Adaptively Secure Succinct Garbled RAM with Persistent Memory
|
|
- April Johnston
- 5 years ago
- Views:
Transcription
1 Adaptively Secure Succinct Garbled RAM with Persistent Memory Ran Canetti, Yilei Chen, Justin Holmgren, Mariana Raykova DIMACS workshop MIT Media Lab June 8~10,
2 : June 11, 2016, Boston, heavy snow. 2
3 : June 11, 2016, Boston, heavy snow. Alice finds a quasi-polynomial time algorithm for factoring. 3
4 : June 11, 2016, Boston, heavy snow. Alice finds a quasi-polynomial time algorithm for factoring. Alice 4
5 : June 11, 2016, Boston, heavy snow. Alice finds a quasi-polynomial time algorithm for factoring. : Instead of submitting to STOC, she thinks it s cool to write a program and show off to her friends. 5
6 > Factoring.hs RSA2048 6
7 > Factoring.hs RSA2048 Running time 7 hrs 34 mins = x Next question 7
8 : It is slow on her laptop (quasi-polynomial time, you know) cannot fit into a party. 8
9 : It is slow on her laptop (quasi-polynomial time, you know) cannot fit into a party. : So she turns to cloud, but clouds are big brothers 9
10 : It is slow on her laptop (quasi-polynomial time, you know) cannot fit into a party. : So she turns to cloud, but clouds are big brothers : She heard that one can delegate the computation in a way that the server learns only the output of the computation but nothing else 10
11 My friends and NSA will be shocked by the runtime without learning anything other than the output 11
12 The algorithm has huge preprocessing, stores lots of nonzero points on the Zeta function... My friends and NSA will be shocked by the runtime without learning anything other than the output 12
13 The algorithm has huge preprocessing, stores lots of nonzero points on the Zeta function... My friends and NSA will be shocked by the runtime without learning anything other than the output Wait... the audiences already know too much. 13
14 > sudo apt-get install FHE 14
15 > sudo apt-get install FHE > FHE Factoring.hs 15
16 > sudo apt-get install FHE > FHE Factoring.hs Turning the program into circuits... 16
17 > sudo apt-get install FHE > FHE Factoring.hs Turning the program into circuits... ^C 17
18 > sudo apt-get install FHE > FHE Factoring.hs Turning the program into circuits... ^C > > sudo apt-get install Yao > Yao Factoring.hs 18
19 > sudo apt-get install FHE > FHE Factoring.hs Turning the program into circuits... ^C > > sudo apt-get install Yao > Yao Factoring.hs Still turning the program into circuits... #Yao 19
20 > sudo apt-get install FHE > FHE Factoring.hs Turning the program into circuits... ^C > > sudo apt-get install Yao > Yao Factoring.hs Still turning the program into circuits... ^C^C^C^C^C^C^C > 20
21 > sudo apt-get install GRAM_Lu_Ostrovsky > GRAM_Lu_Ostrovsky Factoring.hs 21
22 > sudo apt-get install GRAM_Lu_Ostrovsky > GRAM_Lu_Ostrovsky Factoring.hs Warning: Program size as big as the running time, continue (y) or not (n) 22
23 > sudo apt-get install GRAM_Lu_Ostrovsky > GRAM_Lu_Ostrovsky Factoring.hs Warning: Program size as big as the running time, continue (y) or not (n) n > 23
24 > sudo apt-get install PRAM 24
25 > sudo apt-get install PRAM > PRAM Factoring.hs 25
26 > sudo apt-get install PRAM > PRAM Factoring.hs Done -> PRAM_Factoring 26
27 > sudo apt-get install PRAM > PRAM Factoring.hs Done -> PRAM_Factoring > PRAM_Factoring RSA
28 > sudo apt-get install PRAM > PRAM Factoring.hs Done -> PRAM_Factoring > PRAM_Factoring RSA2048 Warning: cannot adaptively choose functions or inputs, security at user s own risk, continue (y) or not (n) 28
29 > sudo apt-get install PRAM > PRAM Factoring.hs Done -> PRAM_Factoring > PRAM_Factoring RSA2048 Warning: cannot adaptively choose functions or inputs, security at user s own risk, continue (y) or not (n) n 29
30 Huge amount of preprocessed data reusable Adaptively pick integers Don t turn into circuits, don t blow up too much 30
31 Garbling/randomized encoding for RAM with persistent memory 31
32 Garbling/randomized encoding for RAM with persistent memory Gen => msk 32
33 Garbling/randomized encoding for RAM with persistent memory Gen => msk msk + D0 => G(D0) 33
34 Garbling/randomized encoding for RAM with persistent memory Gen => msk msk + D0 => G(D0) msk + P1 => G(P1) 34
35 Garbling/randomized encoding for RAM with persistent memory Gen => msk msk + D0 => G(D0) msk + P1 => G(P1) Eval G(D0) G(P1) => P1(D0) 35
36 Garbling/randomized encoding for RAM with persistent memory Gen => msk Persistency msk + D0 => G(D0) msk + P1 => G(P1) Eval G(D0) G(P1) => P1(D0) G(D1) 36
37 Garbling/randomized encoding for RAM with persistent memory Gen => msk Persistency msk + D0 => G(D0) msk + P1 => G(P1) Eval msk G(D0) + P2 G(P1) => => P1(D0) G(D1) G(P2) 37
38 Garbling/randomized encoding for RAM with persistent memory Gen => msk Persistency msk + D0 => G(D0) msk + P1 => G(P1) Eval msk Eval... G(D0) + P2 G(D1) G(P1) => => P1(D0) G(D1) G(P2) G(P2) => P2(D1) G(D2) 38
39 Garbling/randomized encoding for RAM with persistent memory D0 Succinct G(D0) P1 G(P1) 39
40 Garbling/randomized encoding for RAM with persistent memory Adaptively simulation secure?? P1(D0) 40
41 Garbling/randomized encoding for RAM with persistent memory? => G(D0)? => G(P1) G(D0) G(P1) <= P1(D0) Adaptively simulation secure G(D1) 41
42 Garbling/randomized encoding for RAM with persistent memory? => G(D0)? => G(P1) G(D0) G(P1) Adaptively simulation secure <= P1(D0) G(D1)? G(D1) P2(D1) 42
43 Garbling/randomized encoding for RAM with persistent memory? => G(D0)? => G(P1) G(D0)? G(D1) G(P1) => <= P1(D0) Adaptively simulation secure G(D1) G(P2) G(P2) <= P2(D1) G(D2) 43
44 Theorem 44
45 [Main Theorem] Adaptively secure succinct garbled RAM with persistent memory from indistinguishability obfuscation for circuits, and poly-to-1 collision-resistant hash function. 45
46 Starring 46
47 Indistinguishability Obfuscator 47
48 Indistinguishability Obfuscator for circuits Defined by [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01] Security: io[ F0 ] io[ F1 ] if F0 and F1 have identical functionality Candidate constructions: [Garg-Gentry-Halevi-Raykova-Sahai-Waters 13], [Barak-Garg-Kalai-Paneth-Sahai 14], [Brakerski-Rothblum 14], [Pass-Seth-Telang 14], [Zimmerman 15], [Applebaum-Brakerski 15], [Ananth-Jain 15], [Bitansky-Vaikuntanathan 15], [Gentry-Gorbunov-Halevi 15], [Lin 16], Cryptanalyses: [Cheon-Han-Lee-Ryu-Stehle 15], [Coron et al 15], [Miles-Sahai-Zhandry 16],... 48
49 Poly-to-one Collision Resistant Hash function 49
50 Poly-to-one collision resistant hash functions H is collision resistant + each image has at most poly preimages. [Thm] Exists for constant c, assuming Factoring or Discrete-log is hard. 50
51 The rest of the talk: 1. The main idea of the construction. 2. The technical heart: adaptively-enforceable accumulator. 3. Wrap up, and the easiest ways to think of our scheme. 51
52 Starting point: Canetti-Holmgren s selective secure scheme. 52
53 Starting point: Canetti-Holmgren s selective secure scheme. High-level idea of the Canetti-Holmgren construction: Garble the CPU-step circuit, encrypt and authenticate the intermediate states, memories. 53
54 You never know how hard it is to use io before actually play with it. [ said Justin Holmgren, June 22, 2015, sunny ] 54
55 Starting point: Canetti-Holmgren s selective secure scheme. High-level idea of the Canetti-Holmgren construction: Garble the CPU-step circuit, encrypt and authenticate the intermediate states, memories. Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure 55
56 Starting point: Canetti-Holmgren s selective secure scheme. High-level idea of the Canetti-Holmgren construction: Garble the CPU-step circuit, encrypt and authenticate the intermediate states, memories. Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure Indistinguishable as long as transc = (q, op) are the same. [KLW-technique] 56
57 Starting point: Canetti-Holmgren s selective secure scheme. High-level idea of the Canetti-Holmgren construction: Garble the CPU-step circuit, encrypt and authenticate the intermediate states, memories. Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure Indistinguishable as long as transc = (q, op) are the same. [KLW-technique] q can be different [encrypt the state] 57
58 Starting point: Canetti-Holmgren s selective secure scheme. High-level idea of the Canetti-Holmgren construction: Garble the CPU-step circuit, encrypt and authenticate the intermediate states, memories. Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure Indistinguishable as long as transc = (q, op) are the same. [KLW-technique] q can be different [encrypt the state] Memory content can be different [encrypt the data] 58
59 Starting point: Canetti-Holmgren s selective secure scheme. High-level idea of the Canetti-Holmgren construction: Garble the CPU-step circuit, encrypt and authenticate the intermediate states, memories. Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure Indistinguishable as long as transc = (q, op) are the same. [KLW-technique] q can be different [encrypt the state] Memory content can be different [encrypt the data] Hide access pattern. [oram] 59
60 Starting point: Canetti-Holmgren s selective secure scheme. High-level idea of the Canetti-Holmgren construction: Garble the CPU-step circuit, encrypt and authenticate the intermediate states, memories. Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure Indistinguishable as long as transc = (q, op) are the same. [KLW-technique] q can be different [encrypt the state] Memory content can be different [encrypt the data] Hide access pattern. [oram] 60
61 Canetti-Holmgren (ITCS16) 61
62 Canetti-Holmgren (ITCS16) + Zoom-in the core step: 62
63 Canetti-Holmgren (ITCS16) + Zoom-in the core step: Koppula-Lewko-Waters (STOC15) (io-friendly) Iterator (io-friendly) Accumulator (io-friendly) Splittable signature 63
64 Canetti-Holmgren (ITCS16) + Zoom-in the core step: Koppula-Lewko-Waters (STOC15) (io-friendly) Iterator (io-friendly) Accumulator (io-friendly) Splittable signature Accumulator io-friendly Merkle-tree What is written in eprint 2015/
65 Canetti-Holmgren (ITCS16) + Zoom-in the core step: G(D0) in iti ali ze Koppula-Lewko-Waters (STOC15) (io-friendly) Iterator (io-friendly) Accumulator (io-friendly) Splittable signature Accumulator io-friendly Merkle-tree What is written in eprint 2015/
66 Canetti-Holmgren (ITCS16) + Zoom-in the core step: Koppula-Lewko-Waters (STOC15) (io-friendly) Iterator (io-friendly) Accumulator (io-friendly) Splittable signature in iti ali ze G(D0) Accumulator io-friendly Merkle-tree te Authentica G(Pi+1) key What is written in eprint 2015/
67 Canetti-Holmgren (ITCS16) + Zoom-in the core step: Koppula-Lewko-Waters (STOC15) (io-friendly) Iterator (io-friendly) Accumulator (io-friendly) Splittable signature in iti ali ze G(D0) Accumulator io-friendly Merkle-tree te G(Pi+1) Authentica key upda te G(Di+1) What is written in eprint 2015/
68 Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator 68
69 Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree. #Merkletree 69
70 Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree. #Merkletree 70
71 Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree. #Merkletree 71
72 Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree. #Merkletree 72
73 y* Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree. - Enforcement (io-friendly property): there s only one preimage x* of the current root value y*. x* #Merkletree 73
74 y* Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree. - Enforcement (io-friendly property): there s only one preimage x* of the current root value y*. Impossible information theoretically. x* #Merkletree 74
75 y* Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree. - Enforcement (io-friendly property): there s only one preimage x* of the current root value y*. Impossible information theoretically. x* KLW s computational enforcement: Normal.Gen( )->H Enforce.Gen( x*, y*)->h*, H H* #Merkletree 75
76 y* Canetti-Holmgren (ITCS16) + Zoom-in the core step: ++ Zoom-in the accumulator Properties needed for the Accumulator - Normal property like a Merkle-tree. - Enforcement (io-friendly property): there s only one preimage x* of the current root value y*. Impossible information theoretically. x* KLW s computational enforcement: Normal.Gen( )->H Enforce.Gen( x*, y*)->h*, H H* #Merkletree Alternatively: SSB hashing => [Ananth-Chen-Chung-Lin-Lin] 76
77 Selective Enforcing Adaptive Enforcing 77
78 Selective Enforcing Adaptive Enforcing x* <= Adversary 78
79 Selective Enforcing Adaptive Enforcing x* <= Adversary Gen( ) => H Enforcing(x*, y*) => H* 79
80 Selective Enforcing x* <= Adversary Adaptive Enforcing Gen( ) => H Gen( ) => H Enforcing(x*, y*) => H* 80
81 Selective Enforcing x* <= Adversary Gen( ) => H Adaptive Enforcing Gen( ) => H x* <= Adversary(H) Enforcing(x*, y*) => H* 81
82 Selective Enforcing x* <= Adversary Gen( ) => H Enforcing(x*, y*) => H* Adaptive Enforcing Gen( ) => H x* <= Adversary(H) Enforcing(x*, y*) => H* 82
83 Selective Enforcing x* <= Adversary Gen( ) => H Enforcing(x*, y*) => H* Adaptive Enforcing Gen( ) => H x* <= Adversary(H) Enforcing(x*, y*) => H* ( wait, what?) 83
84 #Mindblowing 84
85 Fact I Can separate the key 85
86 key = hk + vk in iti ali ze G(D0) Accumulator io-friendly Merkle-tree te G(Pi+1) Authentica key upda te G(Di+1) What is written in eprint 2015/
87 key = hk + vk G(D0) in iti ali ze hk Accumulator io-friendly Merkle-tree te G(Pi+1) Authentica vk key upda te hk G(Di+1) What is written in eprint 2015/
88 Adaptive Enforcing hk 88
89 Adaptive Enforcing hk x* <= Adversary( hk ) 89
90 Adaptive Enforcing hk x* <= Adversary( hk ) vk vk*(x*) 90
91 Fact II If you believe dio... 91
92 key = hk + vk Adaptive Enforcing 92
93 key = hk + Adaptive Enforcing vk hk always_hk_gen( ) -> hk := CRHF key h 93
94 key = hk + Adaptive Enforcing vk hk x* <= Adversary(H) always_hk_gen( ) -> hk := CRHF key h 94
95 key = hk + Adaptive Enforcing vk hk x* <= Adversary(H) vk always_hk_gen( ) -> hk := CRHF key h normal_vk_gen( ) -> vk vk(x,y) = dio( if h(x)=y, output 1; else: output 0 ) 95
96 key = hk + Adaptive Enforcing vk hk x* <= Adversary(H) vk always_hk_gen( vk*(x*) ) -> hk := CRHF key h normal_vk_gen( ) -> vk vk(x,y) = dio( if h(x)=y, output 1; else: output 0 ) enforce_vk_gen( x*, y* ) -> vk* vk*(x,y) = dio( if y!=y* and h(x)=y, output 1; Elseif y=y* and x=x*, output 1; Else: output 0 ) 96
97 Fact III: If you don t believe dio, can still do this with io. 97
98 From io + preimage-bounded CRHF: c-to-1 CRHF can be constructed from discrete-log or factoring 98
99 From io + preimage-bounded CRHF: c-to-1 CRHF can be constructed from discrete-log or factoring enforce_vk( x*, y* ) -> vk* vk*(x,y) = dio( if y!=y* and h(x)=y, output 1; Elseif y=y* and x=x*, output 1; Else: output 0 ) 99
100 From io + preimage-bounded CRHF: c-to-1 CRHF can be constructed from discrete-log or factoring enforce_vk( x*, y* ) -> vk* vk*(x,y) = dio( if y!=y* and h(x)=y, output 1; Elseif y=y* and x=x*, output 1; Else: output 0 ) By dio-io equivalence lemma [ Boyle-Chung-Pass 14 ]: If f1 and f2 differ only on polynomially many input-output values, and they are hard to find, then io(f1) io(f2) 100
101 From io + preimage-bounded CRHF: c-to-1 CRHF can be constructed from discrete-log or factoring enforce_vk( x*, y* ) -> vk* vk*(x,y) = dio( if y!=y* and h(x)=y, output 1; Elseif y=y* and x=x*, output 1; Else: output 0 ) From shrinking 1 bit to length-halving: Merkle-Damgaard. 101
102 Fact IV: Adaptive Enforceable Accumulator done 102
103 Rest of the upgrades: Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure Indistinguishable as long as transc = (q, op) are the same. [KLW-technique. Assume io] q can be different [encrypt the state] Memory content can be different [encrypt the data] Hide access pattern. [oram] 103
104 Rest of the upgrades: Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure Indistinguishable as long as transc = (q, op) are the same. [KLW-technique. Assume io] q can be different [encrypt the state] Memory content can be different [encrypt the data] Hide access pattern. [oram] + adaptively enforceable accumulator [ from io+dlog or factoring ] 104
105 Rest of the upgrades: Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure Indistinguishable as long as transc = (q, op) are the same. [KLW-technique. Assume io] q can be different [encrypt the state] Memory content can be different [encrypt the data] Hide access pattern. [oram] + adaptively enforceable accumulator [ from io+dlog or factoring ] Need a special property of the ORAM Strong local randomness, satisfied by Chung-Pass ORAM. With this property, can guess polynomially many addresses. 105
106 Rest of the upgrades: Canetti-Holmgren scheme details: Fixed-transcript => Fixed-access => Fixed-address => Fully secure Indistinguishable as long as transc = (q, op) are the same. [KLW-technique. Assume io] q can be different [encrypt the state] Memory content can be different [encrypt the data] Hide access pattern. [oram] + adaptively enforceable accumulator [ from io+dlog or factoring ] SS [H B ha [O ubac sh PW ek W -W ] ich Need a special property of the ORAM Strong local randomness, satisfied by Chung-Pass ORAM. With this property, can guess polynomially many addresses. s] [Ananth-Chen-Chung-Lin-Lin, eprint 2015/1082] can be viewed as accomplishing this for all the steps. 106
107 Summary Adaptively secure garbled RAM with persistent memory. Everything is succinct. Upgrading to delegation with verifiability is almost for free. Reusability is natural. New io-friendly tool: adaptively-enforceable accumulator (from io+preimage-bounded-crhf) 107
108 Scenes 108
109 109
110 > sudo apt-get install GRAM_Canetti_Holmgren 110
111 > sudo apt-get install GRAM_Canetti_Holmgren package indistinguishability_obfuscation not an accepted assumption, security at user s own risk, continue (y) or not (n) 111
112 > sudo apt-get install GRAM_Canetti_Holmgren package indistinguishability_obfuscation not an accepted assumption, security at user s own risk, continue (y) or not (n) y 112
113 > sudo apt-get install GRAM_Canetti_Holmgren package indistinguishability_obfuscation not an accepted assumption, security at user s own risk, continue (y) or not (n) y > upgrade GRAM_CCHR Done 113
114 > sudo apt-get install GRAM_Canetti_Holmgren package indistinguishability_obfuscation not an accepted assumption, security at user s own risk, continue (y) or not (n) y > upgrade GRAM_CCHR Done > NSAcloud: GRAM_CCHR_Factoring RSA
115 > sudo apt-get install GRAM_Canetti_Holmgren package indistinguishability_obfuscation not an accepted assumption, security at user s own risk, continue (y) or not (n) y > upgrade GRAM_CCHR Done > NSAcloud: GRAM_CCHR_Factoring RSA2048 Running time 1.0s = x Next question 115
Yilei Chen Craig Gentry Shai 2017
e t a d i d n a c f s o r s o e t s a y c l s a u n f a b t o p y m r a C r g o r p g n i h c n a br Yilei Chen Craig Gentry Shai Halevi @Eurocrypt 07 976, Diffie, Hellman: We stand today on the brink
More informationFully Succinct Garbled RAM
Fully Succinct Garbled RAM Ran Canetti Tel-Aviv University and Boston University canetti@bu.edu Justin Holmgren MIT holmgren@csail.mit.edu ABSTRACT We construct the first fully succinct garbling scheme
More informationCrypto for PRAM from io (via Succinct Garbled PRAM)
Crypto for PRAM from io (via Succinct Garbled PRAM) Kai-Min Chung Academia Sinica, Taiwan Joint work with: Yu-Chi Chen, Sherman S.M. Chow, Russell W.F. Lai, Wei-Kai Lin, Hong-Sheng Zhou Computation in
More informationTools for Computing on Encrypted Data
Tools for Computing on Encrypted Data Scribe: Pratyush Mishra September 29, 2015 1 Introduction Usually when analyzing computation of encrypted data, we would like to have three properties: 1. Security:
More informationOn the Implausibility of Differing-Inputs Obfuscation and Extractable Witness Encryption with Auxiliary Input
On the Implausibility of Differing-Inputs Obfuscation and Extractable Witness Encryption with Auxiliary Input Sanjam Garg 1, Craig Gentry 1, Shai Halevi 1, and Daniel Wichs 2 1 IBM Research, T.J. Watson.
More informationCryptography with Updates
Cryptography with Updates Slides and research in collaboration with: Prabhanjan Ananth UCLA Aloni Cohen MIT Abhishek Jain JHU Garbled Circuits C Offline: slow Online: fast x C(x) Garbled Circuits C Offline:
More informationFunctional Encryption and its Impact on Cryptography
Functional Encryption and its Impact on Cryptography Hoeteck Wee ENS, Paris, France Abstract. Functional encryption is a novel paradigm for public-key encryption that enables both fine-grained access control
More informationConstraint hiding constrained PRF for NC1 from LWE. Ran Canetti, Yilei Chen, # Eurocrypt 2017 special edition
Constraint hiding constrained PRF for NC1 from LWE Ran Canetti, Yilei Chen, # Eurocrypt 2017 special edition 1 2 Puncture! 3 4 Puncturable/constrained PRF [Boneh, Waters 13, Kiayias, Papadopoulos, Triandopoulos,
More informationSomewhat Homomorphic Encryption
Somewhat Homomorphic Encryption Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Part 1: Homomorphic Encryption: Background, Applications, Limitations Computing
More informationCryptography for Parallel RAM via Indistinguishability Obfuscation
Cryptography for Parallel RM via Indistinguishability Obfuscation Yu-Chi Chen Sherman S. M. Chow Kai-Min Chung Russell W. F. Lai Wei-Kai Lin Hong-Sheng Zhou ugust 22, 2015 bstract Since many cryptographic
More informationOn Virtual Grey Box Obfuscation for General Circuits
On Virtual Grey Box Obfuscation for General Circuits Nir Bitansky 1, Ran Canetti 1,2, Yael Tauman Kalai 3, and Omer Paneth 2 1 Tel Aviv University, Tel Aviv, Israel 2 Boston University, Boston, U.S.A.
More informationNotes for Lecture 14
COS 533: Advanced Cryptography Lecture 14 (November 6, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Fermi Ma Notes for Lecture 14 1 Applications of Pairings 1.1 Recap Consider a bilinear e
More informationOn Obfuscation with Random Oracles
On Obfuscation with Random Oracles Ran Canetti Yael Tauman Kalai Omer Paneth January 20, 2015 Abstract Assuming trapdoor permutations, we show that there eist function families that cannot be VBBobfuscated
More informationBetter 2-round adaptive MPC
Better 2-round adaptive MPC Ran Canetti, Oxana Poburinnaya TAU and BU BU Adaptive Security of MPC Adaptive corruptions: adversary adversary can decide can decide who to who corrupt to corrupt adaptively
More informationObfuscation (IND-CPA Security Circular Security)
Obfuscation (IND-CPA Security Circular Security) Antonio Marcedone 1, and Claudio Orlandi 2 1 Scuola Superiore di Catania, University of Catania, Italy, amarcedone@cs.au.dk 2 Aarhus University, Denmark,
More informationIndistinguishability Obfuscation with Non-trivial Efficiency
Indistinguishability Obfuscation with Non-trivial Efficiency Huijia Lin Rafael Pass Karn Seth Sidharth Telang January 4, 2016 Abstract It is well known that inefficient indistinguishability obfuscators
More informationThe Magic of ELFs. Mark Zhandry Princeton University (Work done while at MIT)
The Magic of ELFs Mark Zhandry Princeton University (Work done while at MIT) Prove this secure: Enc(m) = ( TDP(r), H(r) m ) (CPA security, many- bit messages, arbitrary TDP) Random Oracles Random Oracle
More informationFunctional Encryption from (Small) Hardware Tokens
Functional Encryption from (Small) Hardware Tokens Kai-Min Chung 1, Jonathan Katz 2, and Hong-Sheng Zhou 3 1 Academia Sinica kmchung@iis.sinica.edu.tw 2 University of Maryland jkatz@cs.umd.edu 3 Virginia
More informationImproved Delegation Of Computation Using Somewhat Homomorphic Encryption To Reduce Storage Space
Improved Delegation Of Computation Using Somewhat Homomorphic Encryption To Reduce Storage Space Dhivya.S (PG Scholar) M.E Computer Science and Engineering Institute of Road and Transport Technology Erode,
More informationFunctional Encryption from (Small) Hardware Tokens
Functional Encryption from (Small) Hardware Tokens Kai-Min Chung 1, Jonathan Katz 2, and Hong-Sheng Zhou 3 1 Academia Sinica, kmchung@iis.sinica.edu.tw 2 University of Maryland, jkatz@cs.umd.edu 3 Virginia
More informationUpdatable Functional Encryption
Updatable Functional Encryption Afonso Arriaga 1, Vincenzo Iovino 1, and Qiang Tang 1 SnT, University of Luxembourg, Luxembourg City, Luxembourg afonso.delerue@uni.lu, vincenzo.iovino@uni.lu, tonyrhul@gmail.com
More informationProgram Obfuscation with Leaky Hardware
Program Obfuscation with Leaky Hardware The MIT Faculty has made this article openly available. Please share how this access benefits you. Your story matters. Citation As Published Publisher Bitansky,
More informationGarbled Circuits via Structured Encryption Seny Kamara Microsoft Research Lei Wei University of North Carolina
Garbled Circuits via Structured Encryption Seny Kamara Microsoft Research Lei Wei University of North Carolina Garbled Circuits Fundamental cryptographic primitive Possess many useful properties Homomorphic
More informationHow to Delegate and Verify in Public: Verifiable Computation from Attribute-based Encryption
How to Delegate and Verify in Public: Verifiable Computation from Attribute-based Encryption Bryan Parno 1, Mariana Raykova 2, and Vinod Vaikuntanathan 3 1 Microsoft Research 2 Columbia University 3 University
More informationPROGRAM obfuscation is the process of making it unintelligible
INTL JOURNAL OF ELECTRONICS AND TELECOMMUNICATIONS, 2018, VOL. 64, NO. 2, PP. 173 178 Manuscript received January 24, 2018; revised March, 2018. DOI: 10.24425/119366 Block Cipher Based Public Key Encryption
More informationResearch Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel.
Research Statement Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel. lindell@cs.biu.ac.il www.cs.biu.ac.il/ lindell July 11, 2005 The main focus of my research is the theoretical foundations
More informationClient-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity
Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity Ran Canetti 1, Abhishek Jain 2, and Omer Paneth 3 1 Boston University and Tel-Aviv University, canetti@bu.edu 2 Boston
More informationA Punctured Programming Approach to Adaptively Secure Functional Encryption
A Punctured Programming Approach to Adaptively Secure Functional Encryption Brent Waters University of Texas at Austin bwaters@cs.utexas.edu Abstract We propose the first construction for achieving adaptively
More informationIncremental Program Obfuscation
Incremental Program Obfuscation Sanjam Garg University of California, Berkeley Omkant Pandey Stony Brook University, New York Abstract Recent advances in program obfuscation suggest that it is possible
More informationSecure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)
Secure Multiparty Computation: Introduction Ran Cohen (Tel Aviv University) Scenario 1: Private Dating Alice and Bob meet at a pub If both of them want to date together they will find out If Alice doesn
More informationCryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015
Cryptographic Hash Functions Rocky K. C. Chang, February 5, 2015 1 This set of slides addresses 2 Outline Cryptographic hash functions Unkeyed and keyed hash functions Security of cryptographic hash functions
More informationLecture 10, Zero Knowledge Proofs, Secure Computation
CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last
More informationObfuscation Omer Paneth
Obfuscation Omer Paneth What does it do? #include void primes(int cap) { int i, j, composite; for(i = 2; i < cap; ++i) { composite = 0; for(j = 2; j * j
More informationSemi-Adaptive Security and Bundling Functionalities Made Generic and Easy
Semi-Adaptive Security and Bundling Functionalities Made Generic and Easy Rishab Goyal rgoyal@cs.utexas.edu Venkata Koppula kvenkata@cs.utexas.edu Brent Waters bwaters@cs.utexas.edu Abstract Semi-adaptive
More informationNotes for Lecture 5. 2 Non-interactive vs. Interactive Key Exchange
COS 597C: Recent Developments in Program Obfuscation Lecture 5 (9/29/16) Lecturer: Mark Zhandry Princeton University Scribe: Fermi Ma Notes for Lecture 5 1 Last Time Last time, we saw that we can get public
More informationStructured Encryption and Controlled Disclosure
Structured Encryption and Controlled Disclosure Melissa Chase Seny Kamara Microsoft Research Cloud Storage Security for Cloud Storage o Main concern: will my data be safe? o it will be encrypted o it will
More informationHow to (not) Share a Password:
How to (not) Share a Password: Privacy preserving protocols for finding heavy hitters with adversarial behavior Moni Naor Benny Pinkas Eyal Ronen Passwords First modern use in MIT's CTSS (1961) Passwords
More informationAttribute-Based Fully Homomorphic Encryption with a Bounded Number of Inputs
Attribute-Based Fully Homomorphic Encryption with a Bounded Number of Inputs Michael Clear and Ciarán McGoldrick School of Computer Science and Statistics, Trinity College Dublin {clearm, Ciaran.McGoldrick}@scss.tcd.ie
More informationLecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422
Lecture 18 Message Integrity Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422 Cryptography is the study/practice of techniques for secure communication,
More informationHashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5
Hashes, MACs & Passwords Tom Chothia Computer Security Lecture 5 Today s Lecture Hashes and Message Authentication Codes Properties of Hashes and MACs CBC-MAC, MAC -> HASH (slow), SHA1, SHA2, SHA3 HASH
More informationFunction-Private Functional Encryption in the Private-Key Setting
Function-Private Functional Encryption in the Private-Key Setting Zvika Brakerski 1 and Gil Segev 2 1 Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot 76100,
More informationPractical Implementations of Program Obfuscators for Point Functions
Practical Implementations of Program Obfuscators for Point Functions Giovanni Di Crescenzo Lisa Bahler, Brian Coan Applied Communication Sciences Basking Ridge, NJ, 07920, USA Email: gdicrescenzo@appcomsci.com
More informationAlgorithms (III) Yijia Chen Shanghai Jiaotong University
Algorithms (III) Yijia Chen Shanghai Jiaotong University Review of the Previous Lecture Factoring: Given a number N, express it as a product of its prime factors. Many security protocols are based on the
More informationDigital Signatures. Luke Anderson. 7 th April University Of Sydney.
Digital Signatures Luke Anderson luke@lukeanderson.com.au 7 th April 2017 University Of Sydney Overview 1. Digital Signatures 1.1 Background 1.2 Basic Operation 1.3 Attack Models Replay Naïve RSA 2. PKCS#1
More informationAlgorithms (III) Yijia Chen Shanghai Jiaotong University
Algorithms (III) Yijia Chen Shanghai Jiaotong University Review of the Previous Lecture Factoring: Given a number N, express it as a product of its prime factors. Many security protocols are based on the
More informationMultiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation
Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation Dan Boneh and Mark Zhandry Stanford University {dabo,zhandry}@cs.stanford.edu Abstract. In this work,
More informationIdentification Schemes
Identification Schemes Lecture Outline Identification schemes passwords one-time passwords challenge-response zero knowledge proof protocols Authentication Data source authentication (message authentication):
More informationENEE 459-C Computer Security. Message authentication
ENEE 459-C Computer Security Message authentication Data Integrity and Source Authentication Encryption does not protect data from modification by another party. Why? Need a way to ensure that data arrives
More informationLectures 6+7: Zero-Leakage Solutions
Lectures 6+7: Zero-Leakage Solutions Contents 1 Overview 1 2 Oblivious RAM 1 3 Oblivious RAM via FHE 2 4 Oblivious RAM via Symmetric Encryption 4 4.1 Setup........................................ 5 4.2
More information1 A Tale of Two Lovers
CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Dec. 12, 2006 Lecture Notes 19 (expanded): Secure Two-Party Computation Recommended Reading. Goldreich Volume II 7.2.2, 7.3.2, 7.3.3.
More informationCSC 5930/9010 Modern Cryptography: Public-Key Infrastructure
CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure Professor Henry Carter Fall 2018 Recap Digital signatures provide message authenticity and integrity in the public-key setting As well as public
More informationHomework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING
UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING ENEE 457 Computer Systems Security Instructor: Charalampos Papamanthou Homework 2 Out: 09/23/16 Due: 09/30/16 11:59pm Instructions
More informationRSA. Public Key CryptoSystem
RSA Public Key CryptoSystem DIFFIE AND HELLMAN (76) NEW DIRECTIONS IN CRYPTOGRAPHY Split the Bob s secret key K to two parts: K E, to be used for encrypting messages to Bob. K D, to be used for decrypting
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 6 Week of March 6, 2017 Question 1 Password Hashing (10 min) When storing a password p for user u, a website randomly generates a string s (called
More informationTwo-round Secure MPC from Indistinguishability Obfuscation
Two-round Secure MPC from Indistinguishability Obfuscation Sanjam Garg 1, Craig Gentry 1, Shai Halevi 1, and Mariana Raykova 2 1 IBM T. J. Watson 2 SRI International Abstract. One fundamental complexity
More informationSearchable Encryption Using ORAM. Benny Pinkas
Searchable Encryption Using ORAM Benny Pinkas 1 Desiderata for Searchable Encryption Security No leakage about the query or the results Functionality Variety of queries that are supported Performance 2
More informationAlgorithms (III) Yu Yu. Shanghai Jiaotong University
Algorithms (III) Yu Yu Shanghai Jiaotong University Review of the Previous Lecture Factoring: Given a number N, express it as a product of its prime factors. Many security protocols are based on the assumed
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary Introduction Stream & Block Ciphers Block Ciphers Modes (ECB,CBC,OFB) Advanced Encryption Standard (AES) Message Authentication
More informationMore crypto and security
More crypto and security CSE 199, Projects/Research Individual enrollment Projects / research, individual or small group Implementation or theoretical Weekly one-on-one meetings, no lectures Course grade
More informationAn Overview of Secure Multiparty Computation
An Overview of Secure Multiparty Computation T. E. Bjørstad The Selmer Center Department of Informatics University of Bergen Norway Prøveforelesning for PhD-graden 2010-02-11 Outline Background 1 Background
More informationCryptography. and Network Security. Lecture 0. Manoj Prabhakaran. IIT Bombay
Cryptography and Network Security Lecture 0 Manoj Prabhakaran IIT Bombay Security In this course: Cryptography as used in network security Humans, Societies, The World Network Hardware OS Libraries Programs
More informationLeakage-Resilient Zero Knowledge
Leakage-Resilient Zero Knowledge Sanjam Garg, Abhishek Jain, and Amit Sahai UCLA {sanjamg,abhishek,sahai}@cs.ucla.edu Abstract. In this paper, we initiate a study of zero knowledge proof systems in the
More informationRe-encryption, functional re-encryption, and multi-hop re-encryption: A framework for achieving obfuscation-based security
Re-encryption, functional re-encryption, and multi-hop re-encryption: A framework for achieving obfuscation-based security and instantiations from lattices Nishanth Chandran 1, Melissa Chase 1, Feng-Hao
More informationImplementing Resettable UC-functionalities with Untrusted Tamper-proof Hardware-Tokens
Implementing Resettable UC-functionalities with Untrusted Tamper-proof Hardware-Tokens Nico Döttling, Thilo Mie, Jörn Müller-Quade, and Tobias Nilges Karlsruhe Institute of Technology, Karlsruhe, Germany
More informationLecture 1: Course Introduction
Lecture 1: Course Introduction Thomas Johansson T. Johansson (Lund University) 1 / 37 Chapter 9: Symmetric Key Distribution To understand the problems associated with managing and distributing secret keys.
More informationPaper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage
1 Announcements Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage 2 Recap and Overview Previous lecture: Symmetric key
More informationAttribute-Based Encryption. Allison Lewko, Microsoft Research
Attribute-Based Encryption Allison Lewko, Microsoft Research The Cast of Characters This talk will feature work by: Brent Waters Amit Sahai Vipul Goyal Omkant Pandey With special guest appearances by:
More informationSHE AND FHE. Hammad Mushtaq ENEE759L March 10, 2014
SHE AND FHE Hammad Mushtaq ENEE759L March 10, 2014 Outline Introduction Needs Analogy Somewhat Homomorphic Encryption (SHE) RSA, EL GAMAL (MULT) Pallier (XOR and ADD) Fully Homomorphic Encryption (FHE)
More informationResettably Sound Zero-Knoweldge Arguments from OWFs - the (semi) Black-Box way
Resettably Sound Zero-Knoweldge Arguments from OWFs - the (semi) Black-Box way Rafail Ostrovsky 1 and Alessandra Scafuro 2 Muthuramakrishnan Venkitasubramanian 3 1 UCLA, USA 2 Boston University and Northeastern
More informationCryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu
More informationLecture 22 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)
Lecture 22 - Oblivious Transfer (OT) and Private Information Retrieval (PIR) Boaz Barak December 8, 2005 Oblivious Transfer We are thinking of the following situation: we have a server and a client (or
More informationCryptography. Summer Term 2010
Summer Term 2010 Chapter 2: Hash Functions Contents Definition and basic properties Basic design principles and SHA-1 The SHA-3 competition 2 Contents Definition and basic properties Basic design principles
More informationCOMS W4995 Introduction to Cryptography November 13, Lecture 21: Multiple Use Signature Schemes
COMS W4995 Introduction to Cryptography November 13, 2003 Lecture 21: Multiple Use Signature Schemes Lecturer: Tal Malkin Scribes: M. Niccolai, M. Raibert Summary In this lecture, we use the one time secure
More informationApplication to More Efficient Obfuscation
Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Program Obfuscation [BGIRSVY01, GGHRSW13] Indistinguishability obfuscation (io)
More informationFrom Stateful Hardware to Resettable Hardware Using Symmetric Assumptions
A conference version of this paper appeared at ProvSec 2015 [DKMN15a]. This is the full version. From Stateful Hardware to Resettable Hardware Using Symmetric Assumptions Nico Döttling 121, Daniel Kraschewski
More informationResearch Statement. Computational Assumptions in Cryptography. Mohammad Mahmoody (August 2018)
Research Statement Mohammad Mahmoody (August 2018) My research is focused on foundations of cryptography, which is the the science of designing provably secure protocols based computationally intractable
More informationSeparating IND-CPA and Circular Security for Unbounded Length Key Cycles
Separating IND-CPA and Circular Security for Unbounded Length Key Cycles Rishab Goyal Venkata Koppula Brent Waters Abstract A public key encryption scheme is said to be n-circular secure if no PPT adversary
More informationSFU CMPT Lecture: Week 8
SFU CMPT-307 2008-2 1 Lecture: Week 8 SFU CMPT-307 2008-2 Lecture: Week 8 Ján Maňuch E-mail: jmanuch@sfu.ca Lecture on June 24, 2008, 5.30pm-8.20pm SFU CMPT-307 2008-2 2 Lecture: Week 8 Universal hashing
More informationInformation Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1
Information Security message M one-way hash fingerprint f = H(M) 4/19/2006 Information Security 1 Outline and Reading Digital signatures Definition RSA signature and verification One-way hash functions
More informationDetectable Byzantine Agreement Secure Against Faulty Majorities
Detectable Byzantine Agreement Secure Against Faulty Majorities Matthias Fitzi, ETH Zürich Daniel Gottesman, UC Berkeley Martin Hirt, ETH Zürich Thomas Holenstein, ETH Zürich Adam Smith, MIT (currently
More informationfrom circuits to RAM programs in malicious-2pc
from circuits to RAM programs in malicious-2pc Abstract: Secure 2-party computation (2PC) is becoming practical in some domains However, most approaches are limited by the fact that the desired functionality
More informationPassword. authentication through passwords
Password authentication through passwords Human beings Short keys; possibly used to generate longer keys Dictionary attack: adversary tries more common keys (easy with a large set of users) Trojan horse
More informationCryptographic Hash Functions
ECE458 Winter 2013 Cryptographic Hash Functions Dan Boneh (Mods by Vijay Ganesh) Previous Lectures: What we have covered so far in cryptography! One-time Pad! Definition of perfect security! Block and
More informationPinocchio: Nearly Practical Verifiable Computation. Bryan Pano, Jon Howell, Craig Gentry, Mariana Raykova
Pinocchio: Nearly Practical Verifiable Computation Bryan Pano, Jon Howell, Craig Gentry, Mariana Raykova Presentated by Phd@ECE,UMD Hui Zhang wayne.huizhang@gmail.com Introduction Outsourcing complex computation
More informationData Integrity. Modified by: Dr. Ramzi Saifan
Data Integrity Modified by: Dr. Ramzi Saifan Encryption/Decryption Provides message confidentiality. Does it provide message authentication? 2 Message Authentication Bob receives a message m from Alice,
More informationSecure Multiparty RAM Computation in Constant Rounds,
Secure Multiparty RAM Computation in Constant Rounds, Sanjam Garg 1, Divya Gupta 1, Peihan Miao 1, and Omkant Pandey 2 1 University of California, Berkeley {sanjamg,divyagupta2016,peihan}@berkeley.edu
More informationData Integrity & Authentication. Message Authentication Codes (MACs)
Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (receiver) Fran
More informationHow to (not) Share a Password:
How to (not) Share a Password: Privacy preserving protocols for finding heavy hitters with adversarial behavior Moni Naor Benny Pinkas Eyal Ronen Passwords First modern use in MIT's CTSS (1961) Passwords
More informationAttribute-based encryption with encryption and decryption outsourcing
Edith Cowan University Research Online Australian Information Security Management Conference Conferences, Symposia and Campus Events 2014 Attribute-based encryption with encryption and decryption outsourcing
More informationLecture 3 Algorithms with numbers (cont.)
Advanced Algorithms Floriano Zini Free University of Bozen-Bolzano Faculty of Computer Science Academic Year 2013-2014 Lecture 3 Algorithms with numbers (cont.) 1 Modular arithmetic For cryptography it
More informationSecure digital certificates with a blockchain protocol
Secure digital certificates with a blockchain protocol Federico Pintore 1 Trento, 10 th February 2017 1 University of Trento Federico Pintore Blockchain and innovative applications Trento, 10 th February
More informationCS 395T. Formal Model for Secure Key Exchange
CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,
More informationIntroduction to Cryptography Lecture 7
Introduction to Cryptography Lecture 7 Public-Key Encryption: El-Gamal, RSA Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing
More informationFunction-Private Identity-Based Encryption: Hiding the Function in Functional Encryption
Function-Private Identity-Based Encryption: Hiding the Function in Functional Encryption Dan Boneh, Ananth Raghunathan, and Gil Segev Computer Science Department Stanford University, Stanford, CA 94305.
More informationVlad Kolesnikov Bell Labs
Vlad Kolesnikov Bell Labs DIMACS/Northeast Big Data Hub Workshop on Privacy and Security for Big Data Apr 25, 2017 You are near Starbucks; here is a special Legislation may require user consent each time
More informationDigital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2
Digital Signatures KG November 3, 2017 Contents 1 Introduction 1 2 Digital Signatures 2 3 Hash Functions 3 3.1 Attacks.................................... 4 3.2 Compression Functions............................
More informationFrom Selective to Adaptive Security in Functional Encryption
From Selective to Adaptive Security in Functional Encryption Prabhanjan Ananth 1, Zvika Brakerski 2, Gil Segev 3, and Vinod Vaikuntanathan 4 1 University of California, Los Angeles, USA. 2 Weizmann Institute
More informationRobust Combiner for Obfuscators
Robust Combiner for Obfuscators Amir Herzberg and Haya Shulman Bar Ilan University Department of Computer Science Ramat Gan, 52900, Israel Abstract. Practical software hardening schemes are heuristic and
More informationCryptographic Agents: Towards a Unified Theory of Computing on Encrypted Data
Cryptographic Agents: Towards a Unified Theory of Computing on Encrypted Data Shashank Agrawal 1, Shweta Agrawal 2, and Manoj Prabhakaran 1 University of Illinois Urbana-Champaign {sagrawl2,mmp}@illinois.edu
More informationAdvanced Topics in Cryptography
Advanced Topics in Cryptography Lecture 9: Identity based encryption (IBE), Cocks scheme. Benny Pinkas page 1 1 Related papers Lecture notes from MIT http://crypto.csail.mit.edu/classes/6.876/lecture-notes.html
More information