Advances in Securely Outsourcing Computation
1 Advances in Securely Outsourcing Computation Xiaofeng Chen December, 2017
2 Agenda
1. Cloud Computing
2. Verifiable Computation
3. Secure Outsourcing of Scientific Computations
4. Secure Outsourcing of Cryptographic Operations
5. Verifiable Database with Updates (VDB)
6. Future Works
3 1. Cloud Computing
Cloud computing realizes the long-standing dream of computing as a service: users with resource-constrained devices can draw on practically unlimited computing resources in a pay-per-use manner. Its characteristics are on-demand self-service, ubiquitous network access, location-independent resource pooling, rapid resource elasticity and usage-based pricing, and these are exactly what makes outsourcing attractive.
4 Outsourcing paradigm
If you want to eat a fish, you do not need to become a fisherman; if you travel by air, you do not buy a Boeing 737. Cloud computing facilitates outsourcing computation in the same spirit.
Outsourcing computation paradigm: clients with resource-constrained devices outsource heavy computation workloads to the cloud server, ideally with only one round of interaction between client and server.
Outsourcing computation also brings new security challenges: secrecy (the server should learn nothing about the inputs and outputs), checkability (the client must be able to verify the returned result) and efficiency (the client's local work, including verification, must be substantially cheaper than the task itself).
5 Outsourcing computation architecture (figure)
6 Security model
Who is the adversary: the untrusted server(s). Adversary models considered in the literature:
Honest but curious: follows the protocol but tries to learn the inputs.
Lazy but honest: does not try to learn anything, but may skip work and return a wrong result.
One-malicious of two untrusted programs: two servers, at most one of which deviates from the protocol.
Refereed delegation of computation: two servers, at least one of which is honest, with the client acting as referee.
Fully malicious (dishonest, curious and lazy): the strongest model.
7 How to achieve secrecy?
Encryption alone is only a partial solution and is combined with blinding. Blinding preserves some inherent (typically algebraic) property of the operation, so the server can still compute on the blinded values, but every kind of computation requires its own logical division and blinding technique. Fully homomorphic encryption (FHE) would solve the problem generically, but it is inefficient and not practical for real-world applications.
8 How to achieve checkability?
How can the client verify the result returned by a malicious server? A wrong result may be due to a programming error, or the server may intentionally return a computationally indistinguishable (random) result, e.g. to save the cost of the computation for financial reasons.
9 How to achieve checkability?
Three kinds of checkability (verifiability):
1. Inversion of one-way function problems: given y = f(x) for a one-way function f, compute x. Verification is trivial: the client just checks f(x) =? y.
10 How to achieve checkability?
2. Multiple (non-colluding) servers: the same test queries are sent to at least two servers, and verification reduces to checking whether their outputs agree, f(x)_1 =? f(x)_2. This is a probabilistic check: a server that cheats only on a query that is not compared goes undetected. Note: this idea is a little similar to the prisoner's dilemma in game theory.
11 Prisoner's Dilemma
Players A and B. Case 1: A (Yes), B (Yes): both get 30 years in prison. Case 2: A (No), B (No): both are set free (the best joint choice). Case 3: one (Yes), the other (No): the one answering Yes gets 10 years, the one answering No gets 50 years in prison.
12 How to achieve checkability?
3. One malicious server: verifiable computation. The server must provide some auxiliary proof to support verification of the result (this requires different kinds of knowledge-proof techniques).
13 How to achieve efficiency?
Verification must be efficient: the (non-interactive) proof verification should be cheap, especially in the third case, in terms of computational, storage and communication resources. The verification must require fewer resources than the computation task itself, otherwise the client could simply do the computation locally.
14 Research status
Theoretical community: scientific computations such as matrix multiplication and inversion, quadrature, systems of linear equations, linear programming, sequence comparisons.
Cryptographic community: wallets with observers, bilinear pairings, modular exponentiations, outsourced attribute-based encryption and signatures (OABE, OABS), inversion of one-way functions.
Verifiable computation: covered in the next section.
15 2. Verifiable Computation
A protocol between a client C and an untrusted server S: C supplies a function and some input; S returns the output together with a proof. It mainly addresses the third case of outsourcing computation (a single malicious server). Although C is resource-constrained, it is allowed to perform a one-time expensive setup phase (offline pre-computation) whose cost is amortized over many evaluations.
16 Formal definitions
A verifiable computation scheme VC = (KeyGen, ProbGen, Compute, Verify) consists of the four algorithms defined below.
1. KeyGen(f, n) -> (PK, SK): based on the security parameter n, the randomized key generation algorithm generates a public/secret key pair for the function f. The public key is provided to the server, while the client keeps the matching secret key private.
2. ProbGen_SK(x) -> (σ_x, τ_x): the problem generation algorithm uses the secret key SK to encode the function input x as a public value σ_x, which is given to the server, and a secret value τ_x, which is kept private by the client.
3. Compute_PK(σ_x) -> σ_y: using the client's public key for f and the encoded input, the server computes an encoded version σ_y of the function's output y = f(x).
4. Verify_SK(τ_x, σ_y) -> y or ⊥: using the secret key SK and the secret decoding value τ_x, the verification algorithm converts the worker's encoded output into the output of the function, y = f(x), or outputs ⊥, indicating that σ_y does not represent a valid output of f on x.
17 Security properties
Correct: the value and proof generated by an honest server are always verified successfully and accepted by the client.
Secure: a malicious server cannot convince the verifier to accept an invalid output; a dishonest server's (result, proof) pair is rejected.
Efficient: verification must not consume plenty of expensive resources (computation, storage, communication); this is what matters for real-world applications.
For comparison, the three properties of zero-knowledge proofs (ZKP):
Completeness: if the statement is true, an honest verifier (one following the protocol properly) will be convinced of this fact by an honest prover.
Soundness: if the statement is false, no cheating prover can convince the honest verifier that it is true, except with some small probability.
Zero-knowledge: if the statement is true, no cheating verifier learns anything other than this fact.
18 State-of-the-art research
Gennaro et al. first introduced and formalized the notion of verifiable computing (Crypto 2010). Their scheme works for any function (encoded as a Boolean circuit), so in theory the problem is completely solved; but FHE is a building block, which makes the scheme inefficient for practical applications.
19 State-of-the-art research
Specific problems require specific tricks to design efficient schemes:
VC for very large datasets (Crypto 2011)
Memory delegation (Crypto 2011)
VC for large polynomials and matrix computations (CCS 2012)
VC for multi-function (TCC 2012)
VC for quadratic polynomials (CCS 2013)
Making argument systems for outsourced computation practical (NDSS 2012)
Taking proof-based verified computation a few steps closer to practicality (USENIX)
20 3. Secure Outsourcing of Scientific Computations
It has been proved that one cannot securely outsource an exponential-time computation while doing only polynomial-time computation locally [1]. It is therefore only meaningful to consider outsourcing expensive polynomial-time computations: matrix multiplication, matrix inversion, large-scale systems of linear equations, matrix determinant, linear programming.
[1] M. Abadi, J. Feigenbaum, and J. Kilian. On hiding information from an oracle. Proceedings of the 19th Annual ACM Symposium on Theory of Computing (STOC), 1987.
21 Secure outsourcing of large-scale systems of linear equations
Problem: solve a large-scale system of linear equations A x = b. Due to the lack of computing resources, it is infeasible for C to carry out such an expensive computation, O(n^ρ) with 2 < ρ ≤ 3, locally, so C outsources the workload to S in a pay-per-use manner.
Goals: A, x and b must be kept private, and the client's work must be efficient.
22 Secure outsourcing of large-scale systems of linear equations: Atallah's scheme [2]
C selects a random matrix B and a random index j ∈ {1, 2, ..., n}, and replaces the j-th column of B by b, i.e. B = [B_1, ..., B_{j-1}, b, B_{j+1}, ..., B_n].
C generates three matrices P_1, P_2, P_3 using the same method as before (as in the matrix inversion protocol).
C computes A' = P_1 A P_2^{-1} and B' = P_1 B P_3^{-1} and sends them to S.
S solves the linear system A' X' = B' and obtains X' = P_2 A^{-1} B P_3^{-1}.
C computes X = P_2^{-1} X' P_3 = A^{-1} B. The answer x is the j-th column of X, i.e. x = X_j.
Note: this scheme uses the interactive matrix inversion protocol as a building block!
[2] M.J. Atallah, K.N. Pantazopoulos, J.R. Rice, and E.H. Spafford. Secure outsourcing of scientific computations. Advances in Computers, Vol. 54, 2001.
23 Secure outsourcing of large-scale systems of linear equations: our scheme
Keys: PK = n, SK = (M, N, r), where M and N are random sparse invertible n×n matrices and r is a random n-vector.
I. C computes c = A r + b, d = M c and T = M A N, and sends (T, d) to S.
II. S solves T y = d and returns y. C computes x = N y - r.
Correctness: T y = M A N · N^{-1}(x + r) = M A (x + r) = M (A x + A r), which equals d = M (A r + b) exactly when A x = b; since T is invertible, the returned y determines the unique solution x.
Advantages: one round, in a come-and-go manner. Since M and N are sparse, the client's local computation is O(n^2). C can detect misbehavior of S with probability 1 by checking A x = b, which also costs O(n^2).
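The scheme on this slide, worked through as an added example (this is my toy implementation, not the paper's code). It takes M and N as random generalized permutation matrices (one nonzero per row and column), which is one way to obtain sparse invertible matrices with O(n^2) client cost; exact Fraction arithmetic stands in for the field a real deployment would use; the server's Gauss-Jordan solver plays the role of S, and a second server that corrupts one coordinate of y shows the client's check firing. It assumes A is nonsingular.

```python
from fractions import Fraction
import random

# Client-side blinding for outsourcing A x = b:
#   c = A r + b,  d = M c,  T = M A N;  the server solves T y = d;  x = N y - r.
# M and N are stored as (perm, scale), meaning S[i][perm[i]] = scale[i], so that
# applying them costs O(n) for a vector and O(n^2) for a matrix.


def sparse_matrix(n, rng=random):
    """Random invertible generalized permutation matrix (assumption of this toy)."""
    perm = list(range(n))
    rng.shuffle(perm)
    scale = [Fraction(rng.randrange(1, 100)) for _ in range(n)]
    return perm, scale


def sparse_apply(S, v):
    """S v in O(n)."""
    perm, scale = S
    return [scale[i] * v[perm[i]] for i in range(len(v))]


def sparse_left(S, A):
    """S A in O(n^2): row i of S A is scale[i] times row perm[i] of A."""
    perm, scale = S
    return [[scale[i] * a for a in A[perm[i]]] for i in range(len(A))]


def sparse_right(A, S):
    """A S in O(n^2): column perm[k] of A S is scale[k] times column k of A."""
    perm, scale = S
    n = len(A)
    out = [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        for k in range(n):
            out[i][perm[k]] = A[i][k] * scale[k]
    return out


def matvec(A, v):
    return [sum(a * x for a, x in zip(row, v)) for row in A]


def gauss_solve(T, d):
    """Server side: Gauss-Jordan elimination, the O(n^3) work being outsourced."""
    n = len(T)
    aug = [list(map(Fraction, T[i])) + [Fraction(d[i])] for i in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if aug[r][col] != 0)
        aug[col], aug[piv] = aug[piv], aug[col]
        pv = aug[col][col]
        aug[col] = [v / pv for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[col])]
    return [aug[i][n] for i in range(n)]


def lying_server(T, d):
    """A lazy or malicious server: solves, then corrupts one coordinate of y."""
    y = gauss_solve(T, d)
    y[0] += 1
    return y


def outsource_solve(A, b, server, rng=random):
    """Run the one-round protocol. Returns (x, accepted); accepted is False
    when the client's O(n^2) check A x = b fails."""
    n = len(A)
    A = [[Fraction(v) for v in row] for row in A]
    b = [Fraction(v) for v in b]
    # Secret key: sparse M, N and a random vector r (the public key is just n).
    M, N = sparse_matrix(n, rng), sparse_matrix(n, rng)
    r = [Fraction(rng.randrange(-50, 50)) for _ in range(n)]
    # I. Encode: c = A r + b, d = M c, T = M A N, all O(n^2) for the client.
    c = [ar + bi for ar, bi in zip(matvec(A, r), b)]
    d = sparse_apply(M, c)
    T = sparse_right(sparse_left(M, A), N)
    # The server only ever sees (T, d); A, b, r and x stay with the client.
    y = server(T, d)
    # II. Decode x = N y - r and verify A x = b; any wrong y is caught.
    x = [ny - ri for ny, ri in zip(sparse_apply(N, y), r)]
    return x, matvec(A, x) == b
```

A practitioner's caveat: with monomial M and N, T = M A N has the same number of nonzero entries as A and its zero pattern is a row/column permutation of A's, so this choice hides the values but leaks the sparsity structure of A; the matrices actually used in the paper should be taken from there, not from this toy. The final comparison `matvec(A, x) == b` is what gives detection with probability 1, whatever the server does to y.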
24 4. Secure Outsourcing of Cryptographic Operations
So far there are two kinds of secure and efficient number-theoretic cryptosystems: integer-factorization-based systems (RSA) and discrete-logarithm-based systems (ElGamal, ECC). Both require powerful but prohibitively expensive operations: exponentiation modulo a large integer (RSA, ECC) and bilinear pairings (identity-based encryption, short signatures). Hence we mainly focus on how to securely outsource such expensive cryptographic operations.
25 Secure outsourcing of exponentiation
Secure outsourcing of single modular exponentiation. Problem: compute u^a mod p. Requirement: the inputs and outputs of the outsourcing algorithm, (u, a, u^a), should be protected.
Secure outsourcing of simultaneous modular exponentiation. Problem: compute u_1^a u_2^b mod p (as used in chameleon hashing and trapdoor commitments). Requirement: the inputs and outputs (u_1, a, u_2, b, u_1^a u_2^b) should be protected.
26 Secure outsourcing of single modular exponentiation
The first scheme was proposed by Hohenberger and Lysyanskaya [3]: random blinding factors logically split the inputs into two random-looking pieces, which are handed to two untrusted servers; C must perform one-time expensive computations in a pre-processing phase.
Our proposed scheme [4] is superior to [3] both in efficiency and in checkability; its main idea is similar to the prisoner's dilemma.
[3] S. Hohenberger and A. Lysyanskaya. How to securely outsource cryptographic computations. Theory of Cryptography (TCC), LNCS 3378, Springer.
[4] X. Chen, J. Li, J. Ma, Q. Tang and W. Lou. New algorithms for secure outsourcing of modular exponentiations. ESORICS, LNCS 7459, Springer.
27 Secure outsourcing of single modular exponentiation: our proposed algorithm Exp
Setting: g generates a subgroup of prime order q in Z_p^*, u lies in that subgroup, and C wants u^a mod p using two untrusted servers S_1 and S_2, at most one of which is malicious.
I. Setup (offline): C creates two blinding pairs (α, g^α) and (β, g^β); denote v = g^α mod p and μ = g^β mod p.
II. Logical division: write u = v w with w = u / v mod p. Then u^a = (v w)^a = g^{aα} w^a = g^β g^γ w^a mod p, where γ = aα - β mod q. The remaining exponent is split with a random k: u^a = g^β g^γ w^k w^l mod p, where l = a - k mod q.
III. Rand: C obtains three random pairs (t_1, g^{t_1}), (t_2, g^{t_2}), (t_3, g^{t_3}) from the pre-processing phase.
IV. Query (a query (e, h) asks the server for h^e mod p; each server receives its queries in random order):
S_1: (t_2/t_1, g^{t_1}) -> g^{t_2}; (γ/t_3, g^{t_3}) -> g^γ; (l, w) -> w^l.
S_2: (t_2/t_1, g^{t_1}) -> g^{t_2}; (γ/t_3, g^{t_3}) -> g^γ; (k, w) -> w^k.
V. Check: g^{t_2} = S_1(t_2/t_1, g^{t_1}), g^{t_2} = S_2(t_2/t_1, g^{t_1}) and S_1(γ/t_3, g^{t_3}) = S_2(γ/t_3, g^{t_3}). If all hold, C computes u^a = μ · g^γ · w^k · w^l mod p; otherwise C outputs error.
Note: in the one-malicious model, S_1(γ/t_3, g^{t_3}) = S_2(γ/t_3, g^{t_3}) implies that both S_1 and S_2 produced the correct g^γ, because at most one of them deviates.
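The algorithm Exp from this slide, as an added example (my code, not the authors' implementation). It assumes a toy group constructed for the example, p = 1019 = 2·509 + 1, q = 509 and g = 4 of order q; the three Rand pairs are generated by direct exponentiation rather than from a pre-computed table, which is the one simplification; the two servers are plain functions, one honest and one that answers every query wrongly.

```python
import random

# Toy group parameters (constructed for this example): p = 2q + 1 is a safe
# prime, q is prime, and g = 4 generates the subgroup of order q in Z_p^*.
# A real deployment uses 2048-bit or larger parameters; the steps are identical.
P, Q, G = 1019, 509, 4


def honest_server(queries):
    """An outsourcing server answers each query (e, h) with h^e mod p."""
    return [pow(h, e, P) for e, h in queries]


def lying_server(queries):
    """A malicious server whose every answer is wrong (correct value times g)."""
    return [pow(h, e, P) * G % P for e, h in queries]


def outsource_exp(u, a, s1, s2, rng=random):
    """Exp: compute u^a mod p with two untrusted servers, at most one malicious.
    Returns the result, or None when the consistency checks fail."""
    # I. Setup (offline): blinding pairs (alpha, g^alpha) and (beta, g^beta).
    alpha, beta = rng.randrange(1, Q), rng.randrange(1, Q)
    v, mu = pow(G, alpha, P), pow(G, beta, P)
    # II. Logical division: u = v*w, so u^a = mu * g^gamma * w^a, gamma = a*alpha - beta.
    w = u * pow(v, -1, P) % P
    gamma = (a * alpha - beta) % Q
    # Split the exponent of w: w^a = w^k * w^l with l = a - k (mod q).
    k = rng.randrange(1, Q)
    l = (a - k) % Q
    # III. Rand: three pairs (t_i, g^{t_i}). The paper takes them from a
    # pre-computed table; here they are generated directly (simplification).
    t1, t2, t3 = (rng.randrange(1, Q) for _ in range(3))
    gt1, gt2, gt3 = (pow(G, t, P) for t in (t1, t2, t3))
    test_query = (t2 * pow(t1, -1, Q) % Q, gt1)      # honest answer: g^{t2}
    gamma_query = (gamma * pow(t3, -1, Q) % Q, gt3)  # honest answer: g^gamma

    def ask(server, queries):
        # IV. Query: send in random order so the server cannot tell the test
        # queries from the real work, then restore the original order.
        order = list(range(len(queries)))
        rng.shuffle(order)
        answers = server([queries[i] for i in order])
        restored = [None] * len(queries)
        for pos, i in enumerate(order):
            restored[i] = answers[pos]
        return restored

    r1 = ask(s1, [test_query, gamma_query, (l, w)])
    r2 = ask(s2, [test_query, gamma_query, (k, w)])
    # V. Check: both servers must return g^{t2} on the test query and must agree
    # on g^gamma; with at most one malicious server, agreement means both are right.
    if r1[0] != gt2 or r2[0] != gt2 or r1[1] != r2[1]:
        return None
    # u^a = mu * g^gamma * w^k * w^l mod p
    return mu * r1[1] * r2[2] * r1[2] % P
```

The client's online work is a handful of multiplications and inversions mod q and mod p; the exponentiations it avoids are exactly the six queries. Checkability is probabilistic: a server that corrupts exactly one of its three answers hits the unchecked (k, w) or (l, w) query with probability 1/3, since the queries are shuffled, so a single cheating attempt is caught with probability 2/3; a server that lies on everything, as `lying_server` does, is always caught.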
28 Comparison of the two algorithms (MM: modular multiplications, MInv: modular inversions)
Single modular exponentiation:
                Algorithm [3]   Algorithm [4]
MM              9               7
MInv
Checkability
Simultaneous modular exponentiation:
                Algorithm [3]   Algorithm [4]
MM              9               10
MInv
Checkability
29 Our Recent Papers
Xiaofeng Chen, Jin Li, Jianfeng Ma, Qiang Tang, Wenjing Lou. New Algorithms for Secure Outsourcing of Modular Exponentiations. IEEE Transactions on Parallel and Distributed Systems, 25(9).
Xiaofeng Chen, Jin Li, Xinyi Huang, Jingwei Li, Yang Xiang, Duncan Wong. Secure Outsourced Attribute-based Signatures. IEEE Transactions on Parallel and Distributed Systems, 25(12).
Xiaofeng Chen, Xinyi Huang, Jin Li, Jianfeng Ma, Wenjing Lou, Duncan S. Wong. New Algorithms for Secure Outsourcing of Large-scale Systems of Linear Equations. IEEE Transactions on Information Forensics and Security, 10(1), 69-78.
Xiaofeng Chen, Jin Li, Willy Susilo. Efficient Fair Conditional Payments for Outsourcing Computations. IEEE Transactions on Information Forensics and Security, 7(6).
Xiaofeng Chen, Willy Susilo, Jin Li, Duncan S. Wong, Jianfeng Ma, Shaohua Tang, Qiang Tang. Efficient Algorithms for Secure Outsourcing of Bilinear Pairings. Theoretical Computer Science, 562.
Haixin Nie, Xiaofeng Chen, Jin Li, Joseph Liu, Wenjing Lou. Efficient and Verifiable Algorithm for Secure Outsourcing of Large-scale Linear Programming. AINA 2014 (Best Paper Award).
Jin Li, Jingwei Li, Xiaofeng Chen, et al. Identity-based Encryption with Outsourced Revocation in Cloud Computing. IEEE Transactions on Computers, 64(2).
30 5. Verifiable Database (VDB)
A special kind of verifiable computation (verifiable storage). Benabbas et al. proposed the notion of VDB in "Verifiable delegation of computation over large datasets" (Crypto 2011). Figure: the client sends an index x to the server and receives the pair (x, v_x) back.
31 Static Database
Figure: the client outsources records (x, v) together with a signature Sig(v); on a query for x the server returns (v, Sig(v)). Sig(v) cannot be forged, so the static case is easy.
32 Dynamic Database (Updatable)
Figure: the client stores (x, v, Sig(v)) at the server and later updates the value at x; on a query for x the server returns (v, Sig(v)).
Problem: how to revoke the signature of a previous data record?
Paradox: if the client revokes old signatures, it has to keep track of every change locally, so why outsource at all? If it does not, a malicious server can use a previous (still valid) database record and its signature to respond to the client's current query without being detected (Backward Substitution Update attack).
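The Backward Substitution Update attack on the naive signed-record database, as an added example (my code, not from the papers): the untrusted server keeps every old (v, Sig(v)) pair and answers a query with a stale one. HMAC-SHA256 under a client key stands in for Sig(), so this toy has only private verifiability; the slides use BLS signatures precisely so that anyone with the public key can verify. The counter-bound variant is the simplest fix the slide motivates, and it makes the paradox concrete: the client must remember a counter T_x for every index it has updated.

```python
import hmac
import hashlib

# Client key for the stand-in signature (constructed for the example).
KEY = b"client-secret-key-constructed-for-this-example"


def tag(*parts):
    """Stand-in for Sig(): HMAC-SHA256 over length-prefixed parts."""
    msg = b""
    for p in parts:
        s = str(p).encode()
        msg += len(s).to_bytes(4, "big") + s
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


class Server:
    """Untrusted storage: keeps the current record and every old one it has seen."""

    def __init__(self):
        self.records = {}   # x -> (payload, tag)
        self.history = {}   # x -> every (payload, tag) ever stored at x

    def store(self, x, payload, t):
        self.records[x] = (payload, t)
        self.history.setdefault(x, []).append((payload, t))

    def query(self, x):
        return self.records[x]

    def query_stale(self, x):
        """Backward Substitution: answer with the oldest record ever stored at x."""
        return self.history[x][0]


# Naive scheme: Sig(v) binds only the index and value, so any old record verifies.
def naive_update(server, x, v):
    server.store(x, v, tag(x, v))


def naive_verify(x, v, t):
    return hmac.compare_digest(t, tag(x, v))


# Counter-bound scheme: the tag also covers the update counter T_x, and the
# client keeps T_x locally; a replayed record carries a stale counter.
class Client:
    def __init__(self):
        self.counter = {}

    def update(self, server, x, v):
        self.counter[x] = self.counter.get(x, 0) + 1
        T = self.counter[x]
        server.store(x, (v, T), tag(x, v, T))

    def verify(self, x, record, t):
        v, T = record
        return T == self.counter.get(x, 0) and hmac.compare_digest(t, tag(x, v, T))


def demo():
    """Returns (stale record accepted by naive scheme, stale record accepted by counter scheme)."""
    s1 = Server()
    naive_update(s1, 7, "v0")
    naive_update(s1, 7, "v1")
    v, t = s1.query_stale(7)           # server replays (v0, Sig(v0))
    naive_ok = naive_verify(7, v, t)   # the stale record still verifies
    s2, c = Server(), Client()
    c.update(s2, 7, "v0")
    c.update(s2, 7, "v1")
    rec, t = s2.query_stale(7)         # replayed record carries counter 1
    bound_ok = c.verify(7, rec, t)     # client expects counter 2
    return naive_ok, bound_ok
```

The per-index counters are exactly the client state the slides want to avoid, which is why the constructions that follow bind the counter into a public key that is updated recursively and later put a vector commitment over the commitments to keep client storage independent of the number of records.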
33 Verifiable Database with Updates
How to design an efficient VDB? Previous works require either non-constant-size assumptions (the q-strong Diffie-Hellman assumption) or expensive operations (re-shuffling procedures).
34 Verifiable Database with Updates
Why are standard assumptions good?
IF-related ones: IF, RSA, Strong RSA.
DL-related ones: DL, CDH, DDH, and the bilinear-pairing-related assumptions.
35 Benabbas-Gennaro-Vahlis Construction
The BGV construction is the first practical solution, in bilinear groups of composite order (Crypto 2011). It is based on verifiable delegation of polynomials (subgroup membership assumption). It cannot support public verifiability.
36 Catalano-Fiore Construction
The second practical construction (PKC 2013). It is based on a primitive called vector commitment, with concrete constructions from standard assumptions. Compared with the BGV construction, it only uses bilinear groups of prime order, and it supports public verifiability. The private key of the client is not involved in updating; surprisingly, it is empty! Is this good or bad?
37 New Construction for VDB: our main contribution
The Catalano-Fiore construction may suffer from the Forward Automatic Update (FAU) attack. We propose a new framework that is publicly verifiable and secure against the FAU attack, and present a concrete construction based on the Square-CDH assumption (which is equivalent to the CDH assumption).
38 FAU attack
The adversary (just like the real client) can update the database in a forward and automatic manner. Forward means that the update is based on the latest database state (a new update, as opposed to the Backward Substitution Update attack defined earlier); automatic means that the update can be performed at any time and for any number of steps. Figure: database versions V_0, V_1, ..., V_i, ..., V_L, V_{L+1}.
39 Why it suffers from the FAU attack
The secret key in the Catalano-Fiore construction is not involved in updating; more precisely, the client's secret key is empty. Why? In the Crypto 2011 construction the secret key is used for both updating and verification (hence only private verifiability). Guess: with no private key, verification is performed using only the public key, which gives public verifiability; but then anyone, and especially the server, can update the database!
40 Paradox
Using SK: cannot support public verifiability. Not using SK: cannot resist the FAU attack. How to resolve this paradox? SK must be used in the update; signatures can be used, but are not enough on their own (old signatures would need to be revoked).
41 Our Main Idea
Commitment binding technique (after T updates): it is difficult to forge a new BLS signature. The public key of the previous version is bound to the current public key, the BLS signature, the counter T and the current database; the public key is defined recursively.
42 Our Main Idea
Commitment binding technique (after T updates): the definition for T = 0 is the setup phase. This results in a general construction for VDB.
43 VDB with Incremental Updates
The data record (plaintext) undergoes frequent but small modifications (e.g. only a few bits). The previous solution requires re-computing and updating the ciphertext from scratch each time, so it is meaningful to seek efficient constructions for VDB with incremental updates (Inc-VDB), where both the ciphertext and the update token are re-computed incrementally rather than from scratch.
44 Motivation: incremental cryptography
Figure: a file is split into blocks m_1, ..., m_i, ..., m_n encrypted as c_1, ..., c_i, ..., c_n; changing one block m_i to m'_i should only require updating c_i to c'_i, while changing all blocks m'_1, ..., m'_n yields c'_1, ..., c'_n. Distributed updates problem!
1. The existing incremental schemes cannot solve the distributed updates problem.
2. The update algorithms of VDBs are not incremental, and the client needs to re-compute the new update token from scratch each time.
45 Our main contribution
Introduce the notion of verifiable database with incremental updates (Inc-VDB). Propose a general Inc-VDB framework by incorporating the primitive of vector commitment and the encrypt-then-incremental-MAC mode of encryption. Introduce a new property called accountability for VDB schemes.
46 Formal Definition of Inc-VDB
Definition 4. A verifiable database scheme with incremental updates Inc-VDB = (Setup, Query, Verify, Inc-Update) consists of the four algorithms defined below.
1. Setup(1^k, DB): on input the security parameter k, the setup algorithm is run by the client to generate a secret key SK, to be secretly stored by the client, and a public key PK that is distributed to all users (including the client itself) for verifying the proofs.
2. Query(PK, x): on input an index x, the query algorithm is run by the server and returns a pair τ = (v, π).
3. Verify(PK/SK, x, τ): the public/private verification algorithm outputs a value v if τ is correct with respect to x, and an error otherwise.
4. Inc-Update(SK, x, v'): in the update algorithm, the client uses the secret key SK to compute a new token t'_x from the previous one in an incremental manner rather than from scratch, and sends the pair (t'_x, v') to the server. If the token t'_x is valid, the server uses v' to update the database record at index x, and t'_x to incrementally update the public key PK.
47 Our Main Idea (figure)
48 Our Main Idea
Server-side efficiency: the server only needs to compute π_x once, for the first query on index x.
Incremental signature: the client computes its part using the client's private key and sends it to the server; the server completes it using the server's private key.
49 Our Main Idea
Public verifiability:
1. The proof consists of the (BLS) signature of the client and an opening of the vector commitment.
2. Both of them can be verified with the public key only.
3. The client need not store the changes locally or revoke the signature.
4. A verifiable random function can be used to achieve private verifiability instead.
Reducing the client storage overhead:
1. The number of counters T_x depends on q, which is highly undesirable when q becomes very large.
2. Apply a vector commitment over the commitments.
50 Our Recent Papers
Xiaofeng Chen, Jin Li, Xinyi Huang, Jianfeng Ma, Wenjing Lou. New Publicly Verifiable Databases with Efficient Updates. IEEE Transactions on Dependable and Secure Computing, 12(5).
Xiaofeng Chen, Jin Li, Jian Weng, Jianfeng Ma, Wenjing Lou. Verifiable Computation over Large Database with Incremental Updates. ESORICS 2014, LNCS 8712; IEEE Transactions on Computers, 65(10).
51 6. Future Works
How do we achieve CCA2 security for the inputs in the outsourcing paradigm?
Is it possible to find an efficient algorithm for securely outsourcing cryptographic operations to only one untrusted server?
How to construct efficient VDB schemes supporting all kinds of update operations?
How to prove (not only detect) the misbehavior of an untrusted server given the multiple results of an outsourced computation?
52 Thank you & questions?
Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Program Obfuscation [BGIRSVY01, GGHRSW13] Indistinguishability obfuscation (io)
More informationNon-Interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers
Non-Interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers Rosario Gennaro Craig Gentry Bryan Parno February 1, 2010 bstract Verifiable Computation enables a computationally weak
More informationOn the Security of a Lightweight Cloud Data Auditing Scheme
On the Security of a Lightweight Cloud Data Auditing Scheme Reyhaneh Rabaninead a, Maryam Raabzadeh Asaar b, Mahmoud Ahmadian Attari a, Mohammad Reza Aref c a Department of Electrical Engineering, K. N.
More informationCryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44
Cryptography Today Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 About the Course Regular classes with worksheets so you can work with some concrete examples (every Friday at 1pm).
More informationSecurity Remarks on a Convertible Nominative Signature Scheme
Security Remarks on a Convertible Nominative Signature Scheme Guilin Wang and Feng Bao Institute for Infocomm Research (I 2 R) 21 Heng Mui Keng Terrace, Singapore 119613 {glwang,baofeng}@i2r.a-star.edu.sg
More informationCryptography: More Primitives
Design and Analysis of Algorithms May 8, 2015 Massachusetts Institute of Technology 6.046J/18.410J Profs. Erik Demaine, Srini Devadas and Nancy Lynch Recitation 11 Cryptography: More Primitives 1 Digital
More informationAn IBE Scheme to Exchange Authenticated Secret Keys
An IBE Scheme to Exchange Authenticated Secret Keys Waldyr Dias Benits Júnior 1, Routo Terada (Advisor) 1 1 Instituto de Matemática e Estatística Universidade de São Paulo R. do Matão, 1010 Cidade Universitária
More informationA Thesis for the Degree of Master of Science. Provably Secure Threshold Blind Signature Scheme Using Pairings
A Thesis for the Degree of Master of Science Provably Secure Threshold Blind Signature Scheme Using Pairings Vo Duc Liem School of Engineering Information and Communications University 2003 Provably Secure
More informationDAC-MACS: Effective Data Access Control for Multiauthority Cloud Storage Systems
1790 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 8, NO. 11, NOVEMBER 2013 DAC-MACS: Effective Data Access Control for Multiauthority Cloud Storage Systems Kan Yang, Associate Member,
More informationUNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX
UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 10 Digital Signatures Israel Koren ECE597/697 Koren Part.10.1 Content of this part
More informationEfficiency Optimisation Of Tor Using Diffie-Hellman Chain
Efficiency Optimisation Of Tor Using Diffie-Hellman Chain Kun Peng Institute for Infocomm Research, Singapore dr.kun.peng@gmail.com Abstract Onion routing is the most common anonymous communication channel.
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary Introduction Stream & Block Ciphers Block Ciphers Modes (ECB,CBC,OFB) Advanced Encryption Standard (AES) Message Authentication
More informationA public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks
A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks Jan Camenisch 1, Nishanth Chandran 2, and Victor Shoup 3 1 IBM Research, work funded
More informationLecture 2 Applied Cryptography (Part 2)
Lecture 2 Applied Cryptography (Part 2) Patrick P. C. Lee Tsinghua Summer Course 2010 2-1 Roadmap Number theory Public key cryptography RSA Diffie-Hellman DSA Certificates Tsinghua Summer Course 2010 2-2
More informationIntroduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption
Introduction to Cryptography and Security Mechanisms: Unit 5 Public-Key Encryption Learning Outcomes Explain the basic principles behind public-key cryptography Recognise the fundamental problems that
More informationSecure Key-Evolving Protocols for Discrete Logarithm Schemes
Secure Key-Evolving Protocols for Discrete Logarithm Schemes Cheng-Fen Lu and ShiuhPyng Winston Shieh Computer Science and Information Engineering Department National Chiao Tung University, Taiwan 30050
More informationDigital Signatures. Sven Laur University of Tartu
Digital Signatures Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic identity,
More informationThe Exact Security of a Stateful IBE and New Compact Stateful PKE Schemes
The Exact Security of a Stateful IBE and New Compact Stateful PKE Schemes S. Sree Vivek, S. Sharmila Deva Selvi, C. Pandu Rangan Theoretical Computer Science Lab, Department of Computer Science and Engineering,
More informationKey Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings
Key Exchange References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings Outlines Primitives Root Discrete Logarithm Diffie-Hellman ElGamal Shamir s Three Pass
More informationLecture 6: ZK Continued and Proofs of Knowledge
600.641 Special Topics in Theoretical Cryptography 02/06/06 Lecture 6: ZK Continued and Proofs of Knowledge Instructor: Susan Hohenberger Scribe: Kevin Snow 1 Review / Clarification At the end of last
More informationCrypto Background & Concepts SGX Software Attestation
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 4b Slide deck extracted from Kamran s tutorial on SGX, presented during ECE 6095 Spring 2017 on Secure Computation and Storage, a precursor to this course
More informationCS 395T. Formal Model for Secure Key Exchange
CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,
More informationPublic Key Cryptography
graphy CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 29 December 2011 CSS322Y11S2L07, Steve/Courses/2011/S2/CSS322/Lectures/rsa.tex,
More informationA Ring Signature Scheme with Strong Designated Verifiers to Provide Signer Anonymity
A Ring Signature Scheme with Strong Designated Verifiers to Provide Signer Anonymity Shin-Jia Hwang Department of Computer Science and Information Engineering,Tamkang University, Tamsui, Taipei Hsien,
More informationIdentification Schemes
Identification Schemes Lecture Outline Identification schemes passwords one-time passwords challenge-response zero knowledge proof protocols Authentication Data source authentication (message authentication):
More informationLecture IV : Cryptography, Fundamentals
Lecture IV : Cryptography, Fundamentals Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Computer Science Department, National Chiao Tung University Spring 2012 Basic Principles
More informationOther Topics in Cryptography. Truong Tuan Anh
Other Topics in Cryptography Truong Tuan Anh 2 Outline Public-key cryptosystem Cryptographic hash functions Signature schemes Public-Key Cryptography Truong Tuan Anh CSE-HCMUT 4 Outline Public-key cryptosystem
More informationApplied Cryptography and Computer Security CSE 664 Spring 2018
Applied Cryptography and Computer Security Lecture 13: Public-Key Cryptography and RSA Department of Computer Science and Engineering University at Buffalo 1 Public-Key Cryptography What we already know
More informationVector Commitments and their Applications
Vector Commitments and their Applications Dario Catalano 1 and Dario Fiore 2 1 Dipartimento di Matematica e Informatica, Università di Catania, Italy. catalano@dmi.unict.it 2 Max Planck Institute for Software
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 4, 2017 CPSC 467, Lecture 11 1/39 ElGamal Cryptosystem Message Integrity and Authenticity Message authentication codes
More informationMike Reiter. University of North Carolina at Chapel Hill. Proliferation of mobile devices. Proliferation of security-relevant apps using these
1 Capture-Resilient Cryptographic Devices Mike Reiter University of North Carolina at Chapel Hill Relevant Trends 2 Proliferation of mobile devices Proliferation of networking Proliferation of security-relevant
More informationIntroduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information
1 Introduction Cryptography is an interdisciplinary field of great practical importance. The subfield of public key cryptography has notable applications, such as digital signatures. The security of a
More informationAdvanced Cryptography 1st Semester Symmetric Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 22th 2007 1 / 58 Last Time (I) Security Notions Cyclic Groups Hard Problems One-way IND-CPA,
More informationSecurely Combining Public-Key Cryptosystems
Securely Combining Public-Key Cryptosystems Stuart Haber Benny Pinkas STAR Lab, Intertrust Tech. 821 Alexander Road Princeton, NJ 08540 {stuart,bpinkas}@intertrust.com Abstract It is a maxim of sound computer-security
More informationDirect Anonymous Attestation
Direct Anonymous Attestation Revisited Jan Camenisch IBM Research Zurich Joint work with Ernie Brickell, Liqun Chen, Manu Drivers, Anja Lehmann. jca@zurich.ibm.com, @JanCamenisch, ibm.biz/jancamenisch
More informationIntroduction to Security Reduction
springer.com Computer Science : Data Structures, Cryptology and Information Theory Springer 1st edition Printed book Hardcover Printed book Hardcover ISBN 978-3-319-93048-0 Ca. $ 109,00 Planned Discount
More informationCSC 5930/9010 Modern Cryptography: Public Key Cryptography
CSC 5930/9010 Modern Cryptography: Public Key Cryptography Professor Henry Carter Fall 2018 Recap Number theory provides useful tools for manipulating integers and primes modulo a large value Abstract
More informationSecurity Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017
Security Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017 Hyung Tae Lee 1, Huaxiong Wang 2, Kai Zhang 3, 4 1 Chonbuk National University, Republic of Korea 2 Nanyang
More informationLeakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter
Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter Baodong Qin and Shengli Liu Shanghai Jiao Tong University ASIACRYPT 2013 Dec 5, Bangalore,
More informationAnonymous Signature Schemes
Anonymous Signature Schemes Guomin Yang 1, Duncan S. Wong 1, Xiaotie Deng 1, and Huaxiong Wang 2 1 Department of Computer Science City University of Hong Kong Hong Kong, China {csyanggm,duncan,deng}@cs.cityu.edu.hk
More informationPlaintext Awareness via Key Registration
Plaintext Awareness via Key Registration Jonathan Herzog CIS, TOC, CSAIL, MIT Plaintext Awareness via Key Registration p.1/38 Context of this work Originates from work on Dolev-Yao (DY) model Symbolic
More informationarxiv: v1 [cs.cr] 17 Jun 2012
Multiparty Cloud Computation Qingji Zheng 1 and Xinwen Zhang 2 arxiv:1206.3717v1 [cs.cr] 17 Jun 2012 1 University of Texas at San Antonio, TX, USA qzheng@cs.utsa.edu 2 Huawei Research Center, Santa Clara,
More informationOptimally Efficient Multi-Party Fair Exchange and Fair Secure Multi-Party Computation
Optimally Efficient Multi-Party Fair Exchange and Fair Secure Multi-Party Computation Handan Kılınç 1 and Alptekin Küpçü 2 1 EPFL, Koç University 2 Koç University Abstract Multi-party fair exchange (MFE)
More informationSecure Modular Exponentiation Outsource With Two Untrusted Programs and Improved Checkability
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 32, 1205-1218 (2016) Secure Modular Exponentiation Outsource With Two Untrusted Programs and Improved Checkability Guangdong Provincial Key Laboratory of
More informationHOST Cryptography I ECE 525. Cryptography Handbook of Applied Cryptography &
Cryptography Handbook of Applied Cryptography & http://cseweb.ucsd.edu/users/mihir/cse207/ Brief History: Proliferation of computers and communication systems in 1960s brought with it a demand to protect
More informationUnderstanding Cryptography by Christof Paar and Jan Pelzl. Chapter 9 Elliptic Curve Cryptography
Understanding Cryptography by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 9 Elliptic Curve Cryptography ver. February 2nd, 2015 These slides were prepared by Tim Güneysu, Christof Paar
More informationADVANCES in NATURAL and APPLIED SCIENCES
ADVANCES in NATURAL and APPLIED SCIENCES ISSN: 1995-0772 Published BY AENSI Publication EISSN: 1998-1090 http://www.aensiweb.com/anas 2016 May 10(5): pages 223-227 Open Access Journal An Efficient Proxy
More informationCSA E0 312: Secure Computation October 14, Guest Lecture 2-3
CSA E0 312: Secure Computation October 14, 2015 Guest Lecture 2-3 Guest Instructor: C. Pandu Rangan Submitted by: Cressida Hamlet 1 Introduction Till now we have seen only semi-honest parties. From now
More informationKey Agreement Schemes
Key Agreement Schemes CSG 252 Lecture 9 November 25, 2008 Riccardo Pucella Key Establishment Problem PK cryptosystems have advantages over SK cryptosystems PKCs do not need a secure channel to establish
More informationKey Escrow free Identity-based Cryptosystem
Key Escrow free Manik Lal Das DA-IICT, Gandhinagar, India About DA-IICT and Our Group DA-IICT is a private university, located in capital of Gujarat state in India. DA-IICT offers undergraduate and postgraduate
More informationPassword Authenticated Key Exchange by Juggling
A key exchange protocol without PKI Feng Hao Centre for Computational Science University College London Security Protocols Workshop 08 Outline 1 Introduction 2 Related work 3 Our Solution 4 Evaluation
More informationRefining Computationally Sound Mech. Proofs for Kerberos
Refining Computationally Sound Mechanized Proofs for Kerberos Bruno Blanchet Aaron D. Jaggard Jesse Rao Andre Scedrov Joe-Kai Tsay 07 October 2009 Protocol exchange Meeting Partially supported by ANR,
More informationFormal Methods and Cryptography
Formal Methods and Cryptography Michael Backes 1, Birgit Pfitzmann 2, and Michael Waidner 3 1 Saarland University, Saarbrücken, Germany, backes@cs.uni-sb.de 2 IBM Research, Rueschlikon, Switzerland, bpf@zurich.ibm.com
More information