# Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak

Save this PDF as:

Size: px
Start display at page:

Download "Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak"

## Transcription

2 known as reverse-engineering) is a notoriously hard problem. In fact, considerable efforts are made at writing programs so they would be easy to understand. Programs written without such efforts, or programs written or compiled to low level languages are considered to be quite incomprehensible. In fact, in some cases it is either proven (e.g., the Halting problem, Rice s theorem) or widely conjectured (e.g., the Satisfiability problem) that when trying to learn properties of a function, there is no significant advantage to getting its representation as a program, over getting black-box access to it. Thus, a common intuition is the following: The only useful thing one can do with a program is to execute it (on chosen inputs). In this thesis, we test this intuition in several settings in cryptography. Somewhat surprisingly, we find several cases in which it does not hold. That is, we find several cases in which it can be shown that non-black-box algorithms have significantly more power than black-box algorithms. We use this additional power of non-black box algorithms to obtain new results. Some of these results were previously proven to be impossible to obtain when using only black-box techniques. 1 Our Results The main theme of this thesis is that non-black-box techniques can indeed be more powerful than black-box techniques in several interesting contexts in cryptography. Below, we elaborate more on our specific results in particular contexts. We only mention here our results, and we do not elaborate on the ideas and techniques used to obtain these results. Each chapter in this thesis has its own introduction, which contains a much more detailed (but still high level) discussion on the results of the chapter and on the ideas used in the proofs. We note that we present the results here in a different order than the order of the chapters. This is because the results of Chapter 6 are somewhat easier to state than the results of Chapters 4 and 5, but the proofs of Chapter 6 are actually more complicated and use some ideas from the previous chapters. 1.1 Code Obfuscation Code obfuscation is about trying to make practical use of the difficulty of reverse-engineering programs. Informally, an obfuscator O is an (efficient, probabilistic) compiler that takes as input a program Π and produces a new program O(Π) that has the same functionality as Π yet is unintelligible in some sense. Obfuscators, if they exist, would have a wide variety of cryptographic and complexity-theoretic applications, ranging from software protection to homomorphic encryption to complexity-theoretic analogues of Rice s theorem. Most of these applications are based on an interpretation of the unintelligibility condition in obfuscation as meaning that O(Π) is a virtual black box, in the sense that anything one can efficiently compute given O(Π), one could also efficiently compute given black-box access to Π. Several constructions of software obfuscators have been previously suggested (c.f., [CTL97] and the references therein). However, no formal definition of obfuscation has been suggested, and so in particular none of these candidates has been proven to meet some formal security definition. In Chapter 3 of this thesis, we initiate a theoretical investigation of obfuscation. Our main result is that, even under very weak formalizations, obfuscation is impossible. We prove this by constructing a family of programs P that are inherently unobfuscatable in the sense that 1. There is an efficient algorithm A such that for every program Π P and every program Π that computes the same function as Π, A(Π ) = Π. That is, for every possible obfuscator O, A can recover the original source code of Π from O(Π). 2

4 further knowledge as the result of interacting with Bob, beyond what she could have discovered by herself. Formally, this is shown by exhibiting a simulator. A simulator is an algorithm, that gets as input an algorithm A which describes Alice s strategy in the protocol, and outputs a distribution that is indistinguishable from the distribution of the messages that Alice sees in a real interaction with Bob when she is using the strategy A. The existence of such a simulator demonstrates that regardless of the strategy A that Alice s uses, she has not learned anything about Bob s secret that she couldn t have learned by herself without having any interaction with Bob (by simply running the simulator). Almost all previously known simulators used only black-box access to the algorithm A they received as input. 1 In Chapter 4, we present the first construction of a protocol with a non-blackbox simulator under standard assumptions. Using these new non-black-box techniques we obtain several results that were previously shown to be impossible to obtain using black-box simulators. Specifically, assuming the existence of collision-resistent hash functions, we construct a new zeroknowledge argument (i.e., a computationally-sound proof) for any language in NP that satisfies the following properties: 1. It is zero-knowledge with respect to non-uniform adversaries with auxiliary information. 2. It has a constant number of rounds and negligible soundness error. 3. It remains zero-knowledge even if executed concurrently n times, where n is the security parameter. We call a protocol that satisfies this property a bounded concurrent zero-knowledge protocol It is an Arthur-Merlin (public coins) protocol. 5. It has a simulator that runs in strict probabilistic polynomial-time, rather than expected probabilistic polynomial-time. The above protocol should be contrasted with the following impossibility results regarding blackbox zero-knowledge arguments for non-trivial languages: Goldreich and Krawczyk [GK90] showed that such protocols cannot satisfy both Properties 2 and 4. Canetti, Kilian, Petrank and Rosen [CKPR01] showed that such protocols cannot satisfy both Properties 2 and 3. In Chapter 5, we also show that such protocols cannot satisfy Properties 2 and 5. In addition, in Chapter 5 we use this zero-knowledge system to obtain other new results in cryptography. These applications include (a) a construction of constant-round zero-knowledge argument of knowledge with a strict polynomial-time knowledge extractor, (b) a zero-knowledge resettably sound argument for NP, and (c) a resettable zero-knowledge argument of knowledge. We show that all these three applications are impossible to obtain when restricted to black-box techniques. We remark that application (b) in particular, is somewhat counter-intuitive, and demonstrates well the power of non-black-box techniques. In particular it means that if you are given a device (e.g., a smart-card) that proves some statement σ in this system then you are not able to learn 1 One exception is the zero-knowledge proof system of [HT99]. However, that protocol was constructed under a computational assumption that the authors themselves describe as unreasonable. 2 The choice of n repetitions is quite arbitrary and could be replaced by any fixed polynomial (e.g. n 3 ) in the security parameter. This is in contrast to a standard concurrent zero-knowledge protocol [DNS98, RK99] that remains zero-knowledge when executed concurrently any polynomial number of times. 4

5 anything new about σ except its validity by playing with the device feeding it with different inputs, and examining its outputs. However you can still be certain that if you were to open the device and examine its internal workings, you would be able to extract a witness for σ. Relation to non-black-box proofs of security. We remark that in some sense non-black-box simulation is a special case of non-black-box proofs of security. This is because one can view the existence of a simulator as a proof that the protocol is secure, and so a non-black-box simulator can be viewed as a non-black-box proof of security. Indeed, usually when a zero-knowledge protocol is used as a component in a larger sub-protocol, the security reduction for the larger protocol involves using the simulator for the zero-knowledge protocol. Thus, if the zero-knowledge protocol used has a non-black-box simulator, then the security reduction for the larger protocols will be non-black-box. References [BG84] [CKPR01] [CTL97] [DDN91] [DNS98] [GK90] [GMR85] M. Blum and S. Goldwasser. An Efficient Probabilistic Public-Key Encryption Scheme which Hides All Partial Information. In Crypto 84, pages , LNCS No R. Canetti, J. Kilian, E. Petrank, and A. Rosen. Black-Box Concurrent Zero-Knowledge Requires Ω(log n) Rounds. Record 2001/051, Cryptology eprint Archive, June Extended abstract appeared in STOC 01. C. Collberg, C. Thomborson, and D. Low. A Taxonomy of Obfuscating Transformations. Technical Report 148, University of Auckland, July See also arizona.edu/~collberg/research/obfuscation/index.html. D. Dolev, C. Dwork, and M. Naor. Nonmalleable cryptography. SIAM J. Comput., 30(2): (electronic), Preliminary version in STOC C. Dwork, M. Naor, and A. Sahai. Concurrent Zero Knowledge. In Proc. 30th STOC, pages ACM, O. Goldreich and H. Krawczyk. On the Composition of Zero-Knowledge Proof Systems. SIAM J. Comput., 25(1): , Feb Preliminary version appeared in ICALP 90. S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proof systems. SIAM J. Comput., 18(1): , Preliminary version in STOC 85. [HT99] S. Hada and T. Tanaka. On the Existence of 3-Round Zero-Knowledge Protocols. Cryptology eprint Archive, Report 1999/009, [Rab79] [RK99] M. O. Rabin. Digitalized Signatures and Public-Key Functions as Intractable as Factorization. Technical Report MIT/LCS/TR-212, Massachusetts Institute of Technology, Jan R. Richardson and J. Kilian. On the Concurrent Composition of Zero-Knowledge Proofs. In Eurocrypt 99, LNCS No

### Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

### On Combining Privacy with Guaranteed Output Delivery in Secure Multiparty Computation

On Combining Privacy with Guaranteed Output Delivery in Secure Multiparty Computation Yuval Ishai 1, Eyal Kushilevitz 1, Yehuda Lindell 2, and Erez Petrank 1 1 Technion ({yuvali,eyalk,erez}@cs.technion.ac.il)

### Guaranteed Slowdown, Generalized Encryption Scheme, and Function Sharing

Guaranteed Slowdown, Generalized Encryption Scheme, and Function Sharing Yury Lifshits July 10, 2005 Abstract The goal of the paper is to construct mathematical abstractions of different aspects of real

### Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

### Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

### Secure Computation Without Authentication

Secure Computation Without Authentication Boaz Barak 1, Ran Canetti 2, Yehuda Lindell 3, Rafael Pass 4, and Tal Rabin 2 1 IAS. E:mail: boaz@ias.edu 2 IBM Research. E-mail: {canetti,talr}@watson.ibm.com

### A Secure Protocol for the Oblivious Transfer (Extended Abstract) M. J. Fischer. Yale University. S. Micali Massachusetts Institute of Technology

J, Cryptoiogy (1996) 9:191-195 Joumol of CRYPTOLOGY O 1996 International Association for Cryptologic Research A Secure Protocol for the Oblivious Transfer (Extended Abstract) M. J. Fischer Yale University

### Computational Soundness of Symbolic Security and Implicit Complexity

Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview

### Non-interactive and Reusable Non-malleable Commitment Schemes

Non-interactive and Reusable Non-malleable Commitment Schemes Ivan Damgård a Jens Groth b June 16, 2003 Abstract We consider non-malleable (NM) and universally composable (UC) commitment schemes in the

### Security of Blind Digital Signatures

Security of Blind Digital Signatures (Revised Extended Abstract) Ari Juels 1 Michael Luby 2 Rafail Ostrovsky 3 1 RSA Laboratories. Email: ari@rsa.com. 2 Digital Fountain 3 UCLA, Email: rafail@cs.ucla.edu.

### Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

### Applications of obfuscation to software and hardware systems

Applications of obfuscation to software and hardware systems Victor P. Ivannikov Institute for System Programming Russian Academy of Sciences (ISP RAS) www.ispras.ru Program obfuscation is an efficient

### Lecture 2: Complexity Theory Review and Interactive Proofs

600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography

Trading Static for Adaptive Security in Universally Composable Zero-Knowledge Aggelos Kiayias and Hong-Sheng Zhou Computer Science and Engineering University of Connecticut Storrs, CT, USA {aggelos,hszhou}@cse.uconn.edu

### Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

### Constant-Round Leakage-Resilient Zero-Knowledge Arguments of Knowledge for NP

Constant-Round Leakage-Resilient Zero-Knowledge Arguments of Knowledge for NP Hongda Li, Qihua Niu, Guifang Huang 1 The Data Assurance and Communication Security Research Center 2 State Key Lab of Information

### Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### Adaptive One-way Functions and Applications

Adaptive One-way Functions and Applications Omkant Pandey 1, Rafael Pass 2, and Vinod Vaikuntanathan 3 1 UCLA (omkant@cs.ucla.edu) 2 Cornell University (rafael@cs.cornell.edu) 3 MIT (vinodv@mit.edu) Abstract.

### Succinct Proofs for NP and Spooky Interactions

Succinct Proofs for NP and Spooky Interactions Cynthia Dwork Michael Langberg Moni Naor Kobbi Nissim Omer Reingold December 21, 2004 Abstract This paper investigates the possibility that any NP statement

### Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

### Remotely Keyed Encryption Using Non-Encrypting Smart Cards

THE ADVANCED COMPUTING SYSTEMS ASSOCIATION The following paper was originally published in the USENIX Workshop on Smartcard Technology Chicago, Illinois, USA, May 10 11, 1999 Remotely Keyed Encryption

### Security Analysis of DRBG Using HMAC in NIST SP 800-90

Security Analysis of DRBG Using MAC in NIST SP 800-90 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@u-fukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator

### Limits of Computational Differential Privacy in the Client/Server Setting

Limits of Computational Differential Privacy in the Client/Server Setting Adam Groce, Jonathan Katz, and Arkady Yerukhimovich Dept. of Computer Science University of Maryland {agroce, jkatz, arkady}@cs.umd.edu

### 3-6 Toward Realizing Privacy-Preserving IP-Traceback

3-6 Toward Realizing Privacy-Preserving IP-Traceback The IP-traceback technology enables us to trace widely spread illegal users on Internet. However, to deploy this attractive technology, some problems

### A Secure and Efficient Conference Key Distribution System

********************** COVER PAGE ********************** A Secure and Efficient Conference Key Distribution System (Extended Abstract) Mike Burmester Department of Mathematics Royal Holloway University

### Efficient Cryptographic Protocols Preventing Man-in-the-Middle Attacks

Efficient Cryptographic Protocols Preventing Man-in-the-Middle Attacks Jonathan Katz Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy in the Graduate School of

### 1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

### Cryptography: Authentication, Blind Signatures, and Digital Cash

Cryptography: Authentication, Blind Signatures, and Digital Cash Rebecca Bellovin 1 Introduction One of the most exciting ideas in cryptography in the past few decades, with the widest array of applications,

### NP-Completeness I. Lecture 19. 19.1 Overview. 19.2 Introduction: Reduction and Expressiveness

Lecture 19 NP-Completeness I 19.1 Overview In the past few lectures we have looked at increasingly more expressive problems that we were able to solve using efficient algorithms. In this lecture we introduce

### MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

### International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

### How to Prove a Theorem So No One Else Can Claim It

Proceedings of the International Congress of Mathematicians Berkeley, California, USA, 1986 How to Prove a Theorem So No One Else Can Claim It MANUEL BLUM Goldwasser, Micali, and Rackoff [GMR] define for

### A Factoring and Discrete Logarithm based Cryptosystem

Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511-517 HIKARI Ltd, www.m-hikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques

### Privacy-Providing Signatures and Their Applications. PhD Thesis. Author: Somayeh Heidarvand. Advisor: Jorge L. Villar

Privacy-Providing Signatures and Their Applications PhD Thesis Author: Somayeh Heidarvand Advisor: Jorge L. Villar Privacy-Providing Signatures and Their Applications by Somayeh Heidarvand In fulfillment

Group Blind Digital Signatures: Theory and Applications by Zulækar Amin Ramzan Submitted to the Department of Electrical Engineering and Computer Science in partial fulællment of the requirements for the

### Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes

### Open Problems in Quantum Information Processing. John Watrous Department of Computer Science University of Calgary

Open Problems in Quantum Information Processing John Watrous Department of Computer Science University of Calgary #1 Open Problem Find new quantum algorithms. Existing algorithms: Shor s Algorithm (+ extensions)

### Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

### SUBLIMINALFREE AUTHENTICATION AND SIGNATURE

SUBLIMINALFREE AUTHENTICATION AND SIGNATURE (Extended Abstract) Yvo Desmedt Dept. EE & CS, Univ. of Wisconsin - Milwaukee P.O. Box 784, WI 53201 Milwaukee, U.S.A. ABSTRACT Simmons [17] introduced the notion

### On-Line/Off-Line Digital Signatures

J. Cryptology (996) 9: 35 67 996 International Association for Cryptologic Research On-Line/Off-Line Digital Signatures Shimon Even Computer Science Department, Technion Israel Institute of Technology,

### 1 Construction of CCA-secure encryption

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

### Multi-Party Computations: Past and Present

Invited Talk: Multi-Party Computations: Past and Present Shafi Goldwasser Cryptography is traditionally concerned with two users, Alice and Bob, who want to communicate privately and authentically over

### Private Inference Control For Aggregate Database Queries

Private Inference Control For Aggregate Database Queries Geetha Jagannathan geetha@cs.rutgers.edu Rebecca N. Wright Rebecca.Wright@rutgers.edu Department of Computer Science Rutgers, State University of

### On Generating the Initial Key in the Bounded-Storage Model

On Generating the Initial Key in the Bounded-Storage Model Stefan Dziembowski Institute of Informatics, Warsaw University Banacha 2, PL-02-097 Warsaw, Poland, std@mimuw.edu.pl Ueli Maurer Department of

### RSA OAEP is Secure under the RSA Assumption

This is a revised version of the extended abstract RSA OAEP is Secure under the RSA Assumption which appeared in Advances in Cryptology Proceedings of CRYPTO 2001 (19 23 august 2001, Santa Barbara, California,

### Introduction to Program Obfuscation

Introduction to Program Obfuscation p. 1/26 Introduction to Program Obfuscation Yury Lifshits Saint-Petersburg State University http://logic.pdmi.ras.ru/ yura/ yura@logic.pdmi.ras.ru Introduction to Program

### Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense

### Legally Enforceable Fairness in Secure Two-Party Computation

Legally Enforceable Fairness in Secure Two-Party Computation Yehuda Lindell Department of Computer Science Bar-Ilan University, Israel. lindell@cs.biu.ac.il Abstract In the setting of secure multiparty

### Certified Security Proofs of Cryptographic Protocols in the Computational Model : an Application to Intrusion Resilience

Certified Security Proofs of Cryptographic Protocols in the Computational Model : an Application to Intrusion Resilience Pierre Corbineau Mathilde Duclos Yassine Lakhnech Université de Grenoble, CNRS Verimag,

### Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

### On the Concept of Software Obfuscation in Computer Security

On the Concept of Software Obfuscation in Computer Security Nikolay Kuzurin 1, Alexander Shokurov 1, Nikolay Varnovsky 2, and Vladimir Zakharov 2 1 Institute for System Programming, Moscow, Russia 2 Lomonosov

### Fundamental problems in provable security and cryptography

Fundamental problems in provable security and cryptography By Alexander W. Dent Information Security Group, Royal Holloway, University of London, Egham, Surrey TW20 0EX, UK This paper examines methods

### P versus NP, and More

1 P versus NP, and More Great Ideas in Theoretical Computer Science Saarland University, Summer 2014 If you have tried to solve a crossword puzzle, you know that it is much harder to solve it than to verify

### Multi-Input Functional Encryption for Unbounded Arity Functions

Multi-Input Functional Encryption for Unbounded Arity Functions Saikrishna Badrinarayanan, Divya Gupta, Abhishek Jain, and Amit Sahai Abstract. The notion of multi-input functional encryption (MI-FE) was

### 1 Signatures vs. MACs

CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

### Massachusetts Institute of Technology. rosario,silvio@theory.lcs.mit.edu. Abstract

Veriable Secret Sharing as Secure Computation Rosario Gennaro Silvio Micali Laboratory for Computer Science Massachusetts Institute of Technology rosario,silvio@theory.lcs.mit.edu Abstract We present a

### On the Achievability of Simulation-Based Security for Functional Encryption

On the Achievability of Simulation-Based Security for Functional Encryption Angelo De Caro 1, Vincenzo Iovino 2, Abhishek Jain 3, Adam O Neill 4, Omer Paneth 4, and Giuseppe Persiano 2 1 NTT Secure Platform

### A Survey on Optimistic Fair Digital Signature Exchange Protocols

A Survey on Optimistic Fair Digital Signature Exchange s Alfin Abraham Vinodh Ewards Harlay Maria Mathew Abstract Security services become crucial to many applications such as e-commerce payment protocols,

### A Method for Making Password-Based Key Exchange Resilient to Server Compromise

A Method for Making Password-Based Key Exchange Resilient to Server Compromise Craig Gentry 1, Philip MacKenzie 2, and Zulfikar Ramzan 3 1 Stanford University, Palo Alto, CA, USA, cgentry@cs.stanford.edu

### Simulation-Based Security with Inexhaustible Interactive Turing Machines

Simulation-Based Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik Christian-Albrechts-Universität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.uni-kiel.de

### Efficient Two Party and Multi Party Computation against Covert Adversaries

Efficient Two Party and Multi Party Computation against Covert Adversaries Vipul Goyal 1, Payman Mohassel 2, and Adam Smith 3 1 Department of Computer Science, UCLA vipul@cs.ucla.edu 2 Department of Computer

### Universal Padding Schemes for RSA

Universal Padding Schemes for RSA Jean-Sébastien Coron, Marc Joye, David Naccache, and Pascal Paillier Gemplus Card International, France {jean-sebastien.coron, marc.joye, david.naccache, pascal.paillier}@gemplus.com

### 2.1 Complexity Classes

15-859(M): Randomized Algorithms Lecturer: Shuchi Chawla Topic: Complexity classes, Identity checking Date: September 15, 2004 Scribe: Andrew Gilpin 2.1 Complexity Classes In this lecture we will look

### NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES Ounasser Abid 1, Jaouad Ettanfouhi 2 and Omar Khadir 3 1,2,3 Laboratory of Mathematics, Cryptography and Mechanics, Department of Mathematics, Fstm,

### ZQL. a cryptographic compiler for processing private data. George Danezis. Joint work with Cédric Fournet, Markulf Kohlweiss, Zhengqin Luo

ZQL Work in progress a cryptographic compiler for processing private data George Danezis Joint work with Cédric Fournet, Markulf Kohlweiss, Zhengqin Luo Microsoft Research and Joint INRIA-MSR Centre Data

### CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 1 January 9, 2012 CPSC 467b, Lecture 1 1/22 Course Overview Symmetric Cryptography CPSC 467b, Lecture 1 2/22 Course Overview CPSC

### A novel deniable authentication protocol using generalized ElGamal signature scheme

Information Sciences 177 (2007) 1376 1381 www.elsevier.com/locate/ins A novel deniable authentication protocol using generalized ElGamal signature scheme Wei-Bin Lee a, Chia-Chun Wu a, Woei-Jiunn Tsaur

### The Complexity of Online Memory Checking

The Complexity of Online Memory Checking Moni Naor Guy N. Rothblum Abstract We consider the problem of storing a large file on a remote and unreliable server. To verify that the file has not been corrupted,

### IMPACT OF HASH FUNCTION NON-UNIFORMITY ON DIGITAL SIGNATURE SECURITY Introduction. 2. Digital Signature

Novi Sad J. Math. Vol. 38, No. 3, 008, 01-08 IMPACT OF HASH FUNCTION NON-UNIFORMITY ON DIGITAL SIGNATURE SECURITY 1 Milan Tuba, Nadezda Stanarevic 3, Perica Strbac 4, Jasmina Novakovic 5 Abstract. This

### Trading One-Wayness against Chosen-Ciphertext Security in Factoring-Based Encryption

Trading One-Wayness against Chosen-Ciphertext Security in Factoring-Based Encryption Pascal Paillier 1 and Jorge L. Villar 2 1 Cryptography Group, Security Labs, Gemalto pascal.paillier@gemalto.com 2 Departament

### On Factoring Integers and Evaluating Discrete Logarithms

On Factoring Integers and Evaluating Discrete Logarithms A thesis presented by JOHN AARON GREGG to the departments of Mathematics and Computer Science in partial fulfillment of the honors requirements

### New Online/Offline Signature Schemes Without Random Oracles

New Online/Offline Signature Schemes Without Random Oracles Kaoru Kurosawa 1 and Katja Schmidt-Samoa 2 1 Department of Computer and Information Sciences, Ibaraki University, Japan 2 Fachbereich Informatik,

### Factoring & Primality

Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount

### Efficient Constructions of Variable-Input-Length Block Ciphers

Efficient Constructions of Variable-Input-Length Block Ciphers Sarvar Patel 1, Zulfikar Ramzan 2 and Ganapathy S. Sundaram 1 1 Lucent Technologies {sarvar, ganeshs}@bell-labs.com 2 DoCoMo Communications

### Entangled Encodings and Data Entanglement

An extended abstract of this paper is published in the proceedings of the 3rd International Workshop on Security in Cloud Computing SCC@AsiaCCS 2015. This is the full version. Entangled Encodings and Data

### Study of algorithms for factoring integers and computing discrete logarithms

Study of algorithms for factoring integers and computing discrete logarithms First Indo-French Workshop on Cryptography and Related Topics (IFW 2007) June 11 13, 2007 Paris, France Dr. Abhijit Das Department

### Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

### New Efficient Searchable Encryption Schemes from Bilinear Pairings

International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang

### Analysis of Privacy-Preserving Element Reduction of Multiset

Analysis of Privacy-Preserving Element Reduction of Multiset Jae Hong Seo 1, HyoJin Yoon 2, Seongan Lim 3, Jung Hee Cheon 4 and Dowon Hong 5 1,4 Department of Mathematical Sciences and ISaC-RIM, Seoul

Adaptively-Secure, Non-Interactive Public-Key Encryption Ran Canetti 1, Shai Halevi 1, and Jonathan Katz 2 1 IBM T.J. Watson Research Center, NY, USA. 2 Department of Computer Science, University of Maryland.

### Round-Efficient Secure Computation in Point-to-Point Networks

Round-Efficient Secure Computation in Point-to-Point Networks Jonathan Katz and Chiu-Yuen Koo Dept. of Computer Science, University of Maryland, College Park, USA {jkatz,cykoo}@cs.umd.edu Abstract. Essentially

### Network Security. Chapter 6 Random Number Generation. Prof. Dr.-Ing. Georg Carle

Network Security Chapter 6 Random Number Generation Prof. Dr.-Ing. Georg Carle Chair for Computer Networks & Internet Wilhelm-Schickard-Institute for Computer Science University of Tübingen http://net.informatik.uni-tuebingen.de/

### Computational complexity theory

Computational complexity theory Goal: A general theory of the resources needed to solve computational problems What types of resources? Time What types of computational problems? decision problem Decision

### 9 Digital Signatures: Definition and First Constructions. Hashing.

Leo Reyzin. Notes for BU CAS CS 538. 1 9 Digital Signatures: Definition and First Constructions. Hashing. 9.1 Definition First note that encryption provides no guarantee that a message is authentic. For

### Paillier Threshold Encryption Toolbox

Paillier Threshold Encryption Toolbox October 23, 2010 1 Introduction Following a desire for secure (encrypted) multiparty computation, the University of Texas at Dallas Data Security and Privacy Lab created

### INTERACTIVE TWO-CHANNEL MESSAGE AUTHENTICATION BASED ON INTERACTIVE-COLLISION RESISTANT HASH FUNCTIONS

INTERACTIVE TWO-CHANNEL MESSAGE AUTHENTICATION BASED ON INTERACTIVE-COLLISION RESISTANT HASH FUNCTIONS ATEFEH MASHATAN 1 AND DOUGLAS R STINSON 2 Abstract We propose an interactive message authentication

### Protocols and Lower Bounds for Failure Localization in the Internet

Protocols and Lower Bounds for Failure Localization in the Internet Boaz Barak, Sharon Goldberg, and David Xiao Princeton University, Princeton, NJ 08544 Abstract. A secure failure-localization path-quality-monitoring

### Efficient Unlinkable Secret Handshakes for Anonymous Communications

보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 Efficient Unlinkable Secret Handshakes for Anonymous Communications Eun-Kyung Ryu 1), Kee-Young Yoo 2), Keum-Sook Ha 3) Abstract The technique

### 1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

### A Proposal for an ISO Standard for Public Key Encryption (version 2.1)

A Proposal for an ISO Standard for Public Key Encryption (version 2.1) Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com December 20, 2001 Abstract This

### CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

### Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz June 13, 2006 Abstract We propose simple and efficient CCA-secure public-key encryption schemes

### Computational Complexity: A Modern Approach

i Computational Complexity: A Modern Approach Draft of a book: Dated January 2007 Comments welcome! Sanjeev Arora and Boaz Barak Princeton University complexitybook@gmail.com Not to be reproduced or distributed

### A Brief Introduction to Property Testing

A Brief Introduction to Property Testing Oded Goldreich Abstract. This short article provides a brief description of the main issues that underly the study of property testing. It is meant to serve as

### Lecture 11: The Goldreich-Levin Theorem

COM S 687 Introduction to Cryptography September 28, 2006 Lecture 11: The Goldreich-Levin Theorem Instructor: Rafael Pass Scribe: Krishnaprasad Vikram Hard-Core Bits Definition: A predicate b : {0, 1}

### Network Security. Chapter 6 Random Number Generation

Network Security Chapter 6 Random Number Generation 1 Tasks of Key Management (1)! Generation:! It is crucial to security, that keys are generated with a truly random or at least a pseudo-random generation

### Efficient Non-interactive Proof Systems for Bilinear Groups

Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth 1, and Amit Sahai 2, 1 University College London j.groth@ucl.ac.uk 2 University of California Los Angeles sahai@cs.ucla.edu Abstract.