VERIFIABLE SEARCHABLE SYMMETRIC ENCRYPTION


BY ZACHARY A. KISSEL
B.S. MERRIMACK COLLEGE (2005), M.S. NORTHEASTERN UNIVERSITY (2007)
SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY, COMPUTER SCIENCE, UNIVERSITY OF MASSACHUSETTS LOWELL
Dissertation Chair: Dr. Jie Wang
Dissertation Committee Members: Dr. Xinwen Fu, Dr. Tingjian Ge, Dr. Yan Luo

Abstract

ABSTRACT OF A DISSERTATION SUBMITTED TO THE FACULTY OF THE DEPARTMENT OF COMPUTER SCIENCE IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY, COMPUTER SCIENCE, UNIVERSITY OF MASSACHUSETTS LOWELL, 2013
Dissertation Supervisor: Jie Wang, Ph.D., Professor and Chair, Department of Computer Science

Cloud storage has become increasingly prevalent in recent years. It provides a convenient platform for users to store data that can be accessed from anywhere at any time without the cost of maintaining a storage infrastructure. However, cloud storage is inherently insecure, hindering general acceptance of the paradigm shift. To make use of storage services provided by a cloud, users would need to place their trust, at least implicitly, in the provider. There have been a number of attempts to alleviate the need for this trust through cryptographic methods. An immediate approach would be to encrypt each file before uploading it to the cloud. This approach calls for a new searching mechanism over encrypted data stored in the cloud. This dissertation considers a solution to this problem using Symmetric Searchable Encryption (SSE). SSE allows users to offload search queries to the cloud. The cloud is then responsible for returning the encrypted files that match the search queries (which are also encrypted). Most previous work has focused on keyword search in the Honest-but-Curious (HBC) cloud model, while some more recent work has considered searching on phrases. Recently, a new cloud model was introduced that supersedes the HBC model. This new model, called Semi-Honest but Curious (SHBC), is less restrictive over the actions a cloud can take. In this dissertation, we present three systems that are secure under this new SHBC model. Two systems provide phrase search and the other provides hierarchical access control over keyword search.

Acknowledgements

I would like to begin by thanking the person responsible most for the success of this dissertation, my advisor, Prof. Jie Wang. Prof. Wang provided me with the unique opportunity to look at the problems that interested me, providing encouragement and guidance as I progressed. I would also like to thank my committee members Professors Xinwen Fu, Tingjian Ge, and Yan Luo. Together, they provided helpful comments that improved this work. In particular, the article that became Chapter 5 was in preparation at the time of the proposal; their comments around investigating access control over searching validated the need to submit that work.

While completing the last year of my PhD studies, I was fortunate to have the opportunity to join the faculty at Merrimack College as a visiting professor. This appointment gave me a chance to branch out in all facets of academia. I am most indebted to the friendships and hallway conversations with Lisa Michaud, Vance Poteat, and Chris Stuetzle. In particular, I wish to thank Chris Stuetzle for early reviews of the material that would become Chapter 3. I would also like to thank Vance Poteat for serving as a mentor for my transition from industry to teaching this year, and for sparking my interest in networking and security many years ago.

I would like to thank my parents Dan and Deb for their continued love, support, and encouragement over all these years, specifically for demonstrating to me the most important lesson: with hard work there are no limits. To Wendy, thank you for sharing this journey with me. Thank you for all the encouragement and understanding for all the hours and late nights it took to write this dissertation.

Contents

List of Figures
1 Introduction: Applications of Searchable Encryption; Overview of Results; Dissertation Structure
2 Background: Background on Probability; Background on Cryptography; Pseudo-Random Primitives; Symmetric Encryption; Cryptographic Hash Functions; Searchable Encryption Framework; Index Data Structures; Models of Clouds and Security; Previous Work; A First Solution; Early Indexed Approaches; Improved SSE Constructions; Phrase Searching; 2.6.5 Non-HBC Systems
3 Verifiable Phrase Search: Verifiable Encrypted Phrase Search; Verifiable Keyword Search; Verified Phrase Searching; Correctness; Conclusion
4 Verifiable Phrase Search in a Single Phase: Notations; Background; Background on Next-Word Indexing; Secure Linked Lists; Basic Construction; Constructing an Encrypted Next-Word Index; An SSE Construction; Security and Efficiency; Adding Verification; Discussion of Security Guarantees; Conclusion
5 Hierarchical Access Control: Model; Key Regression; Construction of HAC-SSE and Security; Security Guarantees of HAC-SSE; Adding Revocation and Verification; 5.4.1 Security Guarantees; Conclusion
6 Conclusion: Results; Future Work
Bibliography
Biography

List of Figures

2.1 A secure linked list on the set $\{D_1, D_3, D_5, D_6\}$
An example of a phase two table based index
An example next-word index
Example arrays $A$ and $N$ for the dictionary $\{w_1, w_2, w_3\}$. The arcs represent a logical connection
An annotated trie for two dictionaries, $\{\text{cat}, \text{dog}\}$ and $\{\text{car}, \text{do}\}$
Final trie based on Figure 5.1. The value $P_h$ denotes the parent's hash value and $l$ denotes the current node's level
Modification to the BuildIndex algorithm to add verification support to the trie
The HVerify algorithm
The HRevokeUser algorithm

Chapter 1 Introduction

Imagine for the moment that Alice has a large collection of documents, $D$, that she wishes to store in a distributed storage environment owned by Bob. Bob has been known to be nosy, which means Alice must encrypt all the documents in her collection before uploading them to Bob's distributed storage environment. Assume, now, that Alice wants to read the documents in $D$ that contain a certain word or phrase. What does she do? Trivially, she could ask Bob to send her all the files, decrypt them locally, and then search for the documents that contain the information she is looking for. Retrieving all the files and then decrypting them, however, incurs a great cost in both communication and time. It would be far more efficient, for Alice, if Bob could perform the search and send only the documents that match her query. Alice's problem is known as the searchable encryption problem.

Song, Wagner, and Perrig offered the first glimpse of a solution to Alice's problem [1]. They introduced Searchable Symmetric Encryption (SSE). This SSE construction allows Alice to ask Bob to query the encrypted document collection for a specific word or phrase. Alice enables Bob to perform the search by providing him, at query time, with some special information known as a trapdoor. Bob then returns the results of the query to Alice. The guarantees they provided are that the queries remain unknown to Bob (query privacy) and that any information beyond the number of results and the size of the encrypted documents is unknown to Bob (query result privacy).

Though not its original intention, we can adapt searchable encryption to cloud storage. We assume that a collection of encrypted documents, $D$, is stored in the cloud such that a search query can be executed over all the documents in the collection. The cloud is responsible for both executing the query and returning the results. We have the added security guarantee that the cloud should be unable to learn the nature of the query. If one uses only symmetric cryptography in the solution, the problem is called the Symmetric Searchable Encryption (SSE) problem. While there do exist asymmetric forms of searchable encryption [2], we will only consider the SSE problem, for it is more efficient than asymmetric solutions to the searchable encryption problem.

1.1 Applications of Searchable Encryption

Searchable encryption over phrases can be used to support a large number of diverse applications. For example, in human resource management, one may want to look for a series of phrases that assess the performance of an employee. In medical record management, a doctor may want to retrieve all records where a certain phrase of ailments occurs, with the words next to each other. At an educational institution an instructor may want to search for student information based on phrases related to course performance. All of these applications share the common need of querying for phrases that are not necessarily known in advance.

If we also have access to a hierarchical access control mechanism on encrypted keyword search, we have even more applications. For example, a company can outsource its data to the cloud and different employees can have different access: only members of the finance department should be able to search for financial information, and only members of the engineering department should be able to search for blueprint information. In the area of parental controls, envision a search engine where one does not have to forgo query privacy for filtering of explicit content. All the applications presented share common needs: confidentiality of data, query privacy, and query result privacy. Thus, they are perfect for the application of searchable encryption.

1.2 Overview of Results

In this dissertation we provide efficient solutions to two problems in Symmetric Searchable Encryption. Both solutions exhibit the property of verifiability. By verifiability we mean that the client, in an SSE scheme, can detect if the cloud has returned incomplete or inaccurate results. Therefore, the model should allow the cloud to fabricate results that are inconsistent with the truth about the document collection. This can be achieved by considering SSE solutions under the model developed by Chai and Gong in [3]. The model is called the Semi-Honest but Curious model (SHBC). In this model, the cloud does the following: (1) honestly stores data; (2) honestly executes the search operations, or a fraction of them; (3) returns a non-zero fraction of the query results honestly; and (4) tries to learn as much information as possible. If a solution has the property of verifiability over its returned results, we say that we have a solution to the Verifiable SSE problem.

Our first result is structured around providing a verifiable phrase search mechanism. This result is based on the two-phase protocol presented in [4]. Given a phrase, $p$, the first phase finds all the documents in $D$ that contain all the words in $p$. The second phase, using the results of the first, determines which documents in $D$ contain all the words in $p$, ordered according to $p$.

Our second result, which improves on the first, presents a single-phase search protocol. This new single-phase protocol reduces both the communication complexity and the work that must be performed by the client to complete a successful search. Like our first result, the second result is also verifiable.

In a second vein, we investigate an efficient verifiable searchable encryption scheme which provides access control over keywords that appear in a document collection. The most trivial access control is creating one group of users and allowing dynamic changes to the group. This problem has a good constructive solution provided by Curtmola et al. in [5]. We demonstrate a hierarchical access control mechanism where we divide the users into numbered groups such that if a user in group $i$ has the ability to successfully search for a particular search term, then any user in any group $j > i$ can also successfully search for the same search term.

1.3 Dissertation Structure

The remainder of this dissertation is structured as follows. In Chapter 2 we discuss the cryptography, theory, and data structures needed to realize SSE. We conclude that chapter with a discussion of existing work on SSE. In Chapter 3 we present a verifiable phrase search SSE scheme. In Chapter 4 we improve the system of Chapter 3 by introducing a single-phase protocol. In Chapter 5 we present a hierarchical access control mechanism for SSE. We conclude in Chapter 6 by discussing future directions based on the results presented.

Chapter 2 Background

Song, Wagner and Perrig posed the question [1]: given an encrypted document, how does one search for a word in that document? They created a system known as Searchable Symmetric Encryption (SSE) to answer just this question. In this chapter we present all the background information necessary to understand SSE. We start by reviewing a few details from probability and cryptography. We proceed to discuss two formal models of clouds and the existing security models for SSE. We conclude by discussing the existing work in the area.

2.1 Background on Probability

In order to understand modern cryptography, one needs a firm grasp of probability theory. In this section we review the probability theory needed to understand Section 2.2. The ideas that must be understood are the notions of probability distributions, statistical distance, and computational indistinguishability.

We begin by discussing the idea of negligible functions. In cryptography we do not require that the adversary always fail, but that the adversary only succeeds with some very small non-zero probability. Formally, we call this small non-zero probability negligible, denoted by negl. This is an asymptotic notion, formally defined as follows.

Definition (Negligible Function [6]). A function $f(n)$ is called negligible if for every polynomial $\mathrm{poly}(n)$ there exists an $n_0$ such that for all $n > n_0$ we have $f(n) < \frac{1}{\mathrm{poly}(n)}$. If the bound holds, we denote $f(n)$ by $\mathrm{negl}(n)$.

We are interested in making statements about probability distributions. Define a sample space $S$ as the set of possible outcomes of some experiment and an event $A$ as a subset of $S$. A probability distribution is defined as follows:

Definition (Probability Distribution [7]). A probability distribution $\Pr(\cdot)$ on a sample space $S$ is a mapping from events of $S$ to real numbers satisfying the following axioms:
1. $\Pr(A) \ge 0$ for any event $A$.
2. $\Pr(S) = 1$.
3. $\Pr(A \cup B) = \Pr(A) + \Pr(B)$ for any two mutually exclusive events $A$ and $B$. More generally, for any (finite or countably infinite) sequence of events $A_1, A_2, \ldots$ that are pairwise mutually exclusive, $\Pr\left(\bigcup_i A_i\right) = \sum_i \Pr(A_i)$.

The notation $\Pr(A)$ also denotes the probability of event $A$. A random variable is a function $X : S \to \mathbb{R}$, where $S$ is a sample space. Given the definition of a probability distribution and the notion of a random variable, we can define the notion of a probability ensemble. A probability ensemble is a, possibly infinite, collection of probability distributions. Formally, we define it as follows:

Definition (Probability Ensemble [6]). Let $I$ be a countable set. A probability ensemble indexed by $I$ is a collection of random variables $\{X_i\}_{i \in I}$.

Several cryptographic discussions rely on the notion of one probability distribution being computationally indistinguishable from another. What this means is that one cannot construct a probabilistic polynomial-time algorithm that distinguishes one distribution from the other with more than negligible probability. Given the definition of a probability ensemble, we define computational indistinguishability formally as follows:

Definition (Computational Indistinguishability [6]). Two probability ensembles $X = \{X_n\}_{n \in \mathbb{N}}$ and $Y = \{Y_n\}_{n \in \mathbb{N}}$ are computationally indistinguishable, denoted $X \stackrel{c}{\equiv} Y$, if for every probabilistic polynomial-time distinguisher $D$ there exists a negligible function $\mathrm{negl}(n)$ such that
$$\left|\Pr(D(1^n, X_n) = 1) - \Pr(D(1^n, Y_n) = 1)\right| \le \mathrm{negl}(n),$$
where $D(1^n, X_n)$ means to choose $x$ according to distribution $X_n$ and then run $D(1^n, x)$.

2.2 Background on Cryptography

Searchable Symmetric Encryption is based on several cryptographic primitives. The necessary primitives are pseudo-random generators, pseudo-random functions, pseudo-random permutations, symmetric key encryption, and cryptographic hash functions. For discussions of these primitives please see, for example, [8, 6, 9].

Pseudo-Random Primitives

We first consider the pseudo-random generator (PRG). A pseudo-random generator is a function that takes an $n$-bit input and expands it to a longer sequence in such a way that the distribution generated by the pseudo-random generator is computationally indistinguishable from a truly random one. The precise definition follows.

Definition (Pseudo-Random Generator [6]). Let $l(\cdot)$ be a polynomial and $G$ a deterministic polynomial-time algorithm such that for any input $s \in \{0,1\}^n$, algorithm $G$ outputs a string of length $l(n)$. We say that $G$ is a pseudo-random generator if the following two conditions hold:
1. For every $n$ it holds that $l(n) > n$.
2. For any probabilistic polynomial-time distinguisher $D$, there exists a negligible function $\mathrm{negl}(n)$ such that
$$\left|\Pr(D(r) = 1) - \Pr(D(G(s)) = 1)\right| \le \mathrm{negl}(n),$$
where $r$ is chosen uniformly at random from $\{0,1\}^{l(n)}$, the seed $s$ is chosen uniformly at random from $\{0,1\}^n$, and the probabilities are taken over the random coin tosses used by $D$ and the choice of $r$ and $s$.

A stronger pseudo-random primitive comes in the form of a pseudo-random function (PRF). A pseudo-random function is a member of a family of functions where the behavior of one function, drawn randomly from the family, is computationally indistinguishable from that of a truly random function. A family of functions is a set of keyed functions $F : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^l$, where $k, n, l > 1$. If $k = n = l$ then we have a pseudo-random permutation (PRP). Formally, a pseudo-random function is defined as follows.

Definition (Pseudo-Random Function). A keyed function $F : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^l$ is pseudo-random if for any probabilistic polynomial-time distinguisher $D$, given oracle access to $F_K = F(K, \cdot)$, there exists a negligible function $\mathrm{negl}(n)$ such that
$$\left|\Pr\left(D^{F_K(\cdot)}(1^n) = 1\right) - \Pr\left(D^{f(\cdot)}(1^n) = 1\right)\right| \le \mathrm{negl}(n),$$

where $K \xleftarrow{R} \{0,1\}^k$ is chosen uniformly at random and $f$ is chosen uniformly at random from all functions that map $\{0,1\}^n$ to $\{0,1\}^l$.

If we have a family of length-preserving functions, then we get a PRP. We say a function is length preserving if $|F(k, x)| = |x| = |k|$. Formally, this is given by the following definition.

Definition (Pseudo-Random Permutation [6]). Let $F : \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$ be an efficient, length-preserving, keyed function. We say that $F$ is a pseudo-random permutation if for any probabilistic polynomial-time distinguisher $D$, there exists a negligible function $\mathrm{negl}(n)$ such that
$$\left|\Pr\left(D^{F_K(\cdot)}(1^n) = 1\right) - \Pr\left(D^{f(\cdot)}(1^n) = 1\right)\right| \le \mathrm{negl}(n),$$
where $K \xleftarrow{R} \{0,1\}^n$ is chosen uniformly at random and $f$ is chosen uniformly at random from the set of functions mapping $\{0,1\}^n$ to $\{0,1\}^n$. Notationally, $D^{f(\cdot)}(\cdot)$ means that $D$ uses $f$ as an oracle and may query $f$ a polynomial number of times.

Symmetric Encryption

Given a set $M$ known as the message space, a set $C$ known as the ciphertext space, and a set $K$ known as the key space, we define symmetric encryption as a tuple $(G, E, D)$ of probabilistic polynomial-time algorithms:

$G : 1^\lambda \to K$: The key generation algorithm takes a security parameter, $1^\lambda$, and selects a key $k \in K$.

$E : M \times K \to C$: The encryption algorithm takes a message and a key as input and outputs a string of ciphertext.

$D : C \times K \to M$: The decryption algorithm takes a string of ciphertext and a key as input and outputs the plaintext if, and only if, the ciphertext was encrypted with that key. Otherwise, $\bot$ is returned.

There is one correctness guarantee, namely, $D_k(E_k(m)) = m$ must hold for all keys $k$ and messages $m$. Notationally, we write the key used for encryption and decryption as a subscript of the function, not as an argument.

The simplest practical security guarantee that a symmetric encryption scheme can exhibit is semantic security, meaning that an attacker is unable to learn anything about the plaintext except what is leaked by the ciphertext (e.g., the length of the message). In other words, the probability of finding the plaintext from the ciphertext is not much different from guessing the plaintext without the ciphertext. Formally, this can be defined as follows:

Definition (Semantic Security for Symmetric Encryption [6]). A symmetric encryption scheme $(G, E, D)$ is semantically secure in the presence of an eavesdropper if for every probabilistic polynomial-time algorithm $A$ there exists a probabilistic polynomial-time algorithm $A'$ such that for all efficiently-sampleable distributions $X = (X_1, \ldots)$ and all polynomial-time computable functions $f$ and $h$, there exists a negligible function $\mathrm{negl}(n)$ such that
$$\left|\Pr(A(1^n, E_k(m), h(m)) = f(m)) - \Pr(A'(1^n, h(m)) = f(m))\right| \le \mathrm{negl}(n),$$
where $m$ is chosen according to distribution $X_n$, and the probabilities are taken over the choice of $m$ and the key $k$, and any random coins used by $A$, $A'$, and the encryption process. This definition is based on the pioneering work of Goldwasser and Micali [10]. Building on Goldwasser and Micali's work, Bellare, Desai, Jokipii, and Rogaway [11] defined semantic security for symmetric encryption systems.

Using pseudo-random generators, pseudo-random functions, and pseudo-random permutations one can construct symmetric encryption schemes. One-time pad encryption systems can be constructed from pseudo-random generators, and block ciphers can be constructed from pseudo-random permutations or pseudo-random functions. In particular, block ciphers can be constructed using the Luby-Rackoff construction [12]. In the remainder of this dissertation we consider a symmetric encryption system to be modeled as one of the pseudo-random primitives exhibiting its properties.

Cryptographic Hash Functions

We define a hash family $H$ as a family of surjective functions $h_s : \{0,1\}^n \to \{0,1\}^m$ for $m < n$. We say that the hash function $h_s \in H$ is collision resistant if it is hard to find distinct strings $x_1, x_2 \in \{0,1\}^n$ that hash to the same value $v \in \{0,1\}^m$. We say that $h_s$ is pre-image resistant if, given the value $h_s(x)$, an attacker can recover $x$ with only negligible probability. Lastly, we say that $h_s$ is second pre-image resistant if, given a value $x \in \{0,1\}^n$, an attacker can find, with only negligible probability, an $x' \in \{0,1\}^n$ with $x' \neq x$ such that $h_s(x) = h_s(x')$.

Cryptographic hash functions are a family of collision, pre-image, and second pre-image resistant hash functions used in many areas of cryptography. They consist of a pair of probabilistic polynomial-time functions $(G, H)$. $G$ is used to select, at random, a key $s$. This key is an index of the hash function in the family. The function $h_s : \{0,1\}^* \to \{0,1\}^{l(n)}$ is drawn from $H$ according to $s$. The range of $h_s$ (i.e., $l(n)$) must be less than, or equal to, the length of the message being hashed. Cryptographic hash functions can be constructed from block ciphers using the Merkle-Damgård construction [13, 14].

Generally, the security of hash functions is modeled in two ways. The first is called the standard security model. In the standard model, one only uses the three properties of cryptographic hash functions stated above. The second model, called the random oracle model, treats a hash function as a random oracle. This random oracle responds with a random value for each query; however, if a query is repeated the oracle responds with the same value. This model was first proposed by Goldreich, Goldwasser, and Micali in 1985 [15].

2.3 Searchable Encryption Framework

We make use of the following notation for discussing the results of research into SSE. Let $D = \{D_1, D_2, \ldots, D_n\}$ denote a collection of $n$ encrypted documents in the cloud storage, $\Sigma$ the alphabet over which the characters of strings are drawn, and $\{w_1, w_2, \ldots, w_d\}$ a dictionary of $d$ words drawn from $\Sigma^*$. We associate with each document in collection $D$ a number used as an index; this function is denoted by $\mathrm{id} : D \to \mathbb{Z}$. Let $D(w_i)$ denote the set of identifiers of the documents that contain the word $w_i$. We use $m_1 \| m_2$ to denote the concatenation of messages $m_1$ and $m_2$.

For the remainder of this dissertation we define our SSE systems following the rigorous framework of Curtmola, Garay, Kamara, and Ostrovsky in [5]. Their model consists of a tuple of four algorithms (Keygen, BuildIndex, Trapdoor, Search), defined as follows:

Keygen($1^\lambda$): A probabilistic algorithm run by the owner to set up the scheme. It takes a security parameter $\lambda$ as input and returns a secret key $K$.

BuildIndex($K$, $D$): A probabilistic algorithm run by the owner to generate the indexes. It takes a key $K$ and a document collection $D$ as input and returns an index $I$.

Trapdoor($K$, $w$): An algorithm run by the owner to generate a trapdoor $T_w$, given a word $w$ and a key $K$.

Search($I$, $T_w$): An algorithm, run by the cloud, that searches for a keyword in the document collection. It takes an index $I$ and a trapdoor $T_w$ and returns the identifiers of the documents that contain the word $w$.

An index, $I$, is a data structure, or set of data structures, that tracks keywords and the documents that contain them. We note that in some chapters of this dissertation we will assume that the model uses phrases $p$ instead of words $w$. This causes small modifications to the inputs of both the Trapdoor and Search functions.

There are two major forms of indexes used by SSE: the inverted index and the per-document index. The inverted index structure, borrowed from the field of information retrieval, is a single data structure that associates each keyword with the set of documents in the collection that contain it [16]. The per-document index associates, with each document, a data structure that tracks the keywords stored in that document.

2.4 Index Data Structures

In this section we discuss two data structures that permeate the research. These data structures are used to construct both per-document and inverted indexes. Indexes are required to provide two operations, Search and Insert, with a third optional operation, Delete. The Search operation determines whether a search key occurs in the data structure. The Insert operation adds a new key, with its associated data, to the data structure. The Delete operation removes a key, and its associated data, from the data structure. We present two index structures in this section, the trie and the Bloom filter.

Devised by Fredkin [17], a trie is an index method which supports three main operations, Insert, Search, and Delete, all of which take a word $w \in \Sigma^*$ as input. A trie is a $|\Sigma \cup \{\$\}|$-ary tree, where each node of the tree is labeled with an element of $\Sigma \cup \{\$\}$. Moreover, a root-to-leaf path through the tree denotes a word $w \in \Sigma^*$, terminated by a special character $\$ \notin \Sigma$.

The Insert operation appends a $\$$ to the input $w$. Starting at the root node of the tree, we use $w$ to trace a path. The first time we reach a node that has no child for the current letter of $w$, we add a subpath as a child of the current node, labeled with the remaining letters of $w$ and terminated by $\$$. We note that the insertion time in the trie is $O(|w|)$.

The Search operation uses the input $w$ as a path through the tree. The function first appends a $\$$ to $w$. If that path ends in a leaf, i.e., the path is a root-to-leaf path, the search is successful. Otherwise, the word does not exist in the dictionary. We note that the search time in the trie is $\Theta(|w|)$ in the worst case.

The Delete operation uses the input $w$ as a path through the tree. This function removes the nodes along the path given by $w$ in a bottom-up fashion. There is one exception: a node is not removed if it has children other than the one on the path for $w$, since those children belong to other words. We note that the Delete time in the trie is $\Theta(|w|)$.

In this dissertation we denote a trie by $T$ and a node of the trie by $T_{i,j}$, where $i$ is the depth of the node and $j$ its left-to-right position. We denote access to the values stored in a node of $T$ by $T_{i,j}[s]$, where $s$ denotes the name of the field.

Devised by B. H. Bloom [18], a Bloom filter is an index method which consists of a $k$-bit vector and three hash functions $h_1$, $h_2$, and $h_3$ with range $\{1, 2, \ldots, k\}$, and supports two operations: Insert and Search. The Insert operation inserts input $v$ by setting positions $h_1(v)$, $h_2(v)$, and $h_3(v)$ in the $k$-bit vector to 1. The Search operation determines whether input $v$ is in the filter by checking that all locations $h_1(v)$, $h_2(v)$, and $h_3(v)$ in the $k$-bit vector are 1.
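The two index structures of Section 2.4, as an added example that is not code from the dissertation: a trie over $\Sigma \cup \{\$\}$ with Insert, Search and the bottom-up Delete (including the exception for nodes that still have other children), and a Bloom filter with three hash functions of range $\{1, \ldots, k\}$. The choice of SHA-256 with a per-function salt for $h_1, h_2, h_3$ and the bit-vector size are assumptions of this example.

```python
import hashlib
from typing import Dict

END = "$"  # terminator symbol, assumed not to occur in the alphabet Sigma


class Trie:
    """A trie in which every node is a dict from a symbol of Sigma ∪ {$} to its child."""

    def __init__(self) -> None:
        self.root: Dict[str, dict] = {}

    def insert(self, w: str) -> None:
        # Append $ and walk; the first missing symbol starts the new subpath,
        # and setdefault creates the remaining nodes down to the $ leaf. O(|w|).
        node = self.root
        for c in w + END:
            node = node.setdefault(c, {})

    def search(self, w: str) -> bool:
        # Success only if w$ is a complete root-to-leaf path; a bare prefix
        # such as "ca" for "cat" fails because no $ child follows it.
        node = self.root
        for c in w + END:
            if c not in node:
                return False
            node = node[c]
        return True

    def delete(self, w: str) -> bool:
        # Record the (parent, symbol) pairs along w$, then unlink bottom-up.
        path = []
        node = self.root
        for c in w + END:
            if c not in node:
                return False  # w is not in the dictionary
            path.append((node, c))
            node = node[c]
        for parent, c in reversed(path):
            del parent[c]
            if parent:
                # The exception: this node still has children that belong to
                # other words (e.g. "car" after deleting "cat"), so stop here.
                break
        return True


class BloomFilter:
    """k-bit vector (1-indexed to match the range {1,...,k}) with h1, h2, h3."""

    def __init__(self, k: int = 1024) -> None:
        self.k = k
        self.bits = [0] * (k + 1)
        self.hashes = [self._make_hash(i) for i in (1, 2, 3)]

    def _make_hash(self, salt: int):
        # Assumed construction: SHA-256 over "salt:v", reduced into {1,...,k}.
        def h(v: str) -> int:
            digest = hashlib.sha256(f"{salt}:{v}".encode()).digest()
            return int.from_bytes(digest[:8], "big") % self.k + 1
        return h

    def insert(self, v: str) -> None:
        for h in self.hashes:
            self.bits[h(v)] = 1

    def search(self, v: str) -> bool:
        # No false negatives; a false positive is possible when all three
        # positions were set by other inserted values.
        return all(self.bits[h(v)] == 1 for h in self.hashes)


if __name__ == "__main__":
    # Constructed sample dictionary, matching the figure list's {cat, dog} and {car, do}.
    t = Trie()
    for word in ("cat", "dog", "car", "do"):
        t.insert(word)
    t.delete("cat")
    print(t.search("car"), t.search("cat"), t.search("do"))  # True False True
```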
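An added example, not code from the dissertation, that instantiates the four-algorithm framework of Section 2.3 as a toy inverted-index scheme and adds the per-result authentication tag that the verifiability goal of Section 1.2 asks for, so that a result altered by an SHBC cloud is rejected. It assumes HMAC-SHA256 as the PRF $F_K(\cdot)$ of Section 2.2, a counter-mode keystream derived from it as the PRG that encrypts each posting list $D(w)$, and a constructed three-document collection; the function names are assumptions of this example.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, List, Optional, Tuple

Index = Dict[bytes, Tuple[bytes, bytes]]


def prf(key: bytes, msg: bytes) -> bytes:
    """Assumed PRF F_K(.): HMAC-SHA256."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def keystream(key: bytes, n: int) -> bytes:
    """Assumed PRG: expand a per-keyword key into n bytes (counter mode over the PRF)."""
    out, counter = b"", 0
    while len(out) < n:
        out += prf(key, counter.to_bytes(4, "big"))
        counter += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive(K: bytes, w: str) -> Tuple[bytes, bytes, bytes]:
    """Per-keyword values: the label the cloud sees, an encryption key and a tag key.
    Domain-separation prefixes keep the three PRF outputs independent."""
    wb = w.encode()
    return prf(K, b"label:" + wb), prf(K, b"enc:" + wb), prf(K, b"tag:" + wb)


def keygen(security_parameter: int = 32) -> bytes:
    """Keygen(1^lambda): the owner's secret key K."""
    return os.urandom(security_parameter)


def build_index(K: bytes, docs: Dict[int, str]) -> Index:
    """BuildIndex(K, D): an inverted index keyed by PRF labels. Each posting list
    D(w) is encrypted under its own key and bound to its label by a tag."""
    postings: Dict[str, List[int]] = {}
    for doc_id, text in docs.items():
        for w in set(text.lower().split()):
            postings.setdefault(w, []).append(doc_id)
    index: Index = {}
    for w, ids in postings.items():
        label, k_enc, k_tag = derive(K, w)
        plain = json.dumps(sorted(ids)).encode()
        ct = xor(plain, keystream(k_enc, len(plain)))
        tag = prf(k_tag, label + plain)  # ties D(w) to the label for w
        index[label] = (ct, tag)
    return index


def trapdoor(K: bytes, w: str) -> bytes:
    """Trapdoor(K, w): only the label T_w goes to the cloud; the keys stay with the owner."""
    return derive(K, w)[0]


def search(index: Index, T_w: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Search(I, T_w): run by the cloud, which learns neither w nor D(w)."""
    return index.get(T_w)


def open_result(K: bytes, w: str, result: Optional[Tuple[bytes, bytes]]) -> Optional[List[int]]:
    """Client side: decrypt, then verify the tag before trusting the posting list.
    Returns None when the result was altered, truncated, or belongs to another label."""
    if result is None:
        return None
    ct, tag = result
    label, k_enc, k_tag = derive(K, w)
    plain = xor(ct, keystream(k_enc, len(ct)))
    if not hmac.compare_digest(tag, prf(k_tag, label + plain)):
        return None
    return json.loads(plain)


if __name__ == "__main__":
    # Constructed sample collection, not data from the dissertation.
    docs = {1: "the cat sat", 2: "the dog ran", 3: "cat and dog"}
    K = keygen()
    I = build_index(K, docs)
    print(open_result(K, "cat", search(I, trapdoor(K, "cat"))))  # [1, 3]
```

A missing entry (`None`) cannot be told apart from one the cloud withheld, so this toy authenticates only the results that are returned; detecting incomplete results as well is what the verifiability property of Section 1.2 demands of a full scheme.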


More information

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

More information

Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

More information

Public Key Encryption that Allows PIR Queries

Public Key Encryption that Allows PIR Queries Public Key Encryption that Allows PIR Queries Dan Boneh Eyal Kushilevitz Rafail Ostrovsky William E Skeith III Appeared at CRYPTO 2007: 50-67 Abstract Consider the following problem: Alice wishes to maintain

More information

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

More information

Ranked Search over Encrypted Cloud Data using Multiple Keywords

Ranked Search over Encrypted Cloud Data using Multiple Keywords Ranked Search over Encrypted Cloud Data using Multiple Keywords [1] Nita Elizabeth Samuel, [2] Revathi B. R, [3] Sangeetha.M, [4] SreelekshmySelvin, [5] Dileep.V.K [1][2][3][4] LBS Institute of Technology

More information

Searchable encryption

Searchable encryption RESEARCH MASTER S DEGREE IN COMPUTER SCIENCE Searchable encryption BIBLIOGRAPHICAL STUDY 26 January 2012 Tarik Moataz INTERNSHIP at Alcatel-Lucent Bell Labs Supervisors Cuppens Frédéric, SFIIS LabSTICC

More information

Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

More information

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

More information

Master s Thesis. Secure Indexes for Keyword Search in Cloud Storage. Supervisor Professor Hitoshi Aida ( ) !!!

Master s Thesis. Secure Indexes for Keyword Search in Cloud Storage. Supervisor Professor Hitoshi Aida ( ) !!! Master s Thesis Secure Indexes for Keyword Search in Cloud Storage ( ) 2014 8 Supervisor Professor Hitoshi Aida ( ) Electrical Engineering and Information Systems Graduate School of Engineering The University

More information

Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak

Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak Non-Black-Box Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a

More information

Multi-Input Functional Encryption for Unbounded Arity Functions

Multi-Input Functional Encryption for Unbounded Arity Functions Multi-Input Functional Encryption for Unbounded Arity Functions Saikrishna Badrinarayanan, Divya Gupta, Abhishek Jain, and Amit Sahai Abstract. The notion of multi-input functional encryption (MI-FE) was

More information

Lecture 3: One-Way Encryption, RSA Example

Lecture 3: One-Way Encryption, RSA Example ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

More information

Department Informatik. Privacy-Preserving Email Forensics. Technical Reports / ISSN 2191-5008. Frederik Armknecht, Andreas Dewald

Department Informatik. Privacy-Preserving Email Forensics. Technical Reports / ISSN 2191-5008. Frederik Armknecht, Andreas Dewald Department Informatik Technical Reports / ISSN 2191-5008 Frederik Armknecht, Andreas Dewald Privacy-Preserving Email Forensics Technical Report CS-2015-03 April 2015 Please cite as: Frederik Armknecht,

More information

An Efficient Multi-Keyword Ranked Secure Search On Crypto Drive With Privacy Retaining

An Efficient Multi-Keyword Ranked Secure Search On Crypto Drive With Privacy Retaining An Efficient Multi-Keyword Ranked Secure Search On Crypto Drive With Privacy Retaining 1 B.Sahaya Emelda and 2 Mrs. P. Maria Jesi M.E.,Ph.D., 1 PG Student and 2 Associate Professor, Department of Computer

More information

Message Authentication Codes 133

Message Authentication Codes 133 Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in

More information

Advanced Cryptography

Advanced Cryptography Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

More information

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication

More information

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

More information

Secure Group Oriented Data Access Model with Keyword Search Property in Cloud Computing Environment

Secure Group Oriented Data Access Model with Keyword Search Property in Cloud Computing Environment Secure Group Oriented Data Access Model with Keyword Search Property in Cloud Computing Environment Chih Hung Wang Computer Science and Information Engineering National Chiayi University Chiayi City 60004,

More information

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

More information

A Survey and Analysis of Solutions to the. Oblivious Memory Access Problem. Erin Elizabeth Chapman

A Survey and Analysis of Solutions to the. Oblivious Memory Access Problem. Erin Elizabeth Chapman A Survey and Analysis of Solutions to the Oblivious Memory Access Problem by Erin Elizabeth Chapman A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in

More information

Keyword Search over Shared Cloud Data without Secure Channel or Authority

Keyword Search over Shared Cloud Data without Secure Channel or Authority Keyword Search over Shared Cloud Data without Secure Channel or Authority Yilun Wu, Jinshu Su, and Baochun Li College of Computer, National University of Defense Technology, Changsha, Hunan, China Department

More information

Ranked Keyword Search Using RSE over Outsourced Cloud Data

Ranked Keyword Search Using RSE over Outsourced Cloud Data Ranked Keyword Search Using RSE over Outsourced Cloud Data Payal Akriti 1, Ms. Preetha Mary Ann 2, D.Sarvanan 3 1 Final Year MCA, Sathyabama University, Tamilnadu, India 2&3 Assistant Professor, Sathyabama

More information

Shared and Searchable Encrypted Data for Untrusted Servers

Shared and Searchable Encrypted Data for Untrusted Servers Shared and Searchable Encrypted Data for Untrusted Servers Changyu Dong 1, Giovanni Russello 2, Naranker Dulay 1 1 Department of Computing, 2 Security Area, Imperial College London, Create-Net, 180 Queen

More information

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

More information

Message Authentication Code

Message Authentication Code Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

More information

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

More information

Yale University Department of Computer Science

Yale University Department of Computer Science Yale University Department of Computer Science On Backtracking Resistance in Pseudorandom Bit Generation (preliminary version) Michael J. Fischer Michael S. Paterson Ewa Syta YALEU/DCS/TR-1466 October

More information

1 Signatures vs. MACs

1 Signatures vs. MACs CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

More information

Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

More information

Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

More information

Talk announcement please consider attending!

Talk announcement please consider attending! Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 1 January 9, 2012 CPSC 467b, Lecture 1 1/22 Course Overview Symmetric Cryptography CPSC 467b, Lecture 1 2/22 Course Overview CPSC

More information

Privacy and Security in Cloud Computing

Privacy and Security in Cloud Computing Réunion CAPPRIS 21 mars 2013 Monir Azraoui, Kaoutar Elkhiyaoui, Refik Molva, Melek Ӧnen Slide 1 Cloud computing Idea: Outsourcing Ø Huge distributed data centers Ø Offer storage and computation Benefit:

More information

CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

More information

New Efficient Searchable Encryption Schemes from Bilinear Pairings

New Efficient Searchable Encryption Schemes from Bilinear Pairings International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang

More information

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

More information

Privacy-preserving Ranked Multi-Keyword Search Leveraging Polynomial Function in Cloud Computing

Privacy-preserving Ranked Multi-Keyword Search Leveraging Polynomial Function in Cloud Computing Privacy-preserving Ranked Multi-Keyword Search Leveraging Polynomial Function in Cloud Computing Yanzhi Ren, Yingying Chen, Jie Yang, Bin Xie 3 Department of ECE, Stevens Institute of Technology, Hoboken,

More information

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1 SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct

More information

Post-Quantum Cryptography #4

Post-Quantum Cryptography #4 Post-Quantum Cryptography #4 Prof. Claude Crépeau McGill University http://crypto.cs.mcgill.ca/~crepeau/waterloo 185 ( 186 Attack scenarios Ciphertext-only attack: This is the most basic type of attack

More information

Security over Cloud Data through Encryption Standards

Security over Cloud Data through Encryption Standards Security over Cloud Data through Encryption Standards Santhi Baskaran 1, Surya A 2, Stephen Pius C 3, Sudesh Goud G 4 1 Professor, 2,3,4 Student, Department of Information Technology, Pondicherry Engineering

More information

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No. # 11 Block Cipher Standards (DES) (Refer Slide

More information

Privacy Preserving String Matching for Cloud Computing

Privacy Preserving String Matching for Cloud Computing 2015 IEEE 35th International Conference on Distributed Computing Systems Privacy Preserving String Matching for Cloud Computing Bruhadeshwar Bezawada,AlexX.Liu, Bargav Jayaraman, Ann L. Wang and Rui Li

More information

MAC. SKE in Practice. Lecture 5

MAC. SKE in Practice. Lecture 5 MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve

More information

Parallel and Dynamic Searchable Symmetric Encryption

Parallel and Dynamic Searchable Symmetric Encryption Parallel and Dynamic Searchable Symmetric Encryption Seny Kamara 1 and Charalampos Papamanthou 2 1 Microsoft Research, senyk@microsoft.com 2 UC Berkeley, cpap@cs.berkeley.edu Abstract. Searchable symmetric

More information

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense

More information

Multi-User Private Queries over Encrypted Databases

Multi-User Private Queries over Encrypted Databases Multi-User Private Queries over Encrypted Databases Y.J. Yang* Institute for Infocomm Research, Singapore 138632 E-mail: yyang@i2r.a-star.edu.sg *Corresponding author X.H. Ding School of Information Systems,

More information

Identity-Based Encryption from the Weil Pairing

Identity-Based Encryption from the Weil Pairing Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages

More information

Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

More information

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Error oracle attacks and CBC encryption Chris Mitchell ISG, RHUL http://www.isg.rhul.ac.uk/~cjm Agenda 1. Introduction 2. CBC mode 3. Error oracles 4. Example 1 5. Example 2 6. Example 3 7. Stream ciphers

More information

Keywords: cloud computing, multiple keywords, service provider, search request, ranked search

Keywords: cloud computing, multiple keywords, service provider, search request, ranked search Volume 5, Issue 1, January 2015 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com A Survey on

More information

Seclusion Search over Encrypted Data in Cloud Storage Services

Seclusion Search over Encrypted Data in Cloud Storage Services Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 4, Issue. 3, March 2015,

More information

Lecture 13: Message Authentication Codes

Lecture 13: Message Authentication Codes Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts

More information

Security Analysis of DRBG Using HMAC in NIST SP 800-90

Security Analysis of DRBG Using HMAC in NIST SP 800-90 Security Analysis of DRBG Using MAC in NIST SP 800-90 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@u-fukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator

More information

Chapter 12. Digital signatures. 12.1 Digital signature schemes

Chapter 12. Digital signatures. 12.1 Digital signature schemes Chapter 12 Digital signatures In the public key setting, the primitive used to provide data integrity is a digital signature scheme. In this chapter we look at security notions and constructions for this

More information

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives Olivier Pereira Université catholique de Louvain ICTEAM Crypto Group B-1348, Belgium olivier.pereira@uclouvain.be

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur Lecture No. #06 Cryptanalysis of Classical Ciphers (Refer

More information

Lecture 2: Complexity Theory Review and Interactive Proofs

Lecture 2: Complexity Theory Review and Interactive Proofs 600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography

More information

Scalable Private Database Querying for Arbitrary Formulas

Scalable Private Database Querying for Arbitrary Formulas Scalable Private Database Querying for Arbitrary Formulas Vladimir Kolesnikov (Bell Labs) Seung Geol Choi, Angelos Keromytis, Fernando Krell, Tal Malkin, Vasilis Pappas and Binh Vo (Columbia) Wesley George

More information

Private Searching On Streaming Data

Private Searching On Streaming Data Journal of Cryptology, Volume 20:4, pp. 397-430, October 2007. 1 Private Searching On Streaming Data Rafail Ostrovsky William E. Skeith III Abstract In this paper, we consider the problem of private searching

More information

Democratic Group Signatures on Example of Joint Ventures

Democratic Group Signatures on Example of Joint Ventures Democratic Group Signatures on Example of Joint Ventures Mark Manulis Horst-Görtz Institute Ruhr-University of Bochum D-44801, Germany EMail: mark.manulis@rub.de Abstract. In the presence of economic globalization

More information

Verifiable Delegation of Computation over Large Datasets

Verifiable Delegation of Computation over Large Datasets Verifiable Delegation of Computation over Large Datasets Siavosh Benabbas University of Toronto Rosario Gennaro IBM Research Yevgeniy Vahlis AT&T Cloud Computing Data D Code F Y F(D) Cloud could be malicious

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. #01 Lecture No. #10 Symmetric Key Ciphers (Refer

More information

Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Developing and Investigation of a New Technique Combining Message Authentication and Encryption Developing and Investigation of a New Technique Combining Message Authentication and Encryption Eyas El-Qawasmeh and Saleem Masadeh Computer Science Dept. Jordan University for Science and Technology P.O.

More information

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015 Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015 Chapter 2: Introduction to Cryptography What is cryptography? It is a process/art of mangling information in such a way so as to make it

More information

The Complexity of Online Memory Checking

The Complexity of Online Memory Checking The Complexity of Online Memory Checking Moni Naor Guy N. Rothblum Abstract We consider the problem of storing a large file on a remote and unreliable server. To verify that the file has not been corrupted,

More information

Digital Signatures. What are Signature Schemes?

Digital Signatures. What are Signature Schemes? Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counter-parts of the message authentication schemes in the public

More information

Improving data integrity on cloud storage services

Improving data integrity on cloud storage services International Journal of Engineering Science Invention ISSN (Online): 2319 6734, ISSN (Print): 2319 6726 Volume 2 Issue 2 ǁ February. 2013 ǁ PP.49-55 Improving data integrity on cloud storage services

More information

Secure Collaborative Privacy In Cloud Data With Advanced Symmetric Key Block Algorithm

Secure Collaborative Privacy In Cloud Data With Advanced Symmetric Key Block Algorithm Secure Collaborative Privacy In Cloud Data With Advanced Symmetric Key Block Algorithm Twinkle Graf.F 1, Mrs.Prema.P 2 1 (M.E- CSE, Dhanalakshmi College of Engineering, Chennai, India) 2 (Asst. Professor

More information

1 Domain Extension for MACs

1 Domain Extension for MACs CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).

More information

3-6 Toward Realizing Privacy-Preserving IP-Traceback

3-6 Toward Realizing Privacy-Preserving IP-Traceback 3-6 Toward Realizing Privacy-Preserving IP-Traceback The IP-traceback technology enables us to trace widely spread illegal users on Internet. However, to deploy this attractive technology, some problems

More information

Official Arbitration with Secure Cloud Storage Application

Official Arbitration with Secure Cloud Storage Application Official Arbitration with Secure Cloud Storage Application Alptekin Küpçü Koç University, İstanbul, Turkey akupcu@ku.edu.tr February 11, 2013 Abstract Static and dynamic proof of storage schemes have been

More information

Chapter 2 TSAS: Third-Party Storage Auditing Service

Chapter 2 TSAS: Third-Party Storage Auditing Service Chapter 2 TSAS: Third-Party Storage Auditing Service Abstract In cloud storage systems, data owners host their data on cloud servers and users (data consumers) can access the data from cloud servers Due

More information

Verifiable Outsourced Computations Outsourcing Computations to Untrusted Servers

Verifiable Outsourced Computations Outsourcing Computations to Untrusted Servers Outsourcing Computations to Untrusted Servers Security of Symmetric Ciphers in Network Protocols ICMS, May 26, 2015, Edinburgh Problem Motivation Problem Motivation Problem Motivation Problem Motivation

More information

Proofs in Cryptography

Proofs in Cryptography Proofs in Cryptography Ananth Raghunathan Abstract We give a brief overview of proofs in cryptography at a beginners level. We briefly cover a general way to look at proofs in cryptography and briefly

More information

SECURE AND EFFICIENT PRIVACY-PRESERVING PUBLIC AUDITING SCHEME FOR CLOUD STORAGE

SECURE AND EFFICIENT PRIVACY-PRESERVING PUBLIC AUDITING SCHEME FOR CLOUD STORAGE International Journal of Computer Network and Security(IJCNS) Vol 7. No.1 2015 Pp. 1-8 gopalax Journals, Singapore available at : www.ijcns.com ISSN: 0975-8283 ----------------------------------------------------------------------------------------------------------------------------------------------------------

More information

Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures. Prof. Zeph Grunschlag Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each

More information

Secure Computation Without Authentication

Secure Computation Without Authentication Secure Computation Without Authentication Boaz Barak 1, Ran Canetti 2, Yehuda Lindell 3, Rafael Pass 4, and Tal Rabin 2 1 IAS. E:mail: boaz@ias.edu 2 IBM Research. E-mail: {canetti,talr}@watson.ibm.com

More information

Key Privacy for Identity Based Encryption

Key Privacy for Identity Based Encryption Key Privacy for Identity Based Encryption Internet Security Research Lab Technical Report 2006-2 Jason E. Holt Internet Security Research Lab Brigham Young University c 2006 Brigham Young University March

More information

Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53

Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Cryptography and Network Security, PART IV: Reviews, Patches, and Theory Timo Karvi 11.2012 Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Key Lengths I The old

More information

Comments on "public integrity auditing for dynamic data sharing with multi-user modification"

Comments on public integrity auditing for dynamic data sharing with multi-user modification University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers Faculty of Engineering and Information Sciences 2016 Comments on "public integrity auditing for dynamic

More information

A Secure RFID Ticket System For Public Transport

A Secure RFID Ticket System For Public Transport A Secure RFID Ticket System For Public Transport Kun Peng and Feng Bao Institute for Infocomm Research, Singapore Abstract. A secure RFID ticket system for public transport is proposed in this paper. It

More information

Survey on Efficient Information Retrieval for Ranked Query in Cost-Efficient Clouds

Survey on Efficient Information Retrieval for Ranked Query in Cost-Efficient Clouds Survey on Efficient Information Retrieval for Ranked Query in Cost-Efficient Clouds Ms. Jyotsna T. Kumbhar 1 ME Student, Department of Computer Engineering, TSSM S, P.V.P.I.T., Bavdhan, Pune University,

More information

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 1 (rev. 1) Professor M. J. Fischer September 3, 2008 1 Course Overview Lecture Notes 1 This course is

More information