Public-Key Encryption (Asymmetric Encryption)
- Shanon Robbins
- 7 years ago
Transcription
1 Public-Key Encryption (Asymmetric Encryption) Summer School, Romania 2014 Marc Fischlin 13 October 2010 Dr. Marc Fischlin Kryptosicherheit 1
2 The story so far (Private-Key Crypto) 1st phase: Alice and Bob establish secure key k. 2nd phase: Alice sends ciphertext C = Enc(k, m) for message m; Bob computes m = Dec(k, C). Eve eavesdrops on communication. Marc Fischlin Summer School Romania 2014 Public-Key Encryption 2
3 Public-Key Crypto Bob holds pair (sk, pk) of related keys: pk public key, known by everyone; sk secret (or private) key, known only by Bob. Alice sends ciphertext C = Enc(pk, m) for message m; Bob computes m = Dec(sk, C). Eve eavesdrops on communication.
4 Example: (Textbook) RSA Rivest, Shamir, Adleman (from Len Adleman's homepage). Rivest, Shamir, Adleman: "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems". Communications of the ACM, 1978
5 Background:
6 Structure:
7 Alternative characterization: gcd = greatest common divisor Euclid's algorithm: Note:
8 Euler's totient function: Euler's and Fermat's Theorem:
9 RSA Encryption scheme today: N 1024 bits, better at least 2048 bits; choosing parameters is non-trivial. Key Generation: Encryption: Decryption:
10 RSA assumption: hard to compute m from pk = (N, e) and C. It implies (converse unknown) the Factoring assumption: hard to compute p, q from N (minimal security requirement). Alice sends ciphertext C = m^e mod N under pk = (N, e); Bob, with key pair sk = (N, d), pk = (N, e), computes m = C^d mod N. Eve eavesdrops on communication.
11 Warning: When using the RSA function for encryption one actually needs additional means to match modern security notions. You will see in this lecture why.
12 Semantic Security of (Public-Key) Encryption
13 Security of Encryption Schemes Alice sends ciphertext C = Enc(pk, m) for message m; Bob, with key pair (sk, pk), computes m = Dec(sk, C). Eve eavesdrops on communication. What does it mean that an encryption scheme is secure?
14 Shannon's Entropic Approach Alice sends ciphertext C = Enc(pk, m) for message m; Bob, with key pair (sk, pk), computes m = Dec(sk, C). Eve eavesdrops on communication. Eve does not learn anything about message from ciphertext. Shannon, Claude. "Communication Theory of Secrecy Systems". Bell System Technical Journal.
15 Excursion: Shannon Entropy = measure for information = measure for (reduction of) uncertainty = average number of bits required to communicate outcome
16 Alice sends ciphertext C = Enc(pk, m) for message m; Bob, with key pair (sk, pk), computes m = Dec(sk, C). Eve eavesdrops on communication. Eve's uncertainty about message m does not decrease seeing pk, C: entropy of m = uncertainty of Eve about m before transmission; entropy of m, given pk, C = uncertainty of Eve about m after having seen pk, C
17 One-Time-Pad encryption achieves Shannon's bound in private-key setting: Impossible to achieve in public-key setting: sk and pk are information-theoretically related (as required for decryption)
18 Solution: use appropriate complexity-based relaxation (small errors, efficient adversaries only, ...): Whatever information Info(m) an efficient adversary E learns about message m from ciphertext C and pk, one could learn from pk alone.
19 Semantic Security Goldwasser, Micali. "Probabilistic encryption". Journal of Computer and System Sciences. (Source: MIT EECS) A public-key encryption scheme is semantically secure if efficient adversary E, efficient (length-invariant) message distribution M, efficiently computable function Info, efficient algorithm S ("the simulator") s.t. where
20 RSA: C = m^e mod N. Goldwasser, Micali. "Probabilistic encryption". Journal of Computer and System Sciences. Deterministic encryption: Enc(pk, ·) maps message space 1-1 to ciphertext space; message always mapped to same ciphertext. Probabilistic encryption: Enc(pk, ·) maps message space to ciphertext space; message mapped to random ciphertext.
21 Deterministic Encryption Cannot be Semantically Secure (if message space contains at least two equal-length messages) E (length-invariant) M Info S : Define: Then: But:
22 Notes: (Textbook) RSA encryption is not semantically secure encryption, but still a good function (see later). 1st difference private-key vs. public-key encryption: deterministic encryption like One-Time-Pad can be secure in private-key setting (if used only once) vs. deterministic public-key encryption not secure, even if used only once
23 Things to remember from this part: Semantically secure public-key encryption scheme: cannot learn anything useful about message from ciphertext: E M, Info S: Pr( E(pk,C)=Info(m) ) Pr( S(pk)=Info(m) ) Fact: deterministic public-key encryption schemes like textbook RSA cannot be semantically secure. Suggested reading: Goldreich's book Foundations of Cryptography, Volume 2, Chapter 5
24 Indistinguishability vs. Semantic Security
25 Reminder: Security of Encryption Challenger: holds pk, b {0,1}, sends pk, computes C Enc(pk, m_b). Eve: receives pk, sends m_0, m_1 of equal length, receives ciphertext C, outputs b*. A public-key encryption scheme is indistinguishable under chosen-plaintext attacks (IND-CPA) if for any efficient Eve we have Pr[ b=b* ] ½
26 Exercise Break (1) Show, like we did for semantic security, that no deterministic public-key encryption scheme can be IND-CPA* (*assuming that message space contains at least two equal-length messages) (2) Discuss that any encryption scheme with which one can only encrypt one message is IND-CPA
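The IND-CPA game from slide 25 can be run directly against textbook RSA. The following is an added example, not part of the original slides: Eve simply re-encrypts m_0 under pk and compares with the challenge, which always wins against a deterministic scheme and gains nothing against a randomized one (ElGamal, introduced later in the slides, is used as the contrast). All parameters and function names are constructed for this illustration and are far too small for real use; the ElGamal result only shows that this one strategy fails, not that the toy group is secure.

```python
import secrets

# Toy parameters, constructed for this example and far too small for real use.
RSA_N = (2**61 - 1) * (2**89 - 1)   # product of two Mersenne primes
RSA_E = 65537
EG_P, EG_Q, EG_G = 2039, 1019, 4    # safe prime p = 2q + 1; g generates the order-q subgroup


def rsa_textbook_enc(pk, m):
    """Textbook RSA: C = m^e mod N, no randomness involved."""
    n, e = pk
    return pow(m, e, n)


def elgamal_keygen():
    sk = secrets.randbelow(EG_Q - 1) + 1
    return sk, pow(EG_G, sk, EG_P)


def elgamal_enc(pk, m):
    """ElGamal: fresh x per encryption, ciphertext (X, Z) = (g^x, pk^x * m)."""
    x = secrets.randbelow(EG_Q - 1) + 1
    return (pow(EG_G, x, EG_P), pow(pk, x, EG_P) * m % EG_P)


def reencrypt_adversary(enc, pk, m0, m1, challenge):
    """Eve's strategy: encrypt m0 herself and compare with the challenge."""
    return 0 if enc(pk, m0) == challenge else 1


def ind_cpa_win_rate(enc, pk, m0, m1, trials=400):
    """Play the IND-CPA game `trials` times and return Pr[b = b*] as observed."""
    wins = 0
    for _ in range(trials):
        b = secrets.randbelow(2)                  # challenger's hidden bit
        challenge = enc(pk, (m0, m1)[b])          # C = Enc(pk, m_b)
        wins += reencrypt_adversary(enc, pk, m0, m1, challenge) == b
    return wins / trials


def run_demo():
    """Return (win rate against textbook RSA, win rate against ElGamal)."""
    rsa_rate = ind_cpa_win_rate(rsa_textbook_enc, (RSA_N, RSA_E), 1234, 5678)
    _, pk = elgamal_keygen()
    m0, m1 = pow(EG_G, 5, EG_P), pow(EG_G, 9, EG_P)   # messages encoded as group elements
    eg_rate = ind_cpa_win_rate(elgamal_enc, pk, m0, m1)
    return rsa_rate, eg_rate


if __name__ == "__main__":
    rsa_rate, eg_rate = run_demo()
    print(f"textbook RSA: Eve wins {rsa_rate:.2f} of games")
    print(f"ElGamal:      Eve wins {eg_rate:.2f} of games")
```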
27 Semantic Security Indistinguishability Which one to prefer? It doesn't really matter
28 Theorem: A public-key encryption scheme is semantically secure if and only if it is IND-CPA ("indistinguishable").* (*Need to use slightly stronger definition of semantic security.) First IND-CPA implies semantic security, then NOT IND-CPA implies NOT semantic security.
29 IND-CPA implies Semantic Security E (length-invariant) M Info S : given E, construct S as follows: E receives pk, C = Enc(pk, m) and outputs e approximating Info(pk, m). S receives pk, computes C* = Enc(pk, 0...0), runs E as subroutine on pk, C* and outputs e*.
30 IND-CPA implies Semantic Security E (length-invariant) M Info S : given E, construct S as follows: E receives pk, C = Enc(pk, m) and outputs e approximating Info(pk, m). S receives pk, computes C* = Enc(pk, 0...0), runs E as subroutine on pk, C* and outputs e*. IND-CPA: C* looks like C; e* looks like e; e*, too, approximates Info(pk, m)
31 NOT (IND-CPA) implies NOT (Semantic Security) Challenger: holds pk, b {0,1}, sends pk, computes C Enc(pk, m_b). E*: receives pk, sends m_0, m_1 of equal length, receives ciphertext C, outputs b* such that Pr( b=b* ) >> ½
32 Things to remember from this part: IND-CPA security of encryption: ciphertexts of adversarially chosen messages are indistinguishable. Fact: semantic security and indistinguishability are equivalent. Suggested reading: Goldreich's book Foundations of Cryptography, Volume 2, Chapter 5
33 ElGamal Encryption
34 Key Agreement Alice and Bob run a key agreement; each obtains cryptographic key K; communication is then secured through K. Eve eavesdrops on communication: key K???
35 Diffie-Hellman Key Agreement W. Diffie, M. Hellman: New Directions in Cryptography, IEEE Transactions on Information Theory, 1976 Alice Bob
36 From Diffie-Hellman to ElGamal T. ElGamal: "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms". Transactions on Information Theory, 1985 Alice Bob pk = , Z Z = mix K with message m m = unmix K and Z and thus not m
37 ElGamal Encryption Scheme Key Generation: Encryption for message : Decryption:
38 Security of ElGamal Encryption Decisional Diffie-Hellman (DDH) Assumption: given X, Y, key K looks random. It implies (converse in general unknown) the Computational Diffie-Hellman (DH) Assumption: given X, Y, K hard to compute. It implies (converse in general unknown) the Discrete Logarithm Assumption: given X = g^x, x hard to compute
41 ElGamal Encryption is Secure under DDH Challenger: holds pk = g^sk, b {0,1}, sends pk, picks x Z_q, computes Z = pk^x m_b, sends (X, Z). Eve: receives pk, sends m_0, m_1 G, receives (X, Z), outputs b*. Pr( b=b* ) ½ DDH: pk^x looks random and acts like one-time pad in G
42 Note: encoding message into group is usually too inefficient; approach in practice via hash function Hash: G {0,1}*: encryption by (X, Z) for Z = Hash(pk^x) m
43 Things to remember from this part: ElGamal encryption: based on Diffie-Hellman key exchange. Enc(pk, m) = (X, Z) where x Z_q, X = g^x, Z = pk^x m and pk = g^sk. Fact: ElGamal encryption is IND-CPA under DDH Assumption (given pk, X, value pk^x looks random). Suggested reading: Katz-Lindell book Introduction to Modern Cryptography
44 Chosen-Ciphertext Security
45 chosen-ciphertext attack (CCA): Eve modifies ciphertext C to C* (say, by flipping some bits) to deduce some information about m from m*. Alice sends ciphertext C = Enc(pk, m) for message m; Eve eavesdrops on communication and passes on ciphertext C*; Bob, with key pair (sk, pk), computes m* = Dec(sk, C*)
46 CCA against ElGamal Encryption message m Eve m* = g m key pair (sk, pk) Alice public key pk Bob m* = Dec(sk, C*)
47 Exercise break Discuss that for ElGamal encryption: (1) given (X, Z) one can compute new ciphertext (X*, Z*) for same unknown message (2) given (X_1, Z_1), (X_2, Z_2) of unknown messages m_1, m_2 one can compute ciphertext of m_1 m_2
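The two properties in the exercise, and why they rule out IND-CCA security for plain ElGamal, can be checked in a few lines. This is an added example, not part of the original slides; the toy group (p = 2039, q = 1019, g = 4) and all function names are constructed for this illustration, and the formula Z = pk^x * m (multiplication in the group) is the standard ElGamal encryption.

```python
import secrets

# Toy group, constructed for this example: safe prime P = 2Q + 1, G of order Q.
P, Q, G = 2039, 1019, 4


def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def enc(pk, m):
    x = secrets.randbelow(Q - 1) + 1
    return (pow(G, x, P), pow(pk, x, P) * m % P)      # (X, Z) = (g^x, pk^x * m)


def dec(sk, c):
    big_x, big_z = c
    return big_z * pow(pow(big_x, sk, P), -1, P) % P  # m = Z / X^sk


def rerandomize(pk, c):
    """Exercise (1): new ciphertext (X*, Z*) of the same unknown message."""
    big_x, big_z = c
    x2 = secrets.randbelow(Q - 1) + 1                 # g^x2 != 1, so X* != X
    return (big_x * pow(G, x2, P) % P, big_z * pow(pk, x2, P) % P)


def multiply(c1, c2):
    """Exercise (2): ciphertext of m_1 * m_2 from ciphertexts of m_1 and m_2."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)


def decryption_oracle(sk, challenge, query):
    """IND-CCA oracle: decrypts anything except the challenge ciphertext itself."""
    if query == challenge:
        return None
    return dec(sk, query)


def ind_cca_win_rate(trials=200):
    """IND-CCA game where Eve submits a re-randomized challenge to the oracle."""
    sk, pk = keygen()
    m0, m1 = pow(G, 5, P), pow(G, 9, P)
    wins = 0
    for _ in range(trials):
        b = secrets.randbelow(2)
        challenge = enc(pk, (m0, m1)[b])
        answer = decryption_oracle(sk, challenge, rerandomize(pk, challenge))
        wins += (0 if answer == m0 else 1) == b
    return wins / trials


if __name__ == "__main__":
    sk, pk = keygen()
    m1, m2 = pow(G, 3, P), pow(G, 10, P)
    c1, c2 = enc(pk, m1), enc(pk, m2)
    print("re-randomized decrypts to same m:", dec(sk, rerandomize(pk, c1)) == m1)
    print("product decrypts to m1*m2:", dec(sk, multiply(c1, c2)) == m1 * m2 % P)
    print("IND-CCA win rate:", ind_cca_win_rate())
```

Because the oracle only refuses the exact challenge, a scheme must make every modified ciphertext invalid to be IND-CCA, which is what the Cramer-Shoup and OAEP constructions later in the slides aim for.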
49 IND-CCA Security of Encryption Schemes Challenger: holds pk, b {0,1}, sends pk, computes C Enc(pk, m_b), answers decryption queries with Dec(sk, ·). Eve: receives pk, submits ciphertext C* and receives message m*, sends m_0, m_1 of equal length, receives ciphertext C, submits ciphertext C* C and receives message m*, outputs b*. A public-key encryption scheme is indistinguishable under (adaptive) chosen-ciphertext attacks (IND-CCA) if for any efficient Eve we have Pr[ b=b* ] ½
51 Making ElGamal CCA-secure R. Cramer, V. Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. Crypto 98. Cramer-Shoup encryption scheme Key Generation: Encryption: Decryption:
53 RSA-OAEP Encryption M. Bellare, P. Rogaway. Optimal Asymmetric Encryption -- How to encrypt with RSA, Eurocrypt 1994. OAEP = optimal asymmetric encryption padding (message space almost entire group). Standardized in ANS X9.44, IEEE P1363, SET
54 Encryption G, H hash functions (random oracles); pad message to m 0^k; pick random string r; s = G(r) m 0^k; t = H(s) r; C = RSA(s t)
55 Decryption (diagram): RSA^-1 applied to RSA(s t) gives s t, with s = G(r) m 0^k and t = H(s) r; recover r using H and m z using G; check z = 0^k ?
56 Theorem: RSA-OAEP is IND-CCA under RSA assumption in the random oracle model. First security proof in 1994, but: Shoup: gap in the proof (November 18th, 2000); Fujisaki, Okamoto, Pointcheval, Stern: gap can be closed (November 27th, 2000)
57 Security idea for CPA: adversary does not learn anything about message from ciphertext. RSA assumption: s hard to compute from C; then r = H(s) t random looking; also m 0^k = s G(r) quasi random (from adversary's perspective!)
58 Security idea for CCA: adversary cannot meaningfully modify ciphertext. Assume: adversary can modify ciphertext through RSA to flip bits in s t; then r* = H([s+flips]) [t+flips] random, and thus also G(r*); with high probability also bit flips in 0^k, hence ciphertext invalid
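The OAEP structure of slides 54 to 58 written out as code, as an added example that is not part of the original slides. It uses the standard OAEP relations s = G(r) XOR (m || 0^k) and t = H(s) XOR r, with SHA-256 truncations standing in for the random oracles G and H; the modulus, block sizes and function names are constructed toy values, far too small for real use. It also shows the contrast with textbook RSA: a ciphertext modified through the RSA function decrypts to a related message there, but is rejected by the 0^k check under OAEP.

```python
import hashlib
import secrets

# Toy RSA key, constructed for this example (two Mersenne primes, ~216-bit N).
P_, Q_ = 2**127 - 1, 2**89 - 1
N, E = P_ * Q_, 65537
D = pow(E, -1, (P_ - 1) * (Q_ - 1))

MSG_LEN, K_ZERO, R_LEN = 8, 8, 8          # bytes: message, 0^k redundancy, random r
S_LEN = MSG_LEN + K_ZERO
BLOCK_LEN = S_LEN + R_LEN                  # 24 bytes = 192 bits, always below N


def G(r):
    """Stand-in for random oracle G: expands r to the length of m || 0^k."""
    return hashlib.sha256(b"G" + r).digest()[:S_LEN]


def H(s):
    """Stand-in for random oracle H: compresses s to the length of r."""
    return hashlib.sha256(b"H" + s).digest()[:R_LEN]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encrypt(m):
    if len(m) != MSG_LEN:
        raise ValueError("this toy version encrypts exactly MSG_LEN bytes")
    r = secrets.token_bytes(R_LEN)               # pick random string r
    s = xor(G(r), m + bytes(K_ZERO))             # s = G(r) XOR (m || 0^k)
    t = xor(H(s), r)                             # t = H(s) XOR r
    return pow(int.from_bytes(s + t, "big"), E, N)   # C = RSA(s || t)


def oaep_decrypt(c):
    """Return the message, or None if the ciphertext is invalid."""
    block_int = pow(c, D, N)                     # RSA^-1
    if block_int >= 1 << (8 * BLOCK_LEN):
        return None                              # does not fit the s || t format
    block = block_int.to_bytes(BLOCK_LEN, "big")
    s, t = block[:S_LEN], block[S_LEN:]
    r = xor(H(s), t)                             # r = H(s) XOR t
    padded = xor(G(r), s)                        # m || z = G(r) XOR s
    m, z = padded[:MSG_LEN], padded[MSG_LEN:]
    return m if z == bytes(K_ZERO) else None     # check z = 0^k


def textbook_enc(m_int):
    return pow(m_int, E, N)


def textbook_dec(c):
    return pow(c, D, N)


def scale_ciphertext(c, factor):
    """Modify a ciphertext 'through RSA': the plaintext is multiplied by factor."""
    return c * pow(factor, E, N) % N


if __name__ == "__main__":
    c = oaep_encrypt(b"8bytemsg")
    print("round trip:", oaep_decrypt(c))
    print("same message, new ciphertext:", oaep_encrypt(b"8bytemsg") != c)
    print("textbook RSA, scaled by 2:", textbook_dec(scale_ciphertext(textbook_enc(21), 2)))
    print("OAEP, scaled by 2:", oaep_decrypt(scale_ciphertext(c, 2)))
```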
59 RSA PKCS #1 v1.5 another encoding scheme for RSA: random string 00 message. Still often used instead of OAEP. Bleichenbacher's attack: RSA PKCS #1 v1.5 not IND-CCA. D. Bleichenbacher, Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1. Crypto 98
60 Note on Certification of public keys certification = binding of public keys to person; often implicitly assumed in crypto. Bob, with key pair (sk, pk), sends public key pk; Alice receives public key pk* and sends ciphertext C = Enc(pk*, m) for message m; Eve eavesdrops on communication and can decrypt message m with the help of sk*
61 Things to remember from this part: Chosen-Ciphertext Security (IND-CCA): adversary cannot distinguish ciphertexts of messages, even if allowed to decrypt other ciphertexts; strong security notion, not satisfied by ElGamal encryption. Fact: Cramer-Shoup version of ElGamal is IND-CCA (for DDH assumption); RSA-OAEP is IND-CCA for RSA assumption in random oracle model. Suggested reading: Katz-Lindell book Introduction to Modern Cryptography
62 Hybrid Encryption
63 So far: public-key encryption only for short messages. Hybrid encryption (best of both worlds): encrypt short symmetric key k under public scheme + encrypt data under key k with faster symmetric scheme. Alice: pick key k, C PubEnc(pk, k), D SymEnc(k, m); sends ciphertext (C, D). Bob, with key pair (sk, pk): k = PubDec(sk, C), m = SymDec(k, D)
64 Theorem (CCA+CCA=CCA): If public-key scheme is IND-CCA and symmetric scheme is IND-CCA, then so is hybrid encryption scheme. But we actually need less: encrypt only random keys under public-key scheme. KEM/DEM approach: KEM = key encapsulation mechanism, DEM = data encryption mechanism
65 KEM: encryption generates random key k and ciphertext C. Challenger: holds pk, b {0,1}, computes (C, k_0) Enc(pk), picks random k_1, sends pk and (C, k_b). Adversary outputs b*. Pr( b=b* ) ½
66 KEM/DEM approach can lead to more efficient solutions: Cramer-Shoup encryption: Kurosawa-Desmedt KEM/DEM version:
67 Things to remember from this part: Hybrid Encryption: encrypt symmetric key k with public-key scheme, encrypt message with k under symmetric scheme; special case: KEM/DEM. Suggested reading: Katz-Lindell book Introduction to Modern Cryptography
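A sketch of the KEM/DEM split from slides 63 to 65, as an added example that is not part of the original slides. The KEM is the hashed ElGamal idea of slide 42 (key k = Hash(pk^x), encapsulation X = g^x); the DEM is a constructed stand-in built from SHA-256 and HMAC (encrypt-then-MAC) because the Python standard library has no block cipher. The toy group and all function names are assumptions of this illustration and are far too small for real use.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for this example: safe prime P = 2Q + 1, G of order Q.
P, Q, G = 2039, 1019, 4
TAG_LEN = 32


def kem_keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def _derive(shared):
    """Hash the shared group element pk^x into a symmetric key."""
    return hashlib.sha256(shared.to_bytes(2, "big")).digest()


def kem_encaps(pk):
    """KEM encryption takes no message: it outputs ciphertext C and a fresh key k."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), _derive(pow(pk, x, P))


def kem_decaps(sk, c):
    return _derive(pow(c, sk, P))


def _keystream(key, n):
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def dem_encrypt(k, m):
    """One-time DEM: k is fresh per message, so no nonce is needed."""
    enc_key = hashlib.sha256(b"enc" + k).digest()
    mac_key = hashlib.sha256(b"mac" + k).digest()
    body = bytes(a ^ b for a, b in zip(m, _keystream(enc_key, len(m))))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def dem_decrypt(k, d):
    """Return the message, or None if the tag does not verify."""
    if len(d) < TAG_LEN:
        return None
    body, tag = d[:-TAG_LEN], d[-TAG_LEN:]
    mac_key = hashlib.sha256(b"mac" + k).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return None
    enc_key = hashlib.sha256(b"enc" + k).digest()
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, len(body))))


def hybrid_encrypt(pk, m):
    c, k = kem_encaps(pk)              # public-key part handles only the short key
    return c, dem_encrypt(k, m)        # symmetric part handles the data


def hybrid_decrypt(sk, ciphertext):
    c, d = ciphertext
    return dem_decrypt(kem_decaps(sk, c), d)


if __name__ == "__main__":
    sk, pk = kem_keygen()
    message = b"constructed sample message " * 20     # longer than any group element
    c, d = hybrid_encrypt(pk, message)
    print("round trip ok:", hybrid_decrypt(sk, (c, d)) == message)
    tampered = d[:5] + bytes([d[5] ^ 1]) + d[6:]
    print("tampered data rejected:", hybrid_decrypt(sk, (c, tampered)) is None)
```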
68 Wrap Up
69 Semantic Security: Indistinguishability (IND-CPA): Semantic Security . Indistinguishability (IND-CPA)
70 ElGamal encryption: ElGamal encryption is .. secure ElGamal encryption is not .. secure
71 IND-CCA security: Examples of IND-CCA secure schemes:
72 Hybrid encryption:
73 Ph.D. TU Darmstadt:
Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords Jonathan Katz 1 Rafail Ostrovsky 2 Moti Yung 3 1 Telcordia Technologies and Department of Computer Science, Columbia University.
More informationSECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES
www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,
More informationSecure File Transfer Using USB
International Journal of Scientific and Research Publications, Volume 2, Issue 4, April 2012 1 Secure File Transfer Using USB Prof. R. M. Goudar, Tushar Jagdale, Ketan Kakade, Amol Kargal, Darshan Marode
More informationMANAGING OF AUTHENTICATING PASSWORD BY MEANS OF NUMEROUS SERVERS
INTERNATIONAL JOURNAL OF ADVANCED RESEARCH IN ENGINEERING AND SCIENCE MANAGING OF AUTHENTICATING PASSWORD BY MEANS OF NUMEROUS SERVERS Kanchupati Kondaiah 1, B.Sudhakar 2 1 M.Tech Student, Dept of CSE,
More informationPublic Key (asymmetric) Cryptography
Public-Key Cryptography UNIVERSITA DEGLI STUDI DI PARMA Dipartimento di Ingegneria dell Informazione Public Key (asymmetric) Cryptography Luca Veltri (mail.to: luca.veltri@unipr.it) Course of Network Security,
More informationMessage Authentication Code
Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44
More informationChosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1
Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 Daniel Bleichenbacher Bell Laboratories 700 Mountain Ave., Murray Hill, NJ 07974 bleichen@research.bell-labs.com
More informationPublic-Key Cryptanalysis
To appear in Recent Trends in Cryptography, I. Luengo (Ed.), Contemporary Mathematics series, AMS-RSME, 2008. Public-Key Cryptanalysis Phong Q. Nguyen Abstract. In 1976, Diffie and Hellman introduced the
More informationCertificate Based Signature Schemes without Pairings or Random Oracles
Certificate Based Signature Schemes without Pairings or Random Oracles p. 1/2 Certificate Based Signature Schemes without Pairings or Random Oracles Joseph K. Liu, Joonsang Baek, Willy Susilo and Jianying
More information7! Cryptographic Techniques! A Brief Introduction
7! Cryptographic Techniques! A Brief Introduction 7.1! Introduction to Cryptography! 7.2! Symmetric Encryption! 7.3! Asymmetric (Public-Key) Encryption! 7.4! Digital Signatures! 7.5! Public Key Infrastructures
More informationHow To Know If A Message Is From A Person Or A Machine
The RSA Algorithm Evgeny Milanov 3 June 2009 In 1978, Ron Rivest, Adi Shamir, and Leonard Adleman introduced a cryptographic algorithm, which was essentially to replace the less secure National Bureau
More informationTrading One-Wayness against Chosen-Ciphertext Security in Factoring-Based Encryption
Trading One-Wayness against Chosen-Ciphertext Security in Factoring-Based Encryption Pascal Paillier 1 and Jorge L. Villar 2 1 Cryptography Group, Security Labs, Gemalto pascal.paillier@gemalto.com 2 Departament
More informationCapture Resilient ElGamal Signature Protocols
Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department
More informationLecture 2: Complexity Theory Review and Interactive Proofs
600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography
More informationA Proposal for an ISO Standard for Public Key Encryption (version 2.1)
A Proposal for an ISO Standard for Public Key Encryption (version 2.1) Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com December 20, 2001 Abstract This
More informationGroup Blind Digital Signatures: Theory and Applications by Zulækar Amin Ramzan Submitted to the Department of Electrical Engineering and Computer Science in partial fulællment of the requirements for the
More informationNotes on Network Security Prof. Hemant K. Soni
Chapter 9 Public Key Cryptography and RSA Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications
More informationSemantic Security for the McEliece Cryptosystem without Random Oracles
Semantic Security for the McEliece Cryptosystem without Random Oracles Ryo Nojima 1, Hideki Imai 23, Kazukuni Kobara 3, and Kirill Morozov 3 1 National Institute of Information and Communications Technology
More informationVictor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract
Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart
More informationOn the Security of the Tor Authentication Protocol
On the Security of the Tor Authentication Protocol Ian Goldberg David R. Cheriton School of Computer Science, University of Waterloo, 00 University Ave W, Waterloo, ON NL 3G1 iang@cs.uwaterloo.ca Abstract.
More informationAdvanced Cryptography
Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.
More informationLecture 9: Application of Cryptography
Lecture topics Cryptography basics Using SSL to secure communication links in J2EE programs Programmatic use of cryptography in Java Cryptography basics Encryption Transformation of data into a form that
More informationModule: Applied Cryptography. Professor Patrick McDaniel Fall 2010. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Applied Cryptography Professor Patrick McDaniel Fall 2010 Page 1 Key Distribution/Agreement Key Distribution is the process where we assign
More informationSecure Deduplication of Encrypted Data without Additional Independent Servers
Secure Deduplication of Encrypted Data without Additional Independent Servers Jian Liu Aalto University jian.liu@aalto.fi N. Asokan Aalto University and University of Helsinki asokan@acm.org Benny Pinkas
More informationNetwork Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering
Network Security Gaurav Naik Gus Anderson, Philadelphia, PA Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14:
More informationLukasz Pater CMMS Administrator and Developer
Lukasz Pater CMMS Administrator and Developer EDMS 1373428 Agenda Introduction Why do we need asymmetric ciphers? One-way functions RSA Cipher Message Integrity Examples Secure Socket Layer Single Sign
More informationPaillier Threshold Encryption Toolbox
Paillier Threshold Encryption Toolbox October 23, 2010 1 Introduction Following a desire for secure (encrypted) multiparty computation, the University of Texas at Dallas Data Security and Privacy Lab created
More informationIdentity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks
Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen - Huawei, Singapore Ye Zhang - Pennsylvania State University, USA Siu Ming
More informationOutline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg
Outline CSc 466/566 Computer Security 8 : Cryptography Digital Signatures Version: 2012/02/27 16:07:05 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian
More informationHow to Encrypt in the Mobile Cloud. Yuliang Zheng ( 鄭 玉 良 ) UNC Charlotte yzheng@uncc.edu
How to Encrypt in the Mobile Cloud Yuliang Zheng ( 鄭 玉 良 ) UNC Charlotte yzheng@uncc.edu Smartphones meet the cloud (Match made in the heaven) Smartphones Small storage Stolen/lost Models change yearly
More informationA SOFTWARE COMPARISON OF RSA AND ECC
International Journal Of Computer Science And Applications Vol. 2, No. 1, April / May 29 ISSN: 974-13 A SOFTWARE COMPARISON OF RSA AND ECC Vivek B. Kute Lecturer. CSE Department, SVPCET, Nagpur 9975549138
More informationAuthentication and Encryption: How to order them? Motivation
Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in
More informationLecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads
CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs
More informationHybrid Encryption in the Multi-User Setting
Hybrid Encryption in the Multi-User Setting G.M. Zaverucha Research In Motion 4701 Tahoe Boulevard Mississauga ON, L4W 0B5 March 20, 2012 Abstract This paper presents an attack in the multi-user setting
More informationSecurity of Blind Digital Signatures
Security of Blind Digital Signatures (Revised Extended Abstract) Ari Juels 1 Michael Luby 2 Rafail Ostrovsky 3 1 RSA Laboratories. Email: ari@rsa.com. 2 Digital Fountain 3 UCLA, Email: rafail@cs.ucla.edu.
More informationEfficient Certificate-Based Encryption Scheme Secure Against Key Replacement Attacks in the Standard Model *
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 0, 55-568 (04) Efficient Certificate-Based Encryption Scheme Secure Against Key Replacement Attacks in the Standard Model * College of Computer and Information
More informationAdaptively-Secure, Non-Interactive Public-Key Encryption
Adaptively-Secure, Non-Interactive Public-Key Encryption Ran Canetti 1, Shai Halevi 1, and Jonathan Katz 2 1 IBM T.J. Watson Research Center, NY, USA. 2 Department of Computer Science, University of Maryland.
More informationCryptography and Network Security Chapter 10
Cryptography and Network Security Chapter 10 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 10 Other Public Key Cryptosystems Amongst the tribes of Central
More informationUniversal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption
Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key
More informationCryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur
Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)
More informationA New Efficient Digital Signature Scheme Algorithm based on Block cipher
IOSR Journal of Computer Engineering (IOSRJCE) ISSN: 2278-0661, ISBN: 2278-8727Volume 7, Issue 1 (Nov. - Dec. 2012), PP 47-52 A New Efficient Digital Signature Scheme Algorithm based on Block cipher 1
More informationIdentity-based Encryption with Efficient Revocation
A preliminary version of this paper appears in Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS 2008, ACM Press, 2008. This is the full version. Identity-based Encryption
More informationCS 758: Cryptography / Network Security
CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html
More information