk, M) K $ {0, 1} k C E pk (M; K) return (C, K) Alg V(pk, C, M, K) if E pk (M; K) = C then return 1 else return 0 E pk (M; K) means encryption of M with coins K. Mihir Bellare UCSD 23
24 Commitment from public key encryption Let AE = (K, E, D) be an IND-CPA-secure asymmetric encryption scheme and let CS = (P, C, V) be the commitment scheme where Alg P (pk, sk) $ K π pk return π Alg C(pk, M) K $ {0, 1} k C E pk (M; K) return (C, K) Alg V(pk, C, M, K) if E pk (M; K) = C then return 1 else return 0 E pk (M; K) means encryption of M with coins K. Certainly hiding. Binding too since C has only one decryption relative to pk, namely M = D sk (C). Mihir Bellare UCSD 24
25 Commitment from hashing Let H be a hash function and CS = (P, C, V) the commitment scheme where P returns π = ε and Alg C(π, M) C H(M); K M return (C, K) Alg V(π, C, M, K) return (C = H(M) and M = K) This is Mihir Bellare UCSD 25
26 Commitment from hashing Let H be a hash function and CS = (P, C, V) the commitment scheme where P returns π = ε and Alg C(π, M) C H(M); K M return (C, K) Alg V(π, C, M, K) return (C = H(M) and M = K) This is Binding if H is collision-resistant. But not hiding. For example in the Internet Casino M = G {1,..., 100} so given C = H(M) the casino can recover M via for i = 1,..., 100 do if H(i) = C then return i Mihir Bellare UCSD 26
27 Commitment from hashing A better scheme is CS = (P, C, V) where P returns π = ε and Alg C(π, M) K $ {0, 1} 128 C H(K M) return (C, K) Alg V H (π, C, M, K) return (H(K M) = C) Mihir Bellare UCSD 27
28 Commitment schemes usage Commitment schemes are very broadly and widely used across all kinds of protocol design and in particular to construct zero-knowledge proofs. Mihir Bellare UCSD 28
29 Flipping a common coin Alice and Bob are getting divorced They want to decide who keeps the Lexus They aggree to flip a coin, but Alice is in NY and Bob is in LA Protocol CF1: Alice Bob c $ {0, 1} c Mihir Bellare UCSD 29
30 Flipping a common coin Alice and Bob are getting divorced They want to decide who keeps the Lexus They aggree to flip a coin, but Alice is in NY and Bob is in LA Protocol CF1: Alice Bob c $ {0, 1} c Bob is not too smart but he doesn t like it... Can you help them out? Mihir Bellare UCSD 30
31 Protocol CF2 Let CS = (P, C, V) be a commitment scheme. Alice Bob a $ {0, 1} (C, K) $ C(π, a) C b $ {0, 1} b a, K if V(π, C, a, K) = 1 then c a b c a b else c c is the common coin. Neither party can control it. Mihir Bellare UCSD 31
32 Protocol CF3: Concrete instantiation of CF2 Alice Bob a $ {0, 1} ; K $ {0, 1} 128 C H(K a) C b $ {0, 1} b a, K if H(K a) = C then c a b c a b else c c is the common coin. Neither party can control it. H is a cryptographic hash function. Mihir Bellare UCSD 32
33 Secure summation Suppose we have n parties 1,..., n Party i has an integer x i The parties want to know the value of f (x 1,.., x n ) = x x n Mihir Bellare UCSD 33
34 Secure summation Suppose we have n parties 1,..., n Party i has an integer x i The parties want to know the value of f (x 1,.., x n ) = x x n Easy: Let Party i send x i to party 1 (2 i n) Party 1 computes f (x 1,.., x n ) = x x n and broadcasts it Mihir Bellare UCSD 34
35 Secure summation Suppose we have n parties 1,..., n Party i has an integer x i The parties want to know the value of f (x 1,.., x n ) = x x n Easy: Let Party i send x i to party 1 (2 i n) Party 1 computes f (x 1,.., x n ) = x x n and broadcasts it What they don t like about this: Party 1 now knows everyone s values Privacy constraint: Party i does not wish to reveal x i Mihir Bellare UCSD 35
36 Secure summation Party i has input x i (1 i n). The parties want to know f (x 1,.., x n ) = x x n but do not want to reveal their inputs in the process. Scenarios: x i = score of student i on midterm exam x i = salary of employee i x i {0, 1} = vote of voter i on proposition X on ballot Mihir Bellare UCSD 36
37 The model and goal Parties i, j are connected via a secure channel (1 i, j n). Privacy and authenticity of messages sent over channel are guaranteed. The parties will exchange messages to arrive at f (x 1,..., x n ). If i j then, at the end of the protocol, party i should not know x j. For example you, as player i, enter x i into some app on your cellphone which then communicates with the cellphones of the other parties. At the end, the sum shows up on your screen. Take your phone apart and examine all memory contents and you still will not discover x j for j i. Mihir Bellare UCSD 37
38 Setup for secure communication protocol Let N be such that x 1,..., x n Z N = {0,..., N 1}. Let M = nn. Let S denote x x n. We will compute S mod M, which is just S since x x n n(n 1) < M Mihir Bellare UCSD 38
39 Protocol step 1: secret sharing For i = 1,..., n party i Picks x i,1,..., x i,n Z M at random subject to x i, x i,n x i (mod M) Sends x i,j to party j over secure channel (1 j n) x 1,1 x 1,2 x 1,3 x 1,4 x 2,1 x 2,2 x 2,3 x 2,4 x 3,1 x 3,2 x 3,3 x 3,4 x 4,1 x 4,2 x 4,3 x 4,4 x 1 x 2 x 3 x 4 Observation: x i,j is a random number unrelated to x i so party j has no information about x i (i j) Mihir Bellare UCSD 39
40 Protocol step 2,3: Column sums and conclusion x 1,1 x 1,2 x 1,3 x 1,4 x 2,1 x 2,2 x 2,3 x 2,4 x 3,1 x 3,2 x 3,3 x 3,4 x 4,1 x 4,2 x 4,3 x 4,4 C 1 C 2 C 3 C 4 x 1 x 2 x 3 x 4 For j = 1,..., n party j Computes C j = (x 1,j + x 2,j x n,j ) mod M Sends C j to party i (1 i n) Observation: S (C C n ) (mod M). So each party can compute S (C C n ) mod M Mihir Bellare UCSD 40
41 Security of the protocol x 1,1 x 1,2 x 1,3 x 1,4 x 2,1 x 2,2 x 2,3 x 2,4 x 3,1 x 3,2 x 3,3 x 3,4 x 4,1 x 4,2 x 4,3 x 4,4 c 1 c 2 c 3 c 4 x 1 x 2 x 3 x 4 At end of protocol, party 1 knows (1) x 1, and the first-row entries of the matrix (2) the sum S = x 1 + x 2 + x 3 + x 4 (3) c 1, c 2, c 3, c 4 (4) the first column entries x 1,1, x 2,1, x 3,1, x 4,1. Claims: Party 1 learn nothing about x 4 Even if parties 1, 2 pool their information, they learn nothing about x 4... Mihir Bellare UCSD 41
42 Secure summation project Project: Analyze and prove secure the summation protocol: (1) Give a game based definition of privacy (2) Prove that the protocol meets it. Mihir Bellare UCSD 42
43 Secure Computation Parties 1,..., n Party i has private input x i They want to compute f (x 1,..., x n ) Fact: For any function f, there is a n/2 - private protocol to compute it. A protocol is t-private if any t parties, getting together, cannot figure out anything about the input of the other parties other than implied by the value of f (x 1,..., x n ). The protocol views f as a circuit (program) and computes it gate (instruction) by gate (instruction). Enormous body of research. Mihir Bellare UCSD 43
44 Zero-Knowledge Proofs [GMR] A zero-knowledge (ZK) proof allows you to Convince Bob your claim is true Without revealing anything beyond that For example: You claim to have Bob is What is not revealed A solution to the homework Another student The solution problem The password for this account The server The password A proof that P NP The Clay Institute The proof Mihir Bellare UCSD 44
APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1
APPLICATIONS AND PROTOCOLS Mihir Bellare UCSD 1 Some applications and protocols Internet Casino Commitment Shared coin flips Threshold cryptography Forward security Program obfuscation Zero-knowledge Certified
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationComputer Security CS 426 Lecture 35. CS426 Fall 2010/Lecture 35 1
Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs 1 Readings for This Lecture Optional: Haveli and Micali: Practical and Privably-Secure Commitment Schemes from Collision-Free Hashing
More informationCrypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))
Introduction (Mihir Bellare Text/Notes: http://cseweb.ucsd.edu/users/mihir/cse207/) Cryptography provides: Data Privacy Data Integrity and Authenticity Crypto-systems all around us ATM machines Remote
More informationCS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong
CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationLecture 10, Zero Knowledge Proofs, Secure Computation
CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last
More informationHomework 2 CS161 Computer Security, Spring 2008 Assigned 2/13/08 Due 2/25/08
Homework 2 CS161 Computer Security, Spring 2008 Assigned 2/13/08 Due 2/25/08 1. Signatures and Attacks Recall that to use the ElGamal signature scheme, Alice randomly selects her private signing key x
More informationIntroduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell
Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering
More informationNotes for Lecture 24
U.C. Berkeley CS276: Cryptography Handout N24 Luca Trevisan April 21, 2009 Notes for Lecture 24 Scribed by Milosh Drezgich, posted May 11, 2009 Summary Today we introduce the notion of zero knowledge proof
More informationSecure Multiparty Computation
CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationCPSC 467b: Cryptography and Computer Security
Outline ZKIP Other IP CPSC 467b: Cryptography and Computer Security Lecture 19 Michael J. Fischer Department of Computer Science Yale University March 31, 2010 Michael J. Fischer CPSC 467b, Lecture 19
More informationFoundations of Cryptography CS Shweta Agrawal
Foundations of Cryptography CS 6111 Shweta Agrawal Course Information 4-5 homeworks (20% total) A midsem (25%) A major (35%) A project (20%) Attendance required as per institute policy Challenge questions
More informationStudy Guide for the Final Exam
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Handout #22 Professor M. J. Fischer April 30, 2005 1 Exam Coverage Study Guide for the Final Exam The final
More informationCS 161 Computer Security
Raluca Popa Spring 2018 CS 161 Computer Security Homework 2 Due: Wednesday, February 14, at 11:59pm Instructions. This homework is due Wednesday, February 14, at 11:59pm. No late homeworks will be accepted.
More informationCS Computer Networks 1: Authentication
CS 3251- Computer Networks 1: Authentication Professor Patrick Traynor 4/14/11 Lecture 25 Announcements Homework 3 is due next class. Submit via T-Square or in person. Project 3 has been graded. Scores
More informationNotes for Lecture 14
COS 533: Advanced Cryptography Lecture 14 (November 6, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Fermi Ma Notes for Lecture 14 1 Applications of Pairings 1.1 Recap Consider a bilinear e
More informationE-cash. Cryptography. Professor: Marius Zimand. e-cash. Benefits of cash: anonymous. difficult to copy. divisible (you can get change)
Cryptography E-cash Professor: Marius Zimand e-cash Benefits of cash: anonymous difficult to copy divisible (you can get change) easily transferable There are several protocols for e-cash. We will discuss
More informationLecture 7 - Applied Cryptography
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Lecture 7 - Applied Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger
More informationCSE 127: Computer Security Cryptography. Kirill Levchenko
CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified
More informationCrypto Background & Concepts SGX Software Attestation
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 4b Slide deck extracted from Kamran s tutorial on SGX, presented during ECE 6095 Spring 2017 on Secure Computation and Storage, a precursor to this course
More informationInformation Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1
Information Security message M one-way hash fingerprint f = H(M) 4/19/2006 Information Security 1 Outline and Reading Digital signatures Definition RSA signature and verification One-way hash functions
More informationIdentification Schemes
Identification Schemes Lecture Outline Identification schemes passwords one-time passwords challenge-response zero knowledge proof protocols Authentication Data source authentication (message authentication):
More informationINSE 6110 Midterm LAST NAME FIRST NAME. Fall 2016 Duration: 80 minutes ID NUMBER. QUESTION Total GRADE. Notes:
A INSE 6110 Midterm Fall 2016 Duration: 80 minutes LAST NAME FIRST NAME ID NUMBER QUESTION 1 2 3 4 Total GRADE Notes: 1) Calculator (non-programming) allowed, nothing else permitted 2) Each page contains
More informationCryptography. Andreas Hülsing. 6 September 2016
Cryptography Andreas Hülsing 6 September 2016 1 / 21 Announcements Homepage: http: //www.hyperelliptic.org/tanja/teaching/crypto16/ Lecture is recorded First row might be on recordings. Anything organizational:
More informationCS 161 Computer Security
Popa & Wagner Spring 2016 CS 161 Computer Security Midterm 2 Problem 1 True or False (10 points) Circle True or False. Do not justify your answer. (a) True or False : It is safe (IND-CPA-secure) to encrypt
More informationCS 161 Computer Security
Popa & Wagner Spring 2016 CS 161 Computer Security Midterm 2 Print your name:, (last) (first) I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that academic misconduct will be
More informationAn Overview of Secure Multiparty Computation
An Overview of Secure Multiparty Computation T. E. Bjørstad The Selmer Center Department of Informatics University of Bergen Norway Prøveforelesning for PhD-graden 2010-02-11 Outline Background 1 Background
More information9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng Basic concepts in cryptography systems Secret cryptography Public cryptography 1 2 Encryption/Decryption Cryptanalysis
More informationOverview of Cryptography
18739A: Foundations of Security and Privacy Overview of Cryptography Anupam Datta CMU Fall 2007-08 Is Cryptography A tremendous tool The basis for many security mechanisms Is not The solution to all security
More informationRemote E-Voting System
Remote E-Voting System Crypto2-Spring 2013 Benjamin Kaiser Jacob Shedd Jeremy White Phases Initialization Registration Voting Verifying Activities Trusted Authority (TA) distributes 4 keys to Registrar,
More informationUNIT - IV Cryptographic Hash Function 31.1
UNIT - IV Cryptographic Hash Function 31.1 31-11 SECURITY SERVICES Network security can provide five services. Four of these services are related to the message exchanged using the network. The fifth service
More informationCryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Outline Basic concepts in cryptography systems Secret key cryptography Public key cryptography Hash functions 2 Encryption/Decryption
More informationSymmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University
Symmetric-Key Cryptography Part 1 Tom Shrimpton Portland State University Building a privacy-providing primitive I want my communication with Bob to be private -- Alice What kind of communication? SMS?
More information1 A Tale of Two Lovers
CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Dec. 12, 2006 Lecture Notes 19 (expanded): Secure Two-Party Computation Recommended Reading. Goldreich Volume II 7.2.2, 7.3.2, 7.3.3.
More informationIntroduction to Cryptography. Lecture 6
Introduction to Cryptography Lecture 6 Benny Pinkas page 1 1 Data Integrity, Message Authentication Risk: an active adversary might change messages exchanged between Alice and Bob M Alice M M M Bob Eve
More informationSecure Multiparty Computation
Secure Multiparty Computation Li Xiong CS573 Data Privacy and Security Outline Secure multiparty computation Problem and security definitions Basic cryptographic tools and general constructions Yao s Millionnare
More informationDawn Song
1 Secret-Sharing & Zero-knowledge Proof Dawn Song dawnsong@cs.berkeley.edu Review DH key exchange protocol Password authentication protocol Random number generation 2 Lessons Learned Seeds must be unpredictable
More informationICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification
ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification Hossen Asiful Mustafa Introduction Entity Authentication is a technique designed to let one party prove the identity of another
More informationMTAT Cryptology II. Commitment Schemes. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Commitment Schemes Sven Laur University of Tartu Formal Syntax m M 0 (c,d) Com pk (m) pk Canonical use case Gen c d pk m Open pk (c,d) A randomised key generation algorithm Gen
More informationFair exchange and non-repudiation protocols
Fair exchange and non-repudiation protocols Levente Buttyán Laboratory of Cryptography and System Security (CrySyS) Budapest University of Technology and Economics buttyan@crysys.hu 2010 Levente Buttyán
More informationCryptography. and Network Security. Lecture 0. Manoj Prabhakaran. IIT Bombay
Cryptography and Network Security Lecture 0 Manoj Prabhakaran IIT Bombay Security In this course: Cryptography as used in network security Humans, Societies, The World Network Hardware OS Libraries Programs
More informationBrief Introduction to Provable Security
Brief Introduction to Provable Security Michel Abdalla Département d Informatique, École normale supérieure michel.abdalla@ens.fr http://www.di.ens.fr/users/mabdalla 1 Introduction The primary goal of
More informationSecure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)
Secure Multiparty Computation: Introduction Ran Cohen (Tel Aviv University) Scenario 1: Private Dating Alice and Bob meet at a pub If both of them want to date together they will find out If Alice doesn
More informationCryptographic Hash Functions
ECE458 Winter 2013 Cryptographic Hash Functions Dan Boneh (Mods by Vijay Ganesh) Previous Lectures: What we have covered so far in cryptography! One-time Pad! Definition of perfect security! Block and
More informationElements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy
Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 2 Due: Friday, 10/28/2016 at 11:55pm PT Will be posted on
More informationCryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44
Cryptography Today Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 About the Course Regular classes with worksheets so you can work with some concrete examples (every Friday at 1pm).
More informationCryptographic hash functions and MACs
Cryptographic hash functions and MACs Myrto Arapinis School of Informatics University of Edinburgh October 05, 2017 1 / 21 Introduction Encryption confidentiality against eavesdropping 2 / 21 Introduction
More informationSecurity of Cryptosystems
Security of Cryptosystems Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Symmetric key cryptosystem m M 0 c Enc sk (m) sk Gen c sk m Dec sk (c) A randomised key generation algorithm outputs
More informationCS3235 Seventh set of lecture slides
CS3235 Seventh set of lecture slides Hugh Anderson National University of Singapore School of Computing October, 2007 Hugh Anderson CS3235 Seventh set of lecture slides 1 Warp 9... Outline 1 Public Key
More informationComputer Security Spring 2010 Paxson/Wagner HW 4. Due Thursday April 15, 5:00pm
CS 161 Computer Security Spring 2010 Paxson/Wagner HW 4 Due Thursday April 15, 5:00pm Instructions: Submit your solution by Thursday, April 15, 5:00pm electronically. Write up your answers in either PDF
More informationSecure Multi-Party Computation. Lecture 13
Secure Multi-Party Computation Lecture 13 Must We Trust? Can we have an auction without an auctioneer?! Declared winning bid should be correct Only the winner and winning bid should be revealed Using data
More informationCS408 Cryptography & Internet Security
CS408 Cryptography & Internet Security Lectures 16, 17: Security of RSA El Gamal Cryptosystem Announcement Final exam will be on May 11, 2015 between 11:30am 2:00pm in FMH 319 http://www.njit.edu/registrar/exams/finalexams.php
More informationOther Topics in Cryptography. Truong Tuan Anh
Other Topics in Cryptography Truong Tuan Anh 2 Outline Public-key cryptosystem Cryptographic hash functions Signature schemes Public-Key Cryptography Truong Tuan Anh CSE-HCMUT 4 Outline Public-key cryptosystem
More informationYuval Ishai Technion
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Yuval Ishai Technion 1 Zero-knowledge proofs for NP [GMR85,GMW86] Bar-Ilan University Computational MPC with no honest
More informationIntroduction to Cryptology ENEE 459E/CMSC 498R. Lecture 1 1/26/2017
Introduction to Cryptology ENEE 459E/CMSC 498R Lecture 1 1/26/2017 Syllabus Highlights Best way to contact me is via email: danadach@ece.umd.edu My office hours; Thurs 3:00-4:00pm, Friday, 12:00-1pm in
More informationIntroduction to Cryptography in Blockchain Technology. December 23, 2018
Introduction to Cryptography in Blockchain Technology December 23, 2018 What is cryptography? The practice of developing protocols that prevent third parties from viewing private data. Modern cryptography
More informationINDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator
INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( End Semester ) SEMESTER ( Spring ) Roll Number Section Name Subject Number C S 6 0 0 8 8 Subject Name Foundations
More informationCryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III
Cryptography III Public-Key Cryptography Digital Signatures 2/1/18 Cryptography III 1 Public Key Cryptography 2/1/18 Cryptography III 2 Key pair Public key: shared with everyone Secret key: kept secret,
More informationCSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography Outline 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 1: Overview What is Cryptography? Cryptography is the study of
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor Identification (User Authentication) Fiat-Shamir Scheme Lecture 12 Tel-Aviv University 4 January 2010 Model and Major Issues Alice wishes to prove to Bob
More informationOutline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography 1. Introduction 2. RSA Outline 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More informationCryptography: More Primitives
Design and Analysis of Algorithms May 8, 2015 Massachusetts Institute of Technology 6.046J/18.410J Profs. Erik Demaine, Srini Devadas and Nancy Lynch Recitation 11 Cryptography: More Primitives 1 Digital
More informationBitcoin, Security for Cloud & Big Data
Bitcoin, Security for Cloud & Big Data CS 161: Computer Security Prof. David Wagner April 18, 2013 Bitcoin Public, distributed, peer-to-peer, hash-chained audit log of all transactions ( block chain ).
More information1 Identification protocols
ISA 562: Information Security, Theory and Practice Lecture 4 1 Identification protocols Now that we know how to authenticate messages using MACs, a natural question is, how can we use MACs to prove that
More informationCryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu
More informationLecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422
Lecture 18 Message Integrity Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422 Cryptography is the study/practice of techniques for secure communication,
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 4, 2017 CPSC 467, Lecture 11 1/39 ElGamal Cryptosystem Message Integrity and Authenticity Message authentication codes
More informationCSE484 Final Study Guide
CSE484 Final Study Guide Winter 2013 NOTE: This study guide presents a list of ideas and topics that the TAs find useful to know, and may not represent all the topics that could appear on the final exam.
More informationECEN 5022 Cryptography
Introduction University of Colorado Spring 2008 Historically, cryptography is the science and study of secret writing (Greek: kryptos = hidden, graphein = to write). Modern cryptography also includes such
More informationDigital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2
Digital Signatures KG November 3, 2017 Contents 1 Introduction 1 2 Digital Signatures 2 3 Hash Functions 3 3.1 Attacks.................................... 4 3.2 Compression Functions............................
More informationSolution to Problem Set 8
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Handout #24 Felipe Saint-Jean and Michael Fischer December 13, 2005 Solution to Problem Set 8 In the problems
More informationOutline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)
Outline AIT 682: Network and Systems Security 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard Topic 5.2 Public Key Cryptography Instructor: Dr. Kun Sun 2 Public Key
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Michael J. Fischer Lecture 4 September 11, 2017 CPSC 467, Lecture 4 1/23 Analyzing Confidentiality of Cryptosystems Secret ballot elections Information protection Adversaries
More informationDistributed ID-based Signature Using Tamper-Resistant Module
, pp.13-18 http://dx.doi.org/10.14257/astl.2013.29.03 Distributed ID-based Signature Using Tamper-Resistant Module Shinsaku Kiyomoto, Tsukasa Ishiguro, and Yutaka Miyake KDDI R & D Laboratories Inc., 2-1-15,
More informationPublic-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7
Public-Key Cryptography Professor Yanmin Gong Week 3: Sep. 7 Outline Key exchange and Diffie-Hellman protocol Mathematical backgrounds for modular arithmetic RSA Digital Signatures Key management Problem:
More informationDigital Signatures. Cole Watson
Digital Signatures Cole Watson Opening Activity Dr. Cusack owns a lockbox, padlock, and keys. The padlock is private and unique to him. The keys are public and they can only open Dr. Cusack s lockbox.
More informationSecuring Distributed Computation via Trusted Quorums. Yan Michalevsky, Valeria Nikolaenko, Dan Boneh
Securing Distributed Computation via Trusted Quorums Yan Michalevsky, Valeria Nikolaenko, Dan Boneh Setting Distributed computation over data contributed by users Communication through a central party
More informationCSC 5930/9010 Modern Cryptography: Digital Signatures
CSC 5930/9010 Modern Cryptography: Digital Signatures Professor Henry Carter Fall 2018 Recap Implemented public key schemes in practice commonly encapsulate a symmetric key for the rest of encryption KEM/DEM
More informationUses of Cryptography
Uses of Cryptography What can we use cryptography for? Lots of things Secrecy Authentication Prevention of alteration Page 1 Cryptography and Secrecy Pretty obvious Only those knowing the proper keys can
More informationComputational Security, Stream and Block Cipher Functions
Computational Security, Stream and Block Cipher Functions 18 March 2019 Lecture 3 Most Slides Credits: Steve Zdancewic (UPenn) 18 March 2019 SE 425: Communication and Information Security 1 Topics for
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationBasic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline
CSC/ECE 574 Computer and Network Security Topic 2. Introduction to Cryptography 1 Outline Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues 2 Basic Concepts and Definitions
More informationHOST Cryptography I ECE 525. Cryptography Handbook of Applied Cryptography &
Cryptography Handbook of Applied Cryptography & http://cseweb.ucsd.edu/users/mihir/cse207/ Brief History: Proliferation of computers and communication systems in 1960s brought with it a demand to protect
More informationZero Knowledge Protocol
Akash Patel (SJSU) Zero Knowledge Protocol Zero knowledge proof or protocol is method in which a party A can prove that given statement X is certainly true to party B without revealing any additional information
More informationGoals of Modern Cryptography
Goals of Modern Cryptography Providing information security: Data Privacy Data Integrity and Authenticity in various computational settings. Data Privacy M Alice Bob The goal is to ensure that the adversary
More informationISA 562: Information Security, Theory and Practice. Lecture 1
ISA 562: Information Security, Theory and Practice Lecture 1 1 Encryption schemes 1.1 The semantics of an encryption scheme. A symmetric key encryption scheme allows two parties that share a secret key
More informationNature Sunday Academy Lesson Plan
Title Computer Security Description: Nature Sunday Academy Lesson Plan 2013-14 The objective of the lesson plan aims to help students to understand the general goals of security, the essential concerns
More informationPrivacy Enhancing Technologies CSE 701 Fall 2017
Privacy Enhancing Technologies Lecture 2: Anonymity Applications Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Anonymous communication mixes, anonymizing proxies,
More informationCS61A Lecture #39: Cryptography
Announcements: CS61A Lecture #39: Cryptography Homework 13 is up: due Monday. Homework 14 will be judging the contest. HKN surveys on Friday: 7.5 bonus points for filling out their survey on Friday (yes,
More informationHomework 3: Solution
Homework 3: Solution March 28, 2013 Thanks to Sachin Vasant and Xianrui Meng for contributing their solutions. Exercise 1 We construct an adversary A + that does the following to win the CPA game: 1. Select
More informationHomework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.
Homework 2: Symmetric Crypto February 17, 2015 Submission policy. information: This assignment MUST be submitted as a PDF via websubmit and MUST include the following 1. List of collaborators 2. List of
More information===============================================================================
We have looked at how to use public key crypto (mixed with just the right amount of trust) for a website to authenticate itself to a user's browser. What about when Alice needs to authenticate herself
More informationChapter 11 Message Integrity and Message Authentication
Chapter 11 Message Integrity and Message Authentication Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 11.1 Chapter 11 Objectives To define message integrity
More informationEncryption 2. Tom Chothia Computer Security: Lecture 3
Encryption 2 Tom Chothia Computer Security: Lecture 3 This Lecture Counter Mode (CTR) enryption Diffie Helleman key exchange Public Key Encryption RSA Signing Combining public and symmetric key encryption
More informationMTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov October 31, 2005 Abstract Standard security assumptions (IND-CPA, IND- CCA) are explained. A number of cryptosystems
More informationAnonymous Credentials: How to show credentials without compromising privacy. Melissa Chase Microsoft Research
Anonymous Credentials: How to show credentials without compromising privacy Melissa Chase Microsoft Research Credentials: Motivation ID cards Sometimes used for other uses E.g. prove you re over 21, or
More informationKey Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings
Key Exchange References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings Outlines Primitives Root Discrete Logarithm Diffie-Hellman ElGamal Shamir s Three Pass
More informationCRYPTOGRAPHIC PROTOCOLS: PRACTICAL REVOCATION AND KEY ROTATION
#RSAC SESSION ID: CRYP-W04 CRYPTOGRAPHIC PROTOCOLS: PRACTICAL REVOCATION AND KEY ROTATION Adam Shull Recent Ph.D. Graduate Indiana University Access revocation on the cloud #RSAC sk sk Enc Pub Sym pk k
More information