# Lecture 2: Complexity Theory Review and Interactive Proofs

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography Question 1 What is cryptography? When most people think of cryptography, they think encryption. The field also includes authentication, signatures, trust relationships, elimination of trusted parties and more. Question 2 Are these tools useful in other fields? Cryptography, in the 1980 s, was far from becoming an extinct field of study. Modern cryptographers apply their tools and techniques to branch into other fields. This expansion was possible through breakthrough work done in , shown in Figure 1. Figure 1: Some Important Results in Modern Cryptography 1. Diffie and Hellman [DH76], explained in New Directions in Cryptography, a key exchange protocol, which can be performed over an insecure channel. Before Diffie- Hellman, people believed that cryptography required a shared secret. Now two parties who have never met can carry on a private conversation even if an adversary observes all the messages passing between them! 2. Rivest, Shamir, and Adelman (RSA) present public key encryption and signature schemes [RSA78]. These techniques are efficient and (now) commonly used. 3. Goldwasser and Micali [GM84] studied the question What does it mean to encrypt something securely? They presented a definition of security for probabilistic encryption schemes and a construction that meets their definition. (The basic RSA scheme is deterministic and does not meet this definition.) 4. Goldwasser, Micali, and Rivest published a paper defining security for signature schemes with a construction meeting their definition [GMR88]. 2-1

2 5. Goldwasser, Micali, and Rackoff studied in detail interactive proofs and introduced the concept of the zero-knowledge proof [GMR85]. 6. Goldreich, Micali, and Wigderson further refined the concept of a zero-knowledge (ZK) proof and showed that there is a ZK proof for all NP statements [GMW86b,GMW86a]. There are, of course, many other great results not included in this timeline. This class will start with the results listed above from 1985 and move forward. We will then revisit some of the topics prior to Review of Complexity Hierarchy Figure 2: Complexity Hierarchy NP, which stands for Nondeterministic Polynomial Time, is the class of languages where membership can be verified quickly: for all x L, this fact can be verified in polynomial time. x will be used to denote the size of the binary representation of x (i.e., the value x can be represented compactly in roughly log 2 (x) bits. The only separation between these classes of languages that we know is: EXPTIME P. 3 Co-NP Definition 1 Co-NP - If L NP, then L Co-NP, where L is the set of strings (defined over some alphabet) which are not in L. 2-2

3 Example 1 Recall that SAT NP and that SAT is the set of strings representing all satisfiable formulas. An example of a satisfiable formula is x 1 x 2 x 3, which can be satisfied by setting x 1 = x 2 = x 3 = 1. SAT Co-NP, where SAT is the set of all unsatisfiable formulas. unsatisfiable formula is x 1 x 1. An example of an Figure 3: The Classes P, NP, Co-NP, and PSPACE The intersection of Co-NP and NP includes P and is included in PSPACE. It is possible that there exists a language L which is in both NP and Co-NP and yet not in P, but this isn t known for sure. Example 2 PRIMES, which contains all prime numbers, is an example of a language known to be in both NP and Co-NP. Last lecture, we discussed that PRIMES P, P NP and P Co-NP. Also, P RIMES is a language in P. 4 Introduction to Interactive Proof Systems In a proof system, there are two parties: a prover and a verifier. 4.1 Classical Proofs Classical proofs are proven using steps like the following: 1. Start with a statement: A. 2. Make an inference: A B. 3. Draw a conclusion: B. In a classical proof, a prover typically writes down all that he has to say and a verifier then checks this statement. The prover and the verifier have no interaction. (This is like a written exam.) 2-3

4 4.2 Interactive Proofs In an interactive proof, however, the prover and the verifier are allowed to send multiple messages back and forth to each other. This requires that the prover and verifier be online together, but perhaps there is some power in interacting. Perhaps there are theorems that a prover cannot prove to the verifier via a classical proof, but could prove via an interactive proof. (This is like an oral exam.) Let s say more about these interactions. There are two parties involved: 1. Prover: can have infinite running time - can think of as a powerful wizard. 2. Verifier: has polynomial running time, and has the ability to generate random numbers. This is known as probabilistic polynomial time, abbreviated ppt. The Prover and Verifier interact for a polynomial time. Eventually the Verifier accepts that x L or rejects since it is not convinced that x L. (Note that x may be in L, but rejection means that the prover did not convince the verifier.) Example 3 Graph Isomorphism (ISO). Suppose an (undirected) graph is represented as a number of nodes n and a set of edges, where an edge between node i to node j is represented as (i, j). Given two graphs G and H in this representation, one question one might ask about them is: are G and H isomorphic? That is, is it possible to relabel the nodes of H so that G and H are exactly the same? In essence, we are asking if G and H are the same graph. Formally, ISO = { (G,H) : G = H } ISO NP. Intuitively, there are lots of reorderings (n! > 2 n ) but if given instructions on how to relabel the nodes, the isomorphism is easy to verify. It is key that these instructions be at most polynomial in size, and indeed, they are. Figure 4: Example of two isomorphic graphs 2-4

5 We have just seen that membership in ISO has an efficient classical proof. Let s now consider a related language. Example 4 Graph Non-Isomorphism (NISO). The set of all pairs of graphs that are not isomorphic. NISO= {(G,H) : G H } How would you prove, using a classical proof, that two graphs are not isomorphic? What short proof of this can you give? We don t know of an algorithm that works all the time, and the verifier can t check all the possibilities in polynomial time. So we don t know how to prove that NISO NP. However, by definition, NISO Co-NP. So, NISO PSPACE and since PSPACE=IP we know NISO has an interactive proof (IP) [Sha90]. Let s consider the following interactive proof for NISO. The statement being prove is (G, H) NISO. Recall that the computational power of the prover is unbounded, but that the verifier must run in ppt. P (G, H) NISO V Pick F= G or H at random. Pick a random permutation π. C = π(f ) C Decide if C = G, or C = H G or H Verify the answer from the prover is F. Why does this protocol work? Intuitively, if G and H are not isomorphic, then an honest P can always correctly answer the verifier. If G and H are isomorphic, then even a malicious P is correct at most half the time. For a better soundness probability, run this protocol k times and have the verifier reject if the prover is ever wrong. Then, the probability that any malicious Prover cheats the verifier is ( 1 2 )k. When k = 32, the prover has roughly 1 in a billion chance of cheating the verifier. When k = 80, the prover has a better chance of winning the lottery ten times in a row! 5 Defining Interactive Proof Systems (IPS) Now that have seen an interactive proof and have some appreciation for the potential power of these proofs, let s define this idea more formally. First, let s start with some intuition on what these proof systems should do. 5.1 Informal Definition Definition 2 Any proof system should have the following two properities: 1. Completeness: Any true theorem can be proven 2-5

6 2. Soundness: Any false theorem cannot be proven We say that a pair of algorithms (P, V ) form an Interactive Proof System (IPS) for membership in a language L if the IPS is: 1. Complete with a small probability of error. 2. Sound with a small probability of error. 5.2 Formal Definition Definition 3 (P,V) is an Interactive Proof System (IPS) for a language L, and security parameter k if: 1. Completeness: x L, Pr[(P,V)[x] = accept] 1 - negl(k). 2. Soundness: x / L, P, Pr[(P,V)[x] = accept] negl(k). Here negl( ) denotes a negligible function. The security parameter is a value we pick to control the probability of error. Typically, k << x. When we write P and V we mean the honest algorithm, but by P we denote a possibility malicious prover. We could have defined our soundness such that Pr[(P,V)[x] = accept] = 0. But then our NISO protocol would not have satisfied the definition. Since the probability of P and V selecting the same graph is 1 2 ; by repeating NISO we can reduce the probability of P and V had selected the same graph every time. However, this probability will never be zero since k > 0, it holds that ( 1 2 )k > 0. 6 Minimizing the Information Revealed by the Prover In the proof protocols from the previous section, what could the Verifier learn? What if the Prover didn t want the Verifier to learn this extra information? How can we quantify this information? 6.1 A Zero Knowledge Proof for Graph Isomorphism Recall: ISO = { (G,H) : G = H }. Suppose (G, H) ISO. Next, suppose Tom (a third party) would like to know if the two graphs G and H are isomorphic, and asks ther verifier V. Although V does not know the answer itself, it can query P to obtain a permutation π such that π(g) = H. An example of using P in an oracle like fashion is shown below: P (1,5)(2,2)...(5,1) V (1,5)(2,2)...(5,1) Tom The equates to V learning a lot of information from P, which may be undesirable. The 2-6

7 information that V learns from P could be a credit card number, mother s maiden name,.... V could use this information at a later time to steal P s identity. Example 5 Let s try a different protocol for ISO: P (G,H) ISO V Pick F=G or H at random. Pick a random permutation π C = π(f ) C Choose J= G or H at random J Proof (C,J) are isomorphic In the last step above, the proof that (C,J) are isomorphic can be the classic ISO proof described in the last section. Claim: This solution is both sound and complete with a small probability of error when we run it k times. This ISP ISO proof reveals less information to the verifier than the classic ISO proof since the Verifier only knows isomorphism between random graphs and G and random graphs and H, but this does not help the verifier learn an isomorphism between G and H. As a remark, we note that the interactive proof above need not be between an prover with infinite running time and a ppt verifier. If the prover is also ppt *and* the prover knows valid permutation between G and H, then the proof system still works. For example, suppose the prover knows a permutation φ such that φ(g) = H. In step one of the protocol, the prover can pick a random permutation π and send to the verifier C = π(g). If the verifier asks for J= G in step two, then in step three, the prover returns π 1 since G = π 1 π(g). Otherwise, the verifier has asked for J= H, and the prover sends φ π 1 since H = φ(π 1 π(g)). It seems like the verifier doesn t learn much beyond the fact that (G, H) ISO by talking to the prover. Let s now try to capture this intuition in a definition. 6.2 Informal Definition of Zero Knowledge-Interactive Proof System (P,V) is a Zero Knowledge-Interactive Proof System (ZK-IPS) if it: 1. is complete. 2. is sound. 2-7

8 3. has zero-knowledgeness: the verifier does not learn anything except the truth of the statement. Question 3 What does it mean for the verifier not learn anything? One idea: The verifier could have created the conversation itself. For each iteration of the proof choose a random F = H or G, random π and apply π 1 H = C, to create the transcript. Placing them in the order C, F, π creates a conversation that looks a lot like a real conversation between the prover and the (honest) verifier. But is this enough? We ll explore this idea more in the next lecture. References [DH76] [GM84] [GMR85] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6): , Shafi Goldwasser and Silvio Micali. Probabilistic encryption. J. Comput. Syst. Sci., 28(2): , Shafi Goldwasser, Silvio Micali, and Charles Rackoff. The knowledge complexity of interactive proof-systems. In STOC 85: Proceedings of the seventeenth annual ACM symposium on Theory of computing, pages , [GMR88] Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2): , Earlier versions appeared in FOCS 84 and CRYPTO 84. [GMW86a] Oded Goldreich, Silvio Micali, and Avi Wigderson. How to prove all NPstatements in zero-knowledge, and a methodology of cryptographic protocol design. In CRYPTO 86, volume 263 of LNCS, pages , [GMW86b] Oded Goldreich, Silvio Micali, and Avi Wigderson. Proofs that yield nothing but their validity and a methodology of cryptographic protocol design (extended abstract). In FOCS 86, pages , [RSA78] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM, 21(2): , [Sha90] Adi Shamir. IP=PSPACE. In FOCS 90, pages 11 15,

### How to Prove a Theorem So No One Else Can Claim It

Proceedings of the International Congress of Mathematicians Berkeley, California, USA, 1986 How to Prove a Theorem So No One Else Can Claim It MANUEL BLUM Goldwasser, Micali, and Rackoff [GMR] define for

### Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

### A Survey of Zero-Knowledge Proofs with Applications to Cryptography

A Survey of Zero-Knowledge Proofs with Applications to Cryptography Austin Mohr Southern Illinois University at Carbondale Carbondale, IL 62901 E-mail: austinmohr@gmail.com Abstract Zero-knowledge proofs

### Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

### Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

### Lecture 11: The Goldreich-Levin Theorem

COM S 687 Introduction to Cryptography September 28, 2006 Lecture 11: The Goldreich-Levin Theorem Instructor: Rafael Pass Scribe: Krishnaprasad Vikram Hard-Core Bits Definition: A predicate b : {0, 1}

### The Mathematics of the RSA Public-Key Cryptosystem

The Mathematics of the RSA Public-Key Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through

### Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak

Non-Black-Box Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a

### 1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

### Security of Blind Digital Signatures

Security of Blind Digital Signatures (Revised Extended Abstract) Ari Juels 1 Michael Luby 2 Rafail Ostrovsky 3 1 RSA Laboratories. Email: ari@rsa.com. 2 Digital Fountain 3 UCLA, Email: rafail@cs.ucla.edu.

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### Provably Secure Cryptography: State of the Art and Industrial Applications

Provably Secure Cryptography: State of the Art and Industrial Applications Pascal Paillier Gemplus/R&D/ARSC/STD/Advanced Cryptographic Services French-Japanese Joint Symposium on Computer Security Outline

### SUBLIMINALFREE AUTHENTICATION AND SIGNATURE

SUBLIMINALFREE AUTHENTICATION AND SIGNATURE (Extended Abstract) Yvo Desmedt Dept. EE & CS, Univ. of Wisconsin - Milwaukee P.O. Box 784, WI 53201 Milwaukee, U.S.A. ABSTRACT Simmons [17] introduced the notion

### A Secure and Efficient Conference Key Distribution System

********************** COVER PAGE ********************** A Secure and Efficient Conference Key Distribution System (Extended Abstract) Mike Burmester Department of Mathematics Royal Holloway University

### Lecture 25: Pairing-Based Cryptography

6.897 Special Topics in Cryptography Instructors: Ran Canetti and Ron Rivest May 5, 2004 Lecture 25: Pairing-Based Cryptography Scribe: Ben Adida 1 Introduction The field of Pairing-Based Cryptography

### CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA Diffie-Hellman Key Exchange Public key and

### P versus NP, and More

1 P versus NP, and More Great Ideas in Theoretical Computer Science Saarland University, Summer 2014 If you have tried to solve a crossword puzzle, you know that it is much harder to solve it than to verify

### International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

### Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

### Introduction to Cryptography

Introduction to Cryptography Part 2: public-key cryptography Jean-Sébastien Coron January 2007 Public-key cryptography Invented by Diffie and Hellman in 1976. Revolutionized the field. Each user now has

### A Secure Protocol for the Oblivious Transfer (Extended Abstract) M. J. Fischer. Yale University. S. Micali Massachusetts Institute of Technology

J, Cryptoiogy (1996) 9:191-195 Joumol of CRYPTOLOGY O 1996 International Association for Cryptologic Research A Secure Protocol for the Oblivious Transfer (Extended Abstract) M. J. Fischer Yale University

### 1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

### Cryptographic and Physical Zero- Knowledge Proof Systems for Solutions of Sudoku Puzzles

Cryptographic and Physical Zero- Knowledge Proof Systems for Solutions of Sudoku Puzzles, University of Haifa Joint work with Ronen Gradwohl, Moni Naor and Guy Rothblum page 1 Sudoku Fill in the empty

### Introduction to Security Proof of Cryptosystems

Introduction to Security Proof of Cryptosystems D. J. Guan November 16, 2007 Abstract Provide proof of security is the most important work in the design of cryptosystems. Problem reduction is a tool to

### Chapter 9 Public Key Cryptography and RSA

Chapter 9 Public Key Cryptography and RSA Cryptography and Network Security: Principles and Practices (3rd Ed.) 2004/1/15 1 9.1 Principles of Public Key Private-Key Cryptography traditional private/secret/single

### A NOVEL APPROACH FOR VERIFIABLE SECRET SHARING BY USING A ONE WAY HASH FUNCTION

A NOVEL APPROACH FOR VERIFIABLE SECRET SHARING BY Abstract USING A ONE WAY HASH FUNCTION Keyur Parmar & Devesh Jinwala Sardar Vallabhbhai National Institute of Technology, Surat Email : keyur.beit@gmail.com

### Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

### Lecture 3: One-Way Encryption, RSA Example

ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

### Asymmetric Cryptography. Mahalingam Ramkumar Department of CSE Mississippi State University

Asymmetric Cryptography Mahalingam Ramkumar Department of CSE Mississippi State University Mathematical Preliminaries CRT Chinese Remainder Theorem Euler Phi Function Fermat's Theorem Euler Fermat's Theorem

### PRIME NUMBERS & SECRET MESSAGES

PRIME NUMBERS & SECRET MESSAGES I. RSA CODEBREAKER GAME This is a game with two players or teams. The players take turns selecting either prime or composite numbers as outlined on the board below. The

### Computational Soundness of Symbolic Security and Implicit Complexity

Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview

### 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008

MIT OpenCourseWare http://ocw.mit.edu 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.

### Symmetric Key cryptosystem

SFWR C03: Computer Networks and Computer Security Mar 8-11 200 Lecturer: Kartik Krishnan Lectures 22-2 Symmetric Key cryptosystem Symmetric encryption, also referred to as conventional encryption or single

### Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

### The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems

The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems Becky Cutler Rebecca.cutler@tufts.edu Mentor: Professor Chris Gregg Abstract Modern day authentication systems

### Midterm Exam Solutions CS161 Computer Security, Spring 2008

Midterm Exam Solutions CS161 Computer Security, Spring 2008 1. To encrypt a series of plaintext blocks p 1, p 2,... p n using a block cipher E operating in electronic code book (ECB) mode, each ciphertext

### Public Key (asymmetric) Cryptography

Public-Key Cryptography UNIVERSITA DEGLI STUDI DI PARMA Dipartimento di Ingegneria dell Informazione Public Key (asymmetric) Cryptography Luca Veltri (mail.to: luca.veltri@unipr.it) Course of Network Security,

### MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

### Lukasz Pater CMMS Administrator and Developer

Lukasz Pater CMMS Administrator and Developer EDMS 1373428 Agenda Introduction Why do we need asymmetric ciphers? One-way functions RSA Cipher Message Integrity Examples Secure Socket Layer Single Sign

### Public Key Cryptography. c Eli Biham - March 30, 2011 258 Public Key Cryptography

Public Key Cryptography c Eli Biham - March 30, 2011 258 Public Key Cryptography Key Exchange All the ciphers mentioned previously require keys known a-priori to all the users, before they can encrypt

### 9 Digital Signatures: Definition and First Constructions. Hashing.

Leo Reyzin. Notes for BU CAS CS 538. 1 9 Digital Signatures: Definition and First Constructions. Hashing. 9.1 Definition First note that encryption provides no guarantee that a message is authentic. For

### Privacy-Providing Signatures and Their Applications. PhD Thesis. Author: Somayeh Heidarvand. Advisor: Jorge L. Villar

Privacy-Providing Signatures and Their Applications PhD Thesis Author: Somayeh Heidarvand Advisor: Jorge L. Villar Privacy-Providing Signatures and Their Applications by Somayeh Heidarvand In fulfillment

### 1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies Dave Corbett Technical Product Manager Implementing Forward Secrecy 1 Agenda Part 1: Introduction Why is Forward Secrecy important?

### Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

### Cryptography and Network Security Chapter 9

Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 9 Public Key Cryptography and RSA Every Egyptian received two names,

### Lecture 13 - Basic Number Theory.

Lecture 13 - Basic Number Theory. Boaz Barak March 22, 2010 Divisibility and primes Unless mentioned otherwise throughout this lecture all numbers are non-negative integers. We say that A divides B, denoted

### Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

### Lecture 10 Security (Part 2) <lecturer, date>

Lecture 10 Security (Part 2) Outline Securing computer systems Cryptography Virtual Private Networks (VPN) Access controls Mandatory access control Discretionary access control Role based

### Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

### SECURITY IN NETWORKS

SECURITY IN NETWORKS GOALS Understand principles of network security: Cryptography and its many uses beyond confidentiality Authentication Message integrity Security in practice: Security in application,

### Public Key Cryptography and RSA. Review: Number Theory Basics

Public Key Cryptography and RSA Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Review: Number Theory Basics Definition An integer n > 1 is called a prime number if its positive divisors are 1 and

### Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

IT 4823 Information Security Administration Public Key Encryption Revisited April 5 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles

### 6 Introduction to Cryptography

6 Introduction to Cryptography This section gives a short introduction to cryptography. It is based on the recent tutorial by Jörg Rothe. For an in-depth treatment of cryptography, please consult the Handbook

Group Blind Digital Signatures: Theory and Applications by Zulækar Amin Ramzan Submitted to the Department of Electrical Engineering and Computer Science in partial fulællment of the requirements for the

### CRYPTOGRAPHIC ALGORITHMS (AES, RSA)

CALIFORNIA STATE POLYTECHNIC UNIVERSITY, POMONA CRYPTOGRAPHIC ALGORITHMS (AES, RSA) A PAPER SUBMITTED TO PROFESSOR GILBERT S. YOUNG IN PARTIAL FULFILLMENT OF THE REQUIREMENT FOR THE COURSE CS530 : ADVANCED

### COM S 687 Introduction to Cryptography October 19, 2006

COM S 687 Introduction to Cryptography October 19, 2006 Lecture 16: Non-Malleability and Public Key Encryption Lecturer: Rafael Pass Scribe: Michael George 1 Non-Malleability Until this point we have discussed

### Notes on Network Security Prof. Hemant K. Soni

Chapter 9 Public Key Cryptography and RSA Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications

### The science of encryption: prime numbers and mod n arithmetic

The science of encryption: prime numbers and mod n arithmetic Go check your e-mail. You ll notice that the webpage address starts with https://. The s at the end stands for secure meaning that a process

### A New Forward-Secure Digital Signature Scheme

The extended abstract of this work appears Advances in Cryptology Asiacrypt 2000, Tatsuaki Okamoto, editor, Lecture Notes in Computer Science vol. 1976, Springer-Verlag, 2000. c IACR A New Forward-Secure

### 2.1 Complexity Classes

15-859(M): Randomized Algorithms Lecturer: Shuchi Chawla Topic: Complexity classes, Identity checking Date: September 15, 2004 Scribe: Andrew Gilpin 2.1 Complexity Classes In this lecture we will look

### Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 8-1 Public Key Cryptography symmetric key crypto v requires sender, receiver know shared secret

### Implementation of Elliptic Curve Digital Signature Algorithm

Implementation of Elliptic Curve Digital Signature Algorithm Aqeel Khalique Kuldip Singh Sandeep Sood Department of Electronics & Computer Engineering, Indian Institute of Technology Roorkee Roorkee, India

### NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES Ounasser Abid 1, Jaouad Ettanfouhi 2 and Omar Khadir 3 1,2,3 Laboratory of Mathematics, Cryptography and Mechanics, Department of Mathematics, Fstm,

### Digital Signatures. Meka N.L.Sneha. Indiana State University. nmeka@sycamores.indstate.edu. October 2015

Digital Signatures Meka N.L.Sneha Indiana State University nmeka@sycamores.indstate.edu October 2015 1 Introduction Digital Signatures are the most trusted way to get documents signed online. A digital

### 1 Pseudorandom Permutations

Theoretical Foundations of Cryptography Lecture 9 Georgia Tech, Spring 2010 PRPs, Symmetric Encryption 1 Pseudorandom Permutations Instructor: Chris Peikert Scribe: Pushkar Tripathi In the first part of

### CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

### Cryptography: Authentication, Blind Signatures, and Digital Cash

Cryptography: Authentication, Blind Signatures, and Digital Cash Rebecca Bellovin 1 Introduction One of the most exciting ideas in cryptography in the past few decades, with the widest array of applications,

### Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

### A Factoring and Discrete Logarithm based Cryptosystem

Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511-517 HIKARI Ltd, www.m-hikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques

### Diagonalization. Ahto Buldas. Lecture 3 of Complexity Theory October 8, 2009. Slides based on S.Aurora, B.Barak. Complexity Theory: A Modern Approach.

Diagonalization Slides based on S.Aurora, B.Barak. Complexity Theory: A Modern Approach. Ahto Buldas Ahto.Buldas@ut.ee Background One basic goal in complexity theory is to separate interesting complexity

### MANAGING OF AUTHENTICATING PASSWORD BY MEANS OF NUMEROUS SERVERS

INTERNATIONAL JOURNAL OF ADVANCED RESEARCH IN ENGINEERING AND SCIENCE MANAGING OF AUTHENTICATING PASSWORD BY MEANS OF NUMEROUS SERVERS Kanchupati Kondaiah 1, B.Sudhakar 2 1 M.Tech Student, Dept of CSE,

### LUC: A New Public Key System

LUC: A New Public Key System Peter J. Smith a and Michael J. J. Lennon b a LUC Partners, Auckland UniServices Ltd, The University of Auckland, Private Bag 92019, Auckland, New Zealand. b Department of

### Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography

Kommunikationssysteme (KSy) - Block 8 Secure Network Communication Part II II Public Key Cryptography Dr. Andreas Steffen 2000-2001 A. Steffen, 28.03.2001, KSy_RSA.ppt 1 Secure Key Distribution Problem

### Shor s algorithm and secret sharing

Shor s algorithm and secret sharing Libor Nentvich: QC 23 April 2007: Shor s algorithm and secret sharing 1/41 Goals: 1 To explain why the factoring is important. 2 To describe the oldest and most successful

### 1 Recap: Perfect Secrecy. 2 Limits of Perfect Secrecy. Recall from last time:

Theoretical Foundations of Cryptography Lecture 2 Georgia Tech, Spring 2010 Computational Hardness 1 Recap: Perfect Secrecy Instructor: Chris Peikert Scribe: George P. Burdell Recall from last time: Shannon

### RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.

### The Internal and External Algebraic Structure. of Complexity Classes. Lance Fortnow. Department of Computer Science. The University of Chicago

The Internal and External Algebraic Structure of Complexity Classes Lance Fortnow Department of Computer Science The University of Chicago 1100 East 58th Street Chicago, Illinois 60637 Abstract The report

### ΕΠΛ 674: Εργαστήριο 3

ΕΠΛ 674: Εργαστήριο 3 Ο αλγόριθμος ασύμμετρης κρυπτογράφησης RSA Παύλος Αντωνίου Department of Computer Science Private-Key Cryptography traditional private/secret/single key cryptography uses one key

### Non-interactive and Reusable Non-malleable Commitment Schemes

Non-interactive and Reusable Non-malleable Commitment Schemes Ivan Damgård a Jens Groth b June 16, 2003 Abstract We consider non-malleable (NM) and universally composable (UC) commitment schemes in the

### Applied Cryptography Public Key Algorithms

Applied Cryptography Public Key Algorithms Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 Public Key Cryptography Independently invented by Whitfield Diffie & Martin

### 1 Construction of CCA-secure encryption

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

### Identity-Based Encryption from the Weil Pairing

Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages

### ETH Zurich. Email: stadler@inf.ethz.ch. participants such that only certain groups of them can recover it.

Publicly Veriable Secret Sharing Markus Stadler? Institute for Theoretical Computer Science ETH Zurich CH-8092 Zurich, Switzerland Email: stadler@inf.ethz.ch Abstract. A secret sharing scheme allows to

### On Generating the Initial Key in the Bounded-Storage Model

On Generating the Initial Key in the Bounded-Storage Model Stefan Dziembowski Institute of Informatics, Warsaw University Banacha 2, PL-02-097 Warsaw, Poland, std@mimuw.edu.pl Ueli Maurer Department of

### Tetris is Hard: An Introduction to P vs NP

Tetris is Hard: An Introduction to P vs NP Based on Tetris is Hard, Even to Approximate in COCOON 2003 by Erik D. Demaine (MIT) Susan Hohenberger (JHU) David Liben-Nowell (Carleton) What s Your Problem?

### Alternative machine models

Alternative machine models Computational complexity thesis: All reasonable computer models can simulate one another in polynomial time (i.e. P is robust or machine independent ). But the Turing machine

### UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 6 Introduction to Public-Key Cryptography Israel Koren ECE597/697 Koren Part.6.1

### Two Factor Zero Knowledge Proof Authentication System

Two Factor Zero Knowledge Proof Authentication System Quan Nguyen Mikhail Rudoy Arjun Srinivasan 6.857 Spring 2014 Project Abstract It is often necessary to log onto a website or other system from an untrusted

### 1 Signatures vs. MACs

CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

### Peer-to-Peer Networks Anonymity 9th Week

Peer-to-Peer Networks Anonymity 9th Week Department of Computer Science 1 Motivation Society Free speech is only possible if the speaker does not suffer negative consequences Thus, only an anonymous speaker

### Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

### Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY Sourav Mukhopadhyay Cryptography and Network Security - MA61027 Modern/Public-key cryptography started in 1976 with the publication of the following paper. W. Diffie

### Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database

### Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)