PostQuantum Cryptography #4


 Chester Stewart
 3 years ago
 Views:
Transcription
1 PostQuantum Cryptography #4 Prof. Claude Crépeau McGill University 185
2 ( 186
3 Attack scenarios Ciphertextonly attack: This is the most basic type of attack and refers to the scenario where the adversary just observes a ciphertext (or multiple ciphertexts) and attempts to determine the underlying plaintext (or plaintexts). m? cwill you marry me? 187
4 cwill you marry me? Attack scenarios Knownplaintext attack: The adversary learns one or more pairs of plaintexts/ciphertexts encrypted under the same key. The aim is to determine the plaintext that was encrypted in some other ciphertext. m m? c Will you marry me? 188
5 Attack scenarios Chosenplaintext attack: The adversary has the ability to obtain the encryption of plaintexts of its choice. It then attempts to determine the plaintext that was encrypted in some other ciphertext. m? m cwill you marry me? c Will you marry me? 189
6 Attack scenarios Chosenciphertext attack: The adversary is even given the capability to obtain the decryption of ciphertexts of its choice. The adversary s aim, once again, is to determine the plaintext that was encrypted in some other ciphertext. c cwill you marry me? m m? c Will you marry me? 190
7 What is secure encryption? Answer 1 an encryption scheme is secure if no adversary can find the secret key when given a ciphertext. 191
8 secure encryption. Answer 2 an encryption scheme is secure if no adversary can find the plaintext that corresponds to the ciphertext. 192
9 secure encryption. Answer 3 an encryption scheme is secure if no adversary can determine any character of the plaintext that corresponds to the ciphertext. 193
10 secure encryption. Answer 4 an encryption scheme is secure if no adversary can derive any meaningful information about the plaintext from the ciphertext. Definitions of security should suffice for all potential applications. 194
11 secure encryption. The Final Answer an encryption scheme is secure if no adversary can compute any function of the plaintext from the ciphertext. 195
12 Perfect Secrecy DEFINITION 2.1 An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret if for every probability distribution over M, every message m M, and every ciphertext c C for which Pr[C = c] > 0 : Pr[M = m C = c] = Pr[M = m]. 196
13 An equivalent formulation LEMMA 2.2 An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret if and only if for every probability distribution over M, every message m M, and every ciphertext c C : Pr[C = c M = m] = Pr[C = c]. 197
14 Perfect indistinguishability LEMMA 2.3 An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret if and only if for every probability distribution over M, every m0, m1 M, and every c C : Pr[ C = c M = m0 ] = Pr[ C = c M = m1 ]. 198
15 Adversarial indistinguishability. 199
16 Adversarial indistinguishability. This other definition is based on an experiment involving an adversary A, and formalizes A s inability to distinguish the encryption of one plaintext from the encryption of another; we thus call it adversarial indistinguishability. 199
17 Adversarial indistinguishability. This other definition is based on an experiment involving an adversary A, and formalizes A s inability to distinguish the encryption of one plaintext from the encryption of another; we thus call it adversarial indistinguishability. This definition will serve as our starting point when we introduce the notion of computational security in the next chapter. 199
18 Adversarial indistinguishability. 200
19 Adversarial indistinguishability. The experiment is defined for any encryption scheme Π = (Gen, Enc, Dec) over message space M and for any adversary A. 200
20 Adversarial indistinguishability. The experiment is defined for any encryption scheme Π = (Gen, Enc, Dec) over message space M and for any adversary A. We let PrivK ea A, v denote an execution of the Π experiment for a given Π and A. The experiment is defined as follows: 200
21 PrivK e A a, v Π A 201
22 PrivK e A a, v Π m0, m1 M A 201
23 PrivK e A a, v Π k Gen m0, m1 M A 201
24 PrivK e A a, v Π k Gen b { 0, 1 } m0, m1 M A 201
25 PrivK e A a, v Π k Gen b { 0, 1 } c Enck(mb) m0, m1 M A 201
26 PrivK e A a, v Π k Gen b { 0, 1 } c Enck(mb) m0, m1 M c A 201
27 PrivK e A a, v Π k Gen b { 0, 1 } c Enck(mb) m0, m1 M c A b 201
28 PrivK e A a, v Π k Gen b { 0, 1 } c Enck(mb) m0, m1 M c A b b 201
29 PrivK e A a, v Π k Gen b { 0, 1 } c Enck(mb) m0, m1 M c A b b b = b? 201
30 Adversarial indistinguishability. 202
31 Adversarial indistinguishability. PrivK e A a, v Π : 202
32 Adversarial indistinguishability. PrivK e A a, v Π : 1. Adversary A outputs a pair of messages m0, m1 M. 202
33 Adversarial indistinguishability. PrivK ea A, v : Π 1. Adversary A outputs a pair of messages m0, m1 M. 2. A random key k is generated by running Gen, and a random bit b { 0, 1 } is chosen (by some imaginary entity that is running the experiment with A.) A ciphertext c Enck(mb) is computed and given to A. 202
34 Adversarial indistinguishability. PrivK ea A, v : Π 1. Adversary A outputs a pair of messages m0, m1 M. 2. A random key k is generated by running Gen, and a random bit b { 0, 1 } is chosen (by some imaginary entity that is running the experiment with A.) A ciphertext c Enck(mb) is computed and given to A. 3. A outputs a bit b. 202
35 Adversarial indistinguishability. PrivK ea A, v : Π 1. Adversary A outputs a pair of messages m0, m1 M. 2. A random key k is generated by running Gen, and a random bit b { 0, 1 } is chosen (by some imaginary entity that is running the experiment with A.) A ciphertext c Enck(mb) is computed and given to A. 3. A outputs a bit b. 4. The output of the experiment is defined to be 1 if b = b, and 0 otherwise. 202
36 Adversarial indistinguishability. 203
37 Adversarial indistinguishability. We write PrivK e A a, v Π = 1 if the output is 1 and in this case we say that A succeeded. 203
38 Adversarial indistinguishability. We write PrivK ea A, v = 1 if the output is 1 and in Π this case we say that A succeeded. One should think of A as trying to guess the value of b that is chosen in the experiment, and A succeeds when its guess b is correct. 203
39 Adversarial indistinguishability. We write PrivK ea A, v = 1 if the output is 1 and in Π this case we say that A succeeded. One should think of A as trying to guess the value of b that is chosen in the experiment, and A succeeds when its guess b is correct. The alternate definition we now give states that an encryption scheme is perfectly secret if no adversary A can succeed with probability any better than 1 /2. 203
40 PrivK e A a, v Π A 204
41 PrivK e A a, v Π k Gen b { 0, 1 } c Enck(mb) m0, m1 M c A 204
42 PrivK e A a, v Π k Gen b { 0, 1 } c Enck(mb) m0, m1 M c A b 204
43 PrivK e A a, v Π k Gen b { 0, 1 } c Enck(mb) m0, m1 M c A b b 204
44 PrivK e A a, v Π k Gen b { 0, 1 } c Enck(mb) m0, m1 M c A b b Pr[ b = b ] = 1 /2 204
45 PrivK e A a, v Π k Gen b { 0, 1 } c Enck(mb) m0, m1 M c A perfectly secret b b Pr[ b = b ] = 1 /2 204
46 Adversarial indistinguishability. DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message space M is perfectly secret if for every adversary A it holds that Pr[ PrivK ea A, v = 1 ] = 1 Π /2. 205
47 Adversarial indistinguishability. PROPOSITION 2.5 Let (Gen, Enc, Dec) be an encryption scheme over a message space M. Then (Gen, Enc, Dec) is perfectly secret with respect to Definition 2.1 if and only if it is perfectly secret with respect to Definition
48 4 Equivalent Formulations DEFINITION 2.1 An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret if for every probability distribution over M, every message m M, and every ciphertext c C for which Pr[C = c] > 0 : Pr[M = m C = c] = Pr[M = m]. LEMMA 2.3 An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret if and only if for every probability distribution over M, every m0, m1 M, and every c C : Pr[ C = c M = m0 ] = Pr[ C = c M = m1 ]. LEMMA 2.2 An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret if and only if for every probability distribution over M, every message m M, and every ciphertext c C : Pr[C = c M = m] = Pr[C = c]. DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message space M is perfectly secret if for every adversary A it holds that Pr[ PrivK e a v A, Π = 1 ] = 1 /2. 207
49 3.2 Defining Computationally Secure Encryption DEFINITION 3.7 A privatekey encryption scheme is a tuple of probabilistic polynomialtime algorithms (Gen, Enc, Dec) such that: 1/3. The keygeneration algorithm Gen takes as input the security parameter 1 n and outputs a key k; we write this as k Gen(1 n ) (thus emphasizing the fact that Gen is a randomized algorithm). We will assume without loss of generality that any key k Gen(1 n ) satisfies k n. 208
50 Defining Computationally Secure Encryption DEFINITION 3.7 A privatekey encryption scheme is a tuple of probabilistic polynomialtime algorithms (Gen, Enc, Dec) such that: 2/3. The encryption algorithm Enc takes as input a key k and a plaintext message m {0,1}, and outputs a ciphertext c. Since Enc may be randomized, we write c Enck(m). 209
51 Defining Computationally Secure Encryption DEFINITION 3.7 A privatekey encryption scheme is a tuple of probabilistic polynomialtime algorithms (Gen, Enc, Dec) such that: 3/3. The decryption algorithm Dec takes as input a key k and a ciphertext c, and outputs a message m. We assume that Dec is deterministic, and so write this as m Deck(c). 210
52 Defining Computationally Secure Encryption It is required that for every n, every key k output by Gen(1 n ), and every m {0,1}, it holds that Deck(Enck(m)) = m. If (Gen, Enc, Dec) is such that for k output by Gen(1 n ), algorithm Enck is only defined for m {0,1} (n), then we say that (Gen, Enc, Dec) is a fixedlength privatekey encryption scheme for messages of length (n). 211
53 Indistinguishability in the presence of an eavesdropper An experiment is defined for any privatekey encryption scheme Π = (Gen, Enc, Dec), any PPT adversary A and any value n for the security parameter. The eavesdropping indistinguishability experiment PrivK e A a, v Π(n) : 212
54 PrivK e A a, v Π 1 n A 213
55 PrivK e A a, v Π 1 n m0, m1 M A 213
56 PrivK e A a, v Π 1 n k Gen(1 n ) m0, m1 M A 213
57 PrivK e A a, v Π 1 n k Gen(1 n ) b { 0, 1 } m0, m1 M A 213
58 PrivK e A a, v Π 1 n k Gen(1 n ) b { 0, 1 } c Enck(mb) m0, m1 M A 213
59 PrivK e A a, v Π 1 n k Gen(1 n ) b { 0, 1 } c Enck(mb) m0, m1 M c A 213
60 PrivK e A a, v Π 1 n k Gen(1 n ) b { 0, 1 } c Enck(mb) m0, m1 M c A b 213
61 PrivK e A a, v Π 1 n k Gen(1 n ) b { 0, 1 } c Enck(mb) m0, m1 M c A b b 213
62 PrivK e A a, v Π 1 n k Gen(1 n ) b { 0, 1 } c Enck(mb) m0, m1 M c A b b Pr[ b = b ] ½ + negl(n) 213
63 PrivK e A a, v Π 1 n k Gen(1 n ) b { 0, 1 } c Enck(mb) m0, m1 M c A computationally secret b b Pr[ b = b ] ½ + negl(n) 213
64 PrivK e A a, v Π(n) 1. The adversary A is given input 1 n, and outputs a pair of messages m0, m1 of the same length. 2. A key k is generated by running Gen(1 n ), and a random bit b {0,1} is chosen. A (challenge) ciphertext c Enck(mb) is computed and given to A. 3. A outputs a bit b. 4. The output of the experiment is defined to be 1 if b = b, and 0 otherwise. (If PrivK e A a, v Π(n) = 1, we say that A succeeded.) 214
65 PrivK e A a, v Π(n) If Π is a fixedlength scheme for messages of length (n), the previous experiment is modified by requiring m0, m1 {0,1} (n). 215
66 Defining Computationally Secure Encryption DEFINITION 3.8 A privatekey encryption scheme Π = (Gen, Enc, Dec) has indistinguishable encryptions in the presence of an eavesdropper if for all PPT adversaries A there exists a negligible function negl such that Pr[ PrivK e A a, v Π(n) = 1 ] ½ + negl(n), where the probability is taken over the random coins used by A, as well as the random coins used in the experiment (for choosing the key, the random bit b, and any random coins used in the encryption process). 216
67 3.2.2* Properties of the Definition DEFINITION 3.12 A privatekey encryption scheme (Gen, Enc, Dec) is semantically secure in the presence of an eavesdropper if for every PPT algorithm A there exists a PPT algorithm A such that for all efficientlysampleable distributions X = (X1,...) and all polynomialtime computable functions f and h, there exists a negligible function negl s.t. Pr[ A(1 n, Enck(m), h(m)) = f(m) ] Pr[ A (1 n, h(m)) = f(m) ] negl(n), where m is chosen according to distribution Xn, and the probabilities are taken over the choice of m and the key k, and any random coins used by A, A, and the encryption process. 217
68 A 218
69 1 n A 218
70 k Gen(1 n ) 1 n A 218
71 k Gen(1 n ) 1 n c Enck(m) A 218
72 k Gen(1 n ) 1 n h(m) c Enck(m) A 218
73 k Gen(1 n ) 1 n c Enck(m) h(m) c A 218
74 k Gen(1 n ) 1 n c Enck(m) h(m) c A z 218
75 k Gen(1 n ) 1 n c Enck(m) h(m) c A z 218
76 k Gen(1 n ) 1 n c Enck(m) h(m) c A z A 218
77 k Gen(1 n ) 1 n c Enck(m) h(m) c A z 1 n A 218
78 k Gen(1 n ) 1 n c Enck(m) h(m) c A z 1 n h(m) A 218
79 k Gen(1 n ) 1 n c Enck(m) h(m) c A z 1 n h(m) z A 218
80 k Gen(1 n ) 1 n c Enck(m) h(m) c A Pr[z = f(m)] Pr[z = f(m)] negl(n), z 1 n h(m) z A 218
81 Semantic Security THEOREM 3.13 A privatekey encryption scheme has indistinguishable encryptions in the presence of an eavesdropper if and only if it is semantically secure in the presence of an eavesdropper. Shafi Goldwasser Silvio Micali 219
82 ) 220
83 PostQuantum Cryptography Finite Fields based cryptography Codes Multivariate Polynomials Integers based cryptography Approximate Integer GCD Lattices 221
84 Lattice based cryptography x 3b1+2b2 b2 0 b1 222
85 Lattices Given nlinearly independent vectors b 1,...,b n R n, the lattice they generate is the set of vectors L(b 1,...,b n ) = i n =1 x i b i :x i Z. The vectors b 1,...,b n are known as a basis of the lattice. 223
86 Lattices x 3b1+2b2 b2 0 b1 224
87 Integer Lattices Given nlinearly independent vectors b 1,...,b n Z n, the lattice they generate is the set of vectors L(b 1,...,b n ) = i n =1 x i b i :x i Z. The vectors b 1,...,b n are known as a basis of the lattice. 225
88 Lattices x b1+b2 b2 0 b1 226
89 Closest Vector Problem Given a basis b 1,...,b n R n, and a vector t R n find the closest vector in the lattice L(b 1,...,b n ) (x 1,...,x n ) Z n : d(t, i n =1 x i b i ) is minimal. d(u,v) is Euclidean distance i n =1 (u i v i ) 2 227
90 CVP t b2 0 b1 Analoguous to correcting errors in codes 228
91 CVP t b2 0 b1 Analoguous to correcting errors in codes 229
92 Shortest Vector Problem Given a basis b 1,...,b n R n find the shortest vector in the lattice L(b 1,...,b n ) (x 1,...,x n ) Z n \0 : d(0, i n =1 x i b i ) is minimal. d(u,v) is Euclidean distance i n =1 (u i v i ) 2 230
93 SVP shortest b2 b1 0 shortest Analoguous to finding min distance in code 231
94 GGH 232
95 GGH The GGH cryptosystem, proposed by Goldreich, Goldwasser, and Halevi is essentially a lattice analogue of the McEliece/Niederreiter cryptosystem 232
96 GGH The GGH cryptosystem, proposed by Goldreich, Goldwasser, and Halevi is essentially a lattice analogue of the McEliece/Niederreiter cryptosystem The private key is a good lattice basis B. 232
97 GGH The GGH cryptosystem, proposed by Goldreich, Goldwasser, and Halevi is essentially a lattice analogue of the McEliece/Niederreiter cryptosystem The private key is a good lattice basis B. Typically, a good basis consists of short, almost orthogonal vectors. 232
98 GGH The GGH cryptosystem, proposed by Goldreich, Goldwasser, and Halevi is essentially a lattice analogue of the McEliece/Niederreiter cryptosystem The private key is a good lattice basis B. Typically, a good basis consists of short, almost orthogonal vectors. Algorithmically, good bases allow to efficiently solve certain instances of the closest vector problem in L(B), e.g., instances where the target is very close to the lattice. 232
99 GGH/HNF 233
100 GGH/HNF The public key H is a bad basis for the same lattice L(H) = L(B). 233
101 GGH/HNF The public key H is a bad basis for the same lattice L(H) = L(B). Micciancio proposed to use the Hermite Normal Form (HNF) of B. This normal form gives a lower triangular basis for L(B). 233
102 GGH/HNF The public key H is a bad basis for the same lattice L(H) = L(B). Micciancio proposed to use the Hermite Normal Form (HNF) of B. This normal form gives a lower triangular basis for L(B). Notice that any attack on the HNF public key can be easily adapted to work with any other basis B of L(B) by first computing H from B. 233
103 GGH/HNF 234
104 GGH/HNF The encryption process consists of adding a short noise vector r (somehow encoding the message to be encrypted) to a properly chosen lattice point v. 234
105 GGH/HNF The encryption process consists of adding a short noise vector r (somehow encoding the message to be encrypted) to a properly chosen lattice point v. It was proposed to select the vector v such that all the coordinates of (r + v) are reduced modulo the corresponding element along the diagonal of the HNF public basis H. 234
106 GGH/HNF The encryption process consists of adding a short noise vector r (somehow encoding the message to be encrypted) to a properly chosen lattice point v. It was proposed to select the vector v such that all the coordinates of (r + v) are reduced modulo the corresponding element along the diagonal of the HNF public basis H. The resulting vector is denoted r mod H, and it provably makes cryptanalysis hardest because r mod H can be efficiently computed from any vector of the form (r + v) with v L(B). 234
107 GGH/HNF 235
108 GGH/HNF The decryption problem corresponds to finding the lattice point v closest to the target ciphertext c = (r mod H) = v+r, and the error vector r = c v. 235
109 GGH/HNF The decryption problem corresponds to finding the lattice point v closest to the target ciphertext c = (r mod H) = v+r, and the error vector r = c v. The correctness of the GGH/HNF cryptosystem rests on the fact that the error vector r is short enough so that the lattice point v can be recovered from the ciphertext v+r using the private basis B, e.g., by using Babai s rounding procedure, which gives v = B[B 1 (v + r)] where [x] stands for the nearest integer to x 235
110 236
111 qary Lattices Given nlinearly independent vectors b 1,...,b n Z n, the qary lattice they generate is the set of vectors L(b 1,...,b n,q 1,...,q n ) = i n =1 x i b i mod q:x i Z where each vector q i is of the form (0,...,0,q,0,...,0) 237
112 qary Lattices mod q x 3b1+2b2 b2 0 b1 238
113 qary Lattices 239
114 qary Lattices Structure very similar to linear codes 239
115 qary Lattices Structure very similar to linear codes We define two types of qary lattices from a matrix A Z nxm q q (A)={y Z m q : y = A T s mod q, s Z qn } q(a)={y Z m q : Ay = 0 mod q} 239
116 Learning With Errors LWE uses a discrete normal distribution   with mean 0 and standard deviation q / 2π defined as [ ] mod q 240
117 Learning With Errors LWE uses a discrete normal distribution   with mean 0 and standard deviation q / 2π defined as [ ] mod q q/2 +q/2 241
118 Learning With Errors A generalization of Learning Parity with Noise where q=2 and Bernouilli errors. 242
119 Learning With Errors A generalization of Learning Parity with Noise where q=2 and Bernouilli errors. LWE is parametrized by n and q=poly(n) 242
120 Learning With Errors A generalization of Learning Parity with Noise where q=2 and Bernouilli errors. LWE is parametrized by n and q=poly(n) A: Z q mxn, a uniform public matrix 242
121 Learning With Errors A generalization of Learning Parity with Noise where q=2 and Bernouilli errors. LWE is parametrized by n and q=poly(n) A: Z q mxn, a uniform public matrix S: Z qn, a uniform secret (trapdoor) vector 242
122 Learning With Errors A generalization of Learning Parity with Noise where q=2 and Bernouilli errors. LWE is parametrized by n and q=poly(n) A: Z q mxn, a uniform public matrix S: Z qn, a uniform secret (trapdoor) vector E: Z qm, a secret vector where each entry has distribution   with s.t. q n (reductions & there is an exp(( q) 2 )time attack) 242
123 Learning With Errors A generalization of Learning Parity with Noise where q=2 and Bernouilli errors. LWE is parametrized by n and q=poly(n) A: Z q mxn, a uniform public matrix S: Z qn, a uniform secret (trapdoor) vector E: Z qm, a secret vector where each entry has distribution   with s.t. q n (reductions & there is an exp(( q) 2 )time attack) (search)lwe: Given A and P=AS+E find S. 242
124 Learning With Errors 243
125 Learning With Errors DecisionLWE is made of 243
126 Learning With Errors DecisionLWE is made of A: Z q mxn, a uniform public matrix 243
127 Learning With Errors DecisionLWE is made of A: Z q mxn, a uniform public matrix S: Z qn, a uniform secret (trapdoor) vector 243
128 Learning With Errors DecisionLWE is made of A: Z q mxn, a uniform public matrix S: Z qn, a uniform secret (trapdoor) vector E: Z qm, a secret vector where each entry has distribution
129 Learning With Errors DecisionLWE is made of A: Z q mxn, a uniform public matrix S: Z qn, a uniform secret (trapdoor) vector E: Z qm, a secret vector where each entry has distribution  . Decision LWE : Given either A and P=AS+E or A,P for unfiorm P, identify which is the case. 243
130 Learning With Errors DecisionLWE is made of A: Z q mxn, a uniform public matrix S: Z qn, a uniform secret (trapdoor) vector E: Z qm, a secret vector where each entry has distribution  . Decision LWE : Given either A and P=AS+E or A,P for unfiorm P, identify which is the case. Equivalent to the search problem. 243
131 LWE hardness GapSVP SIVP searchlwe decisionlwe crypto 244
132 LWE hardness Quantum!!! GapSVP SIVP searchlwe decisionlwe crypto 244
133 LWE based cryptography 245
134 LWE based cryptography Private key: S: Z qn, E: Z q m sampled using
135 LWE based cryptography Private key: S: Z qn, E: Z q m sampled using   Public Key: A: Z q mxn, P=AS+E 245
136 LWE based cryptography Private key: S: Z qn, E: Z q m sampled using   Public Key: A: Z q mxn, P=AS+E Input message: b: {0,1} 245
137 LWE based cryptography Private key: S: Z qn, E: Z q m sampled using   Public Key: A: Z q mxn, P=AS+E Input message: b: {0,1} Enc AP (v) := (A T a,p T a+bq/2) where a: {0,1} m 245
138 LWE based cryptography Private key: S: Z qn, E: Z q m sampled using   Public Key: A: Z q mxn, P=AS+E Input message: b: {0,1} Enc AP (v) := (A T a,p T a+bq/2) where a: {0,1} m Dec S (u,c) := 1 (0) iff cs T u is closer to q/2 (0) cs T u = P T a+bq/2s T A T a = P T a+bq/2p T a+ea = bq/2+ea 245
139 LWE based cryptography 246
140 LWE based cryptography In the first part, one shows that distinguishing between public keys (A,P) as generated by the cryptosystem and pairs chosen uniformly at random from Z q mxn Z q m implies a solution to the LWE problem with parameters n,m,q,
141 LWE based cryptography In the first part, one shows that distinguishing between public keys (A,P) as generated by the cryptosystem and pairs chosen uniformly at random from Z q mxn Z q m implies a solution to the LWE problem with parameters n,m,q,  . The second part consists of showing that if one tries to encrypt with a public key (A,P) chosen at random, then with very high probability, the result carries essentially no statistical information about the encrypted message. (m > n log q) 246
142 LWE based cryptography In the first part, one shows that distinguishing between public keys (A,P) as generated by the cryptosystem and pairs chosen uniformly at random from Z q mxn Z q m implies a solution to the LWE problem with parameters n,m,q,  . The second part consists of showing that if one tries to encrypt with a public key (A,P) chosen at random, then with very high probability, the result carries essentially no statistical information about the encrypted message. (m > n log q) Together, these two parts establish the security of the cryptosystem (under chosen plaintext attacks). 246
143 LWE2 based cryptography 247
144 LWE2 based cryptography Private key: S,E: Z q n both sampled using  , 247
145 LWE2 based cryptography Private key: S,E: Z q n both sampled using  , Public Key: A: Z q nxn, P=AS+E 247
146 LWE2 based cryptography Private key: S,E: Z q n both sampled using  , Public Key: A: Z q nxn, P=AS+E Input message: b: {0,1} 247
147 LWE2 based cryptography Private key: S,E: Z q n both sampled using  , Public Key: A: Z q nxn, P=AS+E Input message: b: {0,1} Enc AP (v) := (A T a+x,p T a+bq/2+e ), a,x,e : Z q n using
148 LWE2 based cryptography Private key: S,E: Z q n both sampled using  , Public Key: A: Z q nxn, P=AS+E Input message: b: {0,1} Enc AP (v) := (A T a+x,p T a+bq/2+e ), a,x,e : Z q n using   Dec S (u,c) := 1 (0) iff cs T u is closer to q/2 (0) cs T u = P T a+bq/2+e S T A T as T x = P T a+bq/2+e P T a+eas T x = bq/2+ea+e S T x 247
149 LWE based cryptography 8 7 feb Peikert
150 Lattice based cryptography 249
151 PostQuantum Cryptography Prof. Claude Crépeau McGill University 250
Introduction to Modern Cryptography
Introduction to Modern Cryptography 3rd lecture: Computational Security of PrivateKey Encryption and Pseudorandomness some of these slides are copied from or heavily inspired by the University College
More informationMACs Message authentication and integrity. Table of contents
MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and
More informationCryptography CS 555. Topic 3: Onetime Pad and Perfect Secrecy. CS555 Spring 2012/Topic 3 1
Cryptography CS 555 Topic 3: Onetime Pad and Perfect Secrecy CS555 Spring 2012/Topic 3 1 Outline and Readings Outline Onetime pad Perfect secrecy Limitation of perfect secrecy Usages of onetime pad
More information1 Message Authentication
Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions
More information1 Pseudorandom Permutations
Theoretical Foundations of Cryptography Lecture 9 Georgia Tech, Spring 2010 PRPs, Symmetric Encryption 1 Pseudorandom Permutations Instructor: Chris Peikert Scribe: Pushkar Tripathi In the first part of
More informationMessage Authentication Codes 133
Message Authentication Codes 133 CLAIM 4.8 Pr[Macforge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomialtime adversary A who attacks the fixedlength MAC Π and succeeds in
More informationLecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture  PRGs for one time pads
CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs
More informationLecture 3: OneWay Encryption, RSA Example
ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: OneWay Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require
More informationIntroduction to Security Proof of Cryptosystems
Introduction to Security Proof of Cryptosystems D. J. Guan November 16, 2007 Abstract Provide proof of security is the most important work in the design of cryptosystems. Problem reduction is a tool to
More informationCIS 5371 Cryptography. 8. Encryption 
CIS 5371 Cryptography p y 8. Encryption  Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: Allornothing secrecy.
More informationCSA E0 235: Cryptography (29/03/2015) (Extra) Lecture 3
CSA E0 235: Cryptography (29/03/2015) Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Mayank Tiwari Review From our discussion of perfect secrecy, we know that the notion of perfect secrecy has
More informationQUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University
QUANTUM COMPUTERS AND CRYPTOGRAPHY Mark Zhandry Stanford University Classical Encryption pk m c = E(pk,m) sk m = D(sk,c) m??? Quantum Computing Attack pk m aka Postquantum Crypto c = E(pk,m) sk m = D(sk,c)
More informationOverview of PublicKey Cryptography
CS 361S Overview of PublicKey Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.16 slide 2 PublicKey Cryptography public key public key? private key Alice Bob Given: Everybody knows
More informationLatticebased Cryptography
Latticebased Cryptography Daniele Micciancio Oded Regev July 22, 2008 1 Introduction In this chapter we describe some of the recent progress in latticebased cryptography. Latticebased cryptographic
More informationImproved Online/Offline Signature Schemes
Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion
More informationHomomorphic Encryption from Ring Learning with Errors
Homomorphic Encryption from Ring Learning with Errors Michael Naehrig Technische Universiteit Eindhoven michael@cryptojedi.org joint work with Kristin Lauter (MSR Redmond) Vinod Vaikuntanathan (University
More informationComputational Soundness of Symbolic Security and Implicit Complexity
Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 37, 2013 Overview
More informationIdentityBased Encryption from Lattices in the Standard Model
IdentityBased Encryption from Lattices in the Standard Model Shweta Agrawal and Xavier Boyen Preliminary version July 20, 2009 Abstract. We construct an IdentityBased Encryption (IBE) system without
More informationMessage Authentication Code
Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBCMAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44
More informationLearning with Errors
Learning with Errors Chethan Kamath IST Austria April 22, 2015 Table of contents Background PAC Model NoisyPAC Learning Parity with Noise The Parity Function Learning Parity with Noise BKW Algorithm Cryptography
More informationPostQuantum Cryptography #2
PostQuantum Cryptography #2 Prof. Claude Crépeau McGill University 49 PostQuantum Cryptography Finite Fields based cryptography Codes Multivariate Polynomials Integers based cryptography Approximate
More informationSemantic Security for the McEliece Cryptosystem without Random Oracles
Semantic Security for the McEliece Cryptosystem without Random Oracles Ryo Nojima 1, Hideki Imai 23, Kazukuni Kobara 3, and Kirill Morozov 3 1 National Institute of Information and Communications Technology
More informationA Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem
A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem Jintai Ding, Xiang Xie, Xiaodong Lin University of Cincinnati Chinese Academy of Sciences Rutgers University Abstract.
More informationIntroduction to Cryptography
Introduction to Cryptography Part 2: publickey cryptography JeanSébastien Coron January 2007 Publickey cryptography Invented by Diffie and Hellman in 1976. Revolutionized the field. Each user now has
More informationChapter 10 AsymmetricKey Cryptography
Chapter 10 AsymmetricKey Cryptography Copyright The McGrawHill Companies, Inc. Permission required for reproduction or display. 10.1 Chapter 10 Objectives To distinguish between two cryptosystems: symmetrickey
More informationTalk announcement please consider attending!
Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically
More informationCryptography. Course 2: attacks against RSA. JeanSébastien Coron. September 26, Université du Luxembourg
Course 2: attacks against RSA Université du Luxembourg September 26, 2010 Attacks against RSA Factoring Equivalence between factoring and breaking RSA? Mathematical attacks Attacks against plain RSA encryption
More informationProvably Secure Cryptography: State of the Art and Industrial Applications
Provably Secure Cryptography: State of the Art and Industrial Applications Pascal Paillier Gemplus/R&D/ARSC/STD/Advanced Cryptographic Services FrenchJapanese Joint Symposium on Computer Security Outline
More informationCOM S 687 Introduction to Cryptography October 19, 2006
COM S 687 Introduction to Cryptography October 19, 2006 Lecture 16: NonMalleability and Public Key Encryption Lecturer: Rafael Pass Scribe: Michael George 1 NonMalleability Until this point we have discussed
More informationIntroduction. Chapter 1
Chapter 1 Introduction This is a chapter from version 1.1 of the book Mathematics of Public Key Cryptography by Steven Galbraith, available from http://www.isg.rhul.ac.uk/ sdg/cryptobook/ The copyright
More informationFuzzy IdentityBased Encryption
Fuzzy IdentityBased Encryption Janek Jochheim June 20th 2013 Overview Overview Motivation (Fuzzy) IdentityBased Encryption Formal definition Security Idea Ingredients Construction Security Extensions
More informationComputational Complexity: A Modern Approach
i Computational Complexity: A Modern Approach Draft of a book: Dated January 2007 Comments welcome! Sanjeev Arora and Boaz Barak Princeton University complexitybook@gmail.com Not to be reproduced or distributed
More informationPublicKey Encryption (Asymmetric Encryption)
PublicKey Encryption (Asymmetric Encryption) Summer School, Romania 2014 Marc Fischlin 13. Oktober 2010 Dr.Marc Fischlin Kryptosicherheit 1 The story so far (PrivateKey Crypto) Alice establish secure
More informationRSA Attacks. By Abdulaziz Alrasheed and Fatima
RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.
More informationChosenCiphertext Security from IdentityBased Encryption
ChosenCiphertext Security from IdentityBased Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCAsecure publickey encryption schemes (i.e., schemes
More informationAdvanced Cryptography
Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.
More informationCryptography. Jonathan Katz, University of Maryland, College Park, MD 20742.
Cryptography Jonathan Katz, University of Maryland, College Park, MD 20742. 1 Introduction Cryptography is a vast subject, addressing problems as diverse as ecash, remote authentication, faulttolerant
More informationBasic Algorithms In Computer Algebra
Basic Algorithms In Computer Algebra Kaiserslautern SS 2011 Prof. Dr. Wolfram Decker 2. Mai 2011 References Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, 1993. Cox, D.; Little,
More informationCS Asymmetrickey Encryption. Prof. Clarkson Spring 2016
CS 5430 Asymmetrickey Encryption Prof. Clarkson Spring 2016 Review: block ciphers Encryption schemes: Enc(m; k): encrypt message m under key k Dec(c; k): decrypt ciphertext c with key k Gen(len): generate
More informationOutline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures
Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike
More informationa Course in Cryptography
a Course in Cryptography rafael pass abhi shelat c 2010 Pass/shelat All rights reserved Printed online 11 11 11 11 11 15 14 13 12 11 10 9 First edition: June 2007 Second edition: September 2008 Third edition:
More informationIdentityBased Encryption from the Weil Pairing
Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages
More informationFully Homomorphic Encryption from RingLWE and Security for Key Dependent Messages
Fully Homomorphic Encryption from RingLWE and Security for Key Dependent Messages Zvika Brakerski 1 and Vinod Vaikuntanathan 2 1 Weizmann Institute of Science zvika.brakerski@weizmann.ac.il 2 Microsoft
More informationSecurity Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012
Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database
More informationCh.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis
Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography
More informationLecture 5  CPA security, Pseudorandom functions
Lecture 5  CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.
More informationChapter 4. Symmetric Encryption. 4.1 Symmetric encryption schemes
Chapter 4 Symmetric Encryption The symmetric setting considers two parties who share a key and will use this key to imbue communicated data with various security attributes. The main security goals are
More informationContents. Foundations of cryptography
Contents Foundations of cryptography Security goals and cryptographic techniques Models for evaluating security A sketch of probability theory and Shannon's theorem Birthday problems Entropy considerations
More informationAuthentication and Encryption: How to order them? Motivation
Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in
More informationIntroduction. Digital Signature
Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology
More information1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.
1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks
More informationSecurity Analysis for Order Preserving Encryption Schemes
Security Analysis for Order Preserving Encryption Schemes Liangliang Xiao University of Texas at Dallas Email: xll052000@utdallas.edu Osbert Bastani Harvard University Email: obastani@fas.harvard.edu ILing
More informationCryptosystem. Diploma Thesis. Mol Petros. July 17, 2006. Supervisor: Stathis Zachos
s and s and Diploma Thesis Department of Electrical and Computer Engineering, National Technical University of Athens July 17, 2006 Supervisor: Stathis Zachos ol Petros (Department of Electrical and Computer
More informationUniversal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure PublicKey Encryption
Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure PublicKey Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical publickey
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Karagpur Lecture No. #06 Cryptanalysis of Classical Ciphers (Refer
More informationBoosting LinearlyHomomorphic Encryption to Evaluate Degree2 Functions on Encrypted Data
Boosting LinearlyHomomorphic Encryption to Evaluate Degree2 Functions on Encrypted Data Dario Catalano 1 and Dario Fiore 2 1 Dipartimento di Matematica e Informatica, Università di Catania, Italy. catalano@dmi.unict.it
More informationLeakageResilient Authentication and Encryption from Symmetric Cryptographic Primitives
LeakageResilient Authentication and Encryption from Symmetric Cryptographic Primitives Olivier Pereira Université catholique de Louvain ICTEAM Crypto Group B1348, Belgium olivier.pereira@uclouvain.be
More informationPublicKey Cryptanalysis
To appear in Recent Trends in Cryptography, I. Luengo (Ed.), Contemporary Mathematics series, AMSRSME, 2008. PublicKey Cryptanalysis Phong Q. Nguyen Abstract. In 1976, Diffie and Hellman introduced the
More informationThe Learning with Errors Problem
The Learning with Errors Problem Oded Regev Abstract In this survey we describe the Learning with Errors (LWE) problem, discuss its properties, its hardness, and its cryptographic applications. 1 Introduction
More informationPublicKey Cryptography. Oregon State University
PublicKey Cryptography Çetin Kaya Koç Oregon State University 1 Sender M Receiver Adversary Objective: Secure communication over an insecure channel 2 Solution: Secretkey cryptography Exchange the key
More informationNetwork security and all ilabs
Network security and all ilabs Modern cryptography for communications security part 1 Benjamin Hof hof@in.tum.de Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität
More informationSecurity usually depends on the secrecy of the key, not the secrecy of the algorithm (i.e., the open design model!)
1 A cryptosystem has (at least) five ingredients: 1. 2. 3. 4. 5. Plaintext Secret Key Ciphertext Encryption algorithm Decryption algorithm Security usually depends on the secrecy of the key, not the secrecy
More informationUniversal Padding Schemes for RSA
Universal Padding Schemes for RSA JeanSébastien Coron, Marc Joye, David Naccache, and Pascal Paillier Gemplus Card International, France {jeansebastien.coron, marc.joye, david.naccache, pascal.paillier}@gemplus.com
More informationVictor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract
Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart
More information1 Construction of CCAsecure encryption
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of secure encryption We now show how the MAC can be applied to obtain a secure encryption scheme.
More informationSecurity and Cryptography 1. Stefan Köpsell, Thorsten Strufe. Module 4: Basic Crypto, Stream Ciphers
Security and Cryptography 1 Stefan Köpsell, Thorsten Strufe Module 4: Basic Crypto, Stream Ciphers Disclaimer: Günter Schäfer, Mark Manulis, large parts from Dan Boneh Dresden, WS 16/17 Reprise from the
More informationNew Efficient Searchable Encryption Schemes from Bilinear Pairings
International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang
More informationLecture 9  Message Authentication Codes
Lecture 9  Message Authentication Codes Boaz Barak March 1, 2010 Reading: BonehShoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,
More informationOn Factoring Integers and Evaluating Discrete Logarithms
On Factoring Integers and Evaluating Discrete Logarithms A thesis presented by JOHN AARON GREGG to the departments of Mathematics and Computer Science in partial fulfillment of the honors requirements
More informationT Cryptology Spring 2009
T79.5501 Cryptology Spring 2009 Homework 2 Tutor : Joo Y. Cho joo.cho@tkk.fi 5th February 2009 Q1. Let us consider a cryptosystem where P = {a, b, c} and C = {1, 2, 3, 4}, K = {K 1, K 2, K 3 }, and the
More informationYale University Department of Computer Science
Yale University Department of Computer Science On Backtracking Resistance in Pseudorandom Bit Generation (preliminary version) Michael J. Fischer Michael S. Paterson Ewa Syta YALEU/DCS/TR1466 October
More informationCIS433/533  Computer and Network Security Cryptography
CIS433/533  Computer and Network Security Cryptography Professor Kevin Butler Winter 2011 Computer and Information Science A historical moment Mary Queen of Scots is being held by Queen Elizabeth and
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct
More informationMESSAGE AUTHENTICATION IN AN IDENTITYBASED ENCRYPTION SCHEME: 1KEYENCRYPTTHENMAC
MESSAGE AUTHENTICATION IN AN IDENTITYBASED ENCRYPTION SCHEME: 1KEYENCRYPTTHENMAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial
More informationPrimes, Factoring, and RSA A Return to Cryptography. Table of contents
Primes, Factoring, and RSA A Return to Cryptography Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Generating Primes RSA Assumption A classic hard
More informationProofs in Cryptography
Proofs in Cryptography Ananth Raghunathan Abstract We give a brief overview of proofs in cryptography at a beginners level. We briefly cover a general way to look at proofs in cryptography and briefly
More informationChapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes
Chapter 11 Asymmetric Encryption The setting of publickey cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret
More informationThe Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)
The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication
More informationNetwork Security: Cryptography CS/SS G513 S.K. Sahay
Network Security: Cryptography CS/SS G513 S.K. Sahay BITSPilani, K.K. Birla Goa Campus, Goa S.K. Sahay Network Security: Cryptography 1 Introduction Network security: measure to protect data/information
More informationCryptographic treatment of CryptDB s Adjustable Join
Cryptographic treatment of CryptDB s Adjustable Join Raluca Ada Popa and Nickolai Zeldovich MIT CSAIL March 25, 2012 1 Introduction In this document, we provide a cryptographic treatment of the adjustable
More informationLatticeBased ThresholdChangeability for Standard Shamir SecretSharing Schemes
LatticeBased ThresholdChangeability for Standard Shamir SecretSharing Schemes Ron Steinfeld (Macquarie University, Australia) (email: rons@ics.mq.edu.au) Joint work with: Huaxiong Wang (Macquarie University)
More informationCIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives
CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; DH key exchange; Hash functions; Application of hash
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 1 January 9, 2012 CPSC 467b, Lecture 1 1/22 Course Overview Symmetric Cryptography CPSC 467b, Lecture 1 2/22 Course Overview CPSC
More informationCryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur
Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)
More informationCryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53
Cryptography and Network Security, PART IV: Reviews, Patches, and Theory Timo Karvi 11.2012 Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Key Lengths I The old
More informationCryptography and Network Security Chapter 9
Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 9 Public Key Cryptography and RSA Every Egyptian received two names,
More informationRSA OAEP is Secure under the RSA Assumption
This is a revised version of the extended abstract RSA OAEP is Secure under the RSA Assumption which appeared in Advances in Cryptology Proceedings of CRYPTO 2001 (19 23 august 2001, Santa Barbara, California,
More informationSecret Writing. Introduction to Cryptography. Encryption. Decryption. Kerckhoffs s ( ) Principle. Security of Cryptographic System
Introduction to Cryptography ECEN 1200, Telecommunications 1 Secret Writing Cryptography is the science and study of secret writing. More specifically, cryptography is concerned with techniques for enciphering
More informationElements of Applied Cryptography Public key encryption
Network Security Elements of Applied Cryptography Public key encryption Public key cryptosystem RSA and the factorization problem RSA in practice Other asymmetric ciphers Asymmetric Encryption Scheme Let
More informationSolutions to Problem Set 1
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Handout #8 Zheng Ma February 21, 2005 Solutions to Problem Set 1 Problem 1: Cracking the Hill cipher Suppose
More informationIncremental Deterministic PublicKey Encryption
Incremental Deterministic PublicKey Encryption Ilya Mironov Omkant Pandey Omer Reingold Gil Segev Abstract Motivated by applications in large storage systems, we initiate the study of incremental deterministic
More informationCSC474/574  Information Systems Security: Homework1 Solutions Sketch
CSC474/574  Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a oneround Feistel cipher
More informationBreaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and
Breaking The Code Ryan Lowe Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and a minor in Applied Physics. As a sophomore, he took an independent study
More informationOrderPreserving Encryption Revisited: Improved Security Analysis and Alternative Solutions
A preliminary version of this paper appears in Advances in Cryptology  CRYPTO 0, 3st Annual International Cryptology Conference, P. Rogaway ed., LNCS, Springer, 0. OrderPreserving Encryption Revisited:
More informationLecture 6  Cryptography
Lecture 6  Cryptography CSE497b  Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497bs07 Question 2 Setup: Assume you and I don t know anything about
More information1 Signatures vs. MACs
CS 120/ E177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. KatzLindell 10 1 Signatures vs. MACs Digital signatures
More informationMultiInput Functional Encryption for Unbounded Arity Functions
MultiInput Functional Encryption for Unbounded Arity Functions Saikrishna Badrinarayanan, Divya Gupta, Abhishek Jain, and Amit Sahai Abstract. The notion of multiinput functional encryption (MIFE) was
More informationHybrid Signcryption Schemes with Insider Security (Extended Abstract)
Hybrid Signcryption Schemes with Insider Security (Extended Abstract) Alexander W. Dent Royal Holloway, University of London Egham Hill, Egham, Surrey, TW20 0EX, U.K. a.dent@rhul.ac.uk http://www.isg.rhul.ac.uk/~alex/
More informationChapter 10 AsymmetricKey Cryptography
Chapter 10 AsymmetricKey Cryptography Copyright The McGrawHill Companies, Inc. Permission required for reproduction or display. 10.1 Chapter 10 Objectives Present asymmetrickey cryptography. Distinguish
More information