# CryptoVerif Tutorial

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 CryptoVerif Tutorial Bruno Blanchet INRIA Paris-Rocquencourt November 2014 Bruno Blanchet (INRIA) CryptoVerif Tutorial November / 14

2 Exercise 1: preliminary definition SUF-CMA Definition (SUF-CMA MACs) The advantage of the adversary against strong unforgeability under chosen message attacks (SUF-CMA) of MACs is: Succ suf cma MAC (t, q m, q v, l) = [ max Pr A k R mkgen; (m, s) A mac(.,k),verify(.,k,.) : verify(m, k, s) s is not the result of calling the oracle mac(., k) on m where A runs in time at most t, calls mac(., k) at most q m times with messages of length at most l, calls verify(., k,.) at most q v times with messages of length at most l. MAC is SUF-CMA if and only if Succ suf cma MAC (t, q m, q v, l) is negligible when t, q m, q v, l are polynomial in the security parameter. ] Bruno Blanchet (INRIA) CryptoVerif Tutorial November / 14

3 Exercise 1: preliminary definition IND-CCA2 Definition (IND-CCA2 symmetric encryption) The advantage of the adversary against indistinguishabibility under adaptive chosen-ciphertext attacks (IND-CCA2) of a symmetric encryption scheme SE is: Succ ind cca2 SE (t, q e, q d, l e, l d ) = b {0, R 1}; k R kgen; max 2 Pr b A enc(lr(.,.,b),k),dec(.,k) : b = b A A has not called dec(., k) on the result of 1 enc(lr(.,., b), k) where A runs in time at most t, calls enc(lr(.,., b), k) at most q e times on messages of length at most l e, calls dec(., k) at most q d times on messages of length at most l d. SE is IND-CCA2 if and only if Succ ind cca2 SE (t, q e, q d, l e, l d ) is negligible when t, q e, q d, L e, l d are polynomial in the security parameter. Bruno Blanchet (INRIA) CryptoVerif Tutorial November / 14

4 Exercise 1: preliminary definition INT-CTXT Definition (INT-CTXT symmetric encryption) The advantage of the adversary against ciphertext integrity (INT-CTXT) of a symmetric encryption scheme SE is: Succ int ctxt SE (t, q e, q d, l e, l d ) = [ max Pr A k R kgen; c A enc(.,k),dec(.,k) : dec(c, k) c is not the result of a call to the enc(., k) oracle where A runs in time at most t, calls enc(., k) at most q e times with messages of length at most l e, calls dec(., k) at most q d times with messages of length at most l d. SE is INT-CTXT if and only if Succ int ctxt SE (t, q e, q d, l e, l d ) is negligible when t, q e, q d, L e, l d are polynomial in the security parameter. ] Bruno Blanchet (INRIA) CryptoVerif Tutorial November / 14

5 Exercise 1 1 Show using CryptoVerif that, if the MAC scheme is SUF-CMA and the encryption scheme is IND-CPA, then the encrypt-then-mac scheme is IND-CPA. 2 Show using the same assumptions that the encrypt-then-mac scheme is IND-CCA2. 3 Show using the same assumptions that the encrypt-then-mac scheme is INT-CTXT. 4 What happens if the MAC scheme is only UF-CMA? Bruno Blanchet (INRIA) CryptoVerif Tutorial November / 14

6 Exercise 2: Preliminary definition A public-key encryption scheme AE consists of a key generation algorithm (pk, sk) R kgen a probabilistic encryption algorithm enc(m, pk) a decryption algorithm dec(m, sk) such that dec(enc(m, pk), sk) = m. The advantage of the adversary against indistinguishability under chosen-plaintext attacks (IND-CPA) is Succ ind cca2 AE (t) = max 2 Pr b {0, R 1}; (pk, sk) R kgen; (m A 0, m 1, s) A 1 (pk); y enc(m b, pk); 1 b A 2 (m 0, m 1, s, y) : b = b where A = (A 1, A 2 ) runs in time at most t. AE is IND-CPA if and only if Succ ind cpa AE (t) is negligible when t is polynomial in the security parameter. Bruno Blanchet (INRIA) CryptoVerif Tutorial November / 14

7 Exercise 2 Suppose that H is a hash function in the Random Oracle Model and that f is a one-way trapdoor permutation. Consider the encryption function E pk (x) = f pk (r) H(r) x, where denotes concatenation and denotes exclusive or (Bellare & Rogaway, CCS 93). What is the decryption function? Show using CryptoVerif that this public-key encryption scheme is IND-CPA. Bruno Blanchet (INRIA) CryptoVerif Tutorial November / 14

8 Exercise 3 Consider the fixed version of the Woo-Lam shared-key protocol, by Gordon and Jeffrey (CSFW 01): A B: B A: A B: B S: S B: A N (fresh nonce) {m3, B, N} kas A, B, {m3, B, N} kas {m5, A, N} kbs At the end, B verifies that {m5, A, N} kbs is the message from S. Show that, at the end of the protocol, A is authenticated to B. Suggestion: one may consider 1 First, a simple version in which A talks only to B, B talks only to A, and S talks only to A and B. 2 Then, generalize to the case in which A, B, and S may also talk to dishonest participants. Bruno Blanchet (INRIA) CryptoVerif Tutorial November / 14

9 Exercise 4 Consider the Needham-Schroeder public-key protocol, as fixed by Lowe. We first consider a simplified version without certificates: A B: B A: A B: {N A, pk A } pkb {N A, N B, pk B } pka {N B } pkb Show that, at the end of the protocol, A and B are mutually authenticated. Bruno Blanchet (INRIA) CryptoVerif Tutorial November / 14

10 Exercise 4 Now consider the full version with certificates: A S: (A, B) S A: (pk B, B, {pk B, B} sks ) A B: {N A, A} pkb B S: (B, A) S B: (pk A, A, {pk A, A} sks ) B A: {N A, N B, B} pka A B: {N B } pkb Show that, at the end of the protocol, A and B are mutually authenticated. Bruno Blanchet (INRIA) CryptoVerif Tutorial November / 14

11 Exercise 5 The advantage of the adversary against strong unforgeability under chosen message attacks (SUF-CMA) of MACs is: Succ suf cma MAC (t, q m, q v, l) = [ max Pr A k R mkgen; (m, s) A mac(.,k),verify(.,k,.) : verify(m, k, s) s is not the result of calling the oracle mac(., k) on m where A runs in time at most t, calls mac(., k) at most q m times with messages of length at most l, calls verify(., k,.) at most q v times with messages of length at most l. Represent SUF-CMA MACs in the CryptoVerif formalism. ] Bruno Blanchet (INRIA) CryptoVerif Tutorial November / 14

12 Exercise 6 A signature scheme S consists of a key generation algorithm (pk, sk) R kgen a signature algorithm sign(m, sk) a verification algorithm verify(m, pk, s) such that verify(m, pk, sign(m, sk)) = 1. The advantage of the adversary against unforgeability under chosen message attacks (UF-CMA) of signatures is: Succ uf cma S (t, q s, l) = [ max Pr A (pk, sk) R kgen; (m, s) A sign(.,sk) (pk) : verify(m, pk, s) m was never queried to the oracle sign(., sk) where A runs in time at most t, calls sign(., sk) at most q s times with messages of length at most l. Represent UF-CMA signatures in the CryptoVerif formalism. Bruno Blanchet (INRIA) CryptoVerif Tutorial November / 14 ]

13 Exercise 7 The advantage of the adversary against ciphertext integrity (INT-CTXT) of a symmetric encryption scheme SE is: Succ int ctxt SE (t, q e, q d, l e, l d ) = [ max Pr A k R kgen; c A enc(.,k),dec(.,k) : dec(c, k) c is not the result of a call to the enc(., k) oracle where A runs in time at most t, calls enc(., k) at most q e times with messages of length at most l e, calls dec(., k) at most q d times with messages of length at most l d. Represent INT-CTXT encryption in the CryptoVerif formalism. ] Bruno Blanchet (INRIA) CryptoVerif Tutorial November / 14

14 Exercise 8 A public-key encryption scheme AE consists of a key generation algorithm (pk, sk) R kgen a probabilistic encryption algorithm enc(m, pk) a decryption algorithm dec(m, sk) such that dec(enc(m, pk), sk) = m. The advantage of the adversary against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) is Succ ind cca2 AE (t, q d ) = b {0, R 1}; (pk, sk) R kgen; max 2 Pr (m 0, m 1, s) A dec(.,sk) 1 (pk); y enc(m b, pk); A b A dec(.,sk) 2 (m 0, m 1, s, y) : b = b 1 A 2 has not called dec(., sk) on y where A = (A 1, A 2 ) runs in time at most t and calls dec(., sk) at most q d times. Represent IND-CCA2 encryption in the CryptoVerif formalism. Bruno Blanchet (INRIA) CryptoVerif Tutorial November / 14

### Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense

### Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

### Ciphertext verification security of symmetric encryption schemes

www.scichina.com info.scichina.com www.springerlink.com Ciphertext verification security of symmetric encryption schemes HU ZhenYu 1, SUN FuChun 1 & JIANG JianChun 2 1 National Laboratory of Information

### Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

An extended abstract of this paper appears in Tatsuaki Okamoto, editor, Advances in Cryptology ASIACRYPT 2000, Volume 1976 of Lecture Notes in Computer Science, pages 531 545, Kyoto, Japan, December 3

### Introduction. Chapter 1

Chapter 1 Introduction This is a chapter from version 1.1 of the book Mathematics of Public Key Cryptography by Steven Galbraith, available from http://www.isg.rhul.ac.uk/ sdg/crypto-book/ The copyright

### Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

### Authenticated Encryption (AE) Instructor: Ahmad Boorghany

Sharif University of Technology Department of Computer Engineering Data and Network Security Lab Authenticated Encryption (AE) Instructor: Ahmad Boorghany Most of the slides are obtained from Bellare and

### MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

### Lecture 3: One-Way Encryption, RSA Example

ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

### The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication

### 1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

### DIGITAL SIGNATURES 1/1

DIGITAL SIGNATURES 1/1 Signing by hand COSMO ALICE ALICE Pay Bob \$100 Cosmo Alice Alice Bank =? no Don t yes pay Bob 2/1 Signing electronically Bank Internet SIGFILE } {{ } 101 1 ALICE Pay Bob \$100 scan

### Reconsidering Generic Composition

Reconsidering Generic Composition Chanathip Namprempre Thammasat University, Thailand Phillip Rogaway University of California, Davis, USA Tom Shrimpton Portland State University, USA 1/24 What is the

### Authentication and Encryption: How to order them? Motivation

Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in

MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

### 1 Construction of CCA-secure encryption

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

### Chapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes

Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret

### Semantic Security for the McEliece Cryptosystem without Random Oracles

Semantic Security for the McEliece Cryptosystem without Random Oracles Ryo Nojima 1, Hideki Imai 23, Kazukuni Kobara 3, and Kirill Morozov 3 1 National Institute of Information and Communications Technology

### CS155. Cryptography Overview

CS155 Cryptography Overview Cryptography Is n A tremendous tool n The basis for many security mechanisms Is not n The solution to all security problems n Reliable unless implemented properly n Reliable

### KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE Mihir Bellare UCSD 1 The public key setting Alice M D sk[a] (C) Bob pk[a] C C \$ E pk[a] (M) σ \$ S sk[a] (M) M, σ Vpk[A] (M, σ) Bob can: send encrypted data

### Privacy in Encrypted Content Distribution Using Private Broadcast Encryption

Privacy in Encrypted Content Distribution Using Private Broadcast Encryption Adam Barth 1, Dan Boneh 1, and Brent Waters 2 1 Stanford University, Stanford, CA 94305 {abarth, dabo}@cs.stanford.edu 2 SRI

### RSA OAEP is Secure under the RSA Assumption

This is a revised version of the extended abstract RSA OAEP is Secure under the RSA Assumption which appeared in Advances in Cryptology Proceedings of CRYPTO 2001 (19 23 august 2001, Santa Barbara, California,

### 1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

### Foundations of Group Signatures: The Case of Dynamic Groups

A preliminary version of this paper appears in Topics in Cryptology CT-RSA 05, Lecture Notes in Computer Science Vol.??, A. Menezes ed., Springer-Verlag, 2005. This is the full version. Foundations of

### Multi-Recipient Encryption Schemes: Efficient Constructions and their Security

This is the full version of the paper with same title that appeared in IEEE Transactions on Information Theory, Volume 53, Number 11, 2007. It extends the previously published versions Ku, BBS. Multi-Recipient

### Simple and Efficient Public-Key Encryption from Computational Diffie-Hellman in the Standard Model

Simple and Efficient Public-Key Encryption from Computational Diffie-Hellman in the Standard Model Kristiyan Haralambiev 1 Tibor Jager 2 Eike Kiltz 3 Victor Shoup 4 Abstract This paper proposes practical

### Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes

### Authenticated encryption

Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu October 16th, 2013 Active attacks on CPA-secure encryption

### MAC. SKE in Practice. Lecture 5

MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve

### Chapter 12. Digital signatures. 12.1 Digital signature schemes

Chapter 12 Digital signatures In the public key setting, the primitive used to provide data integrity is a digital signature scheme. In this chapter we look at security notions and constructions for this

### Crypto-Verifying Protocol Implementations in ML

Crypto-Verifying Protocol Implementations in ML Karthikeyan Bhargavan 1,2 Ricardo Corin 1,3 Cédric Fournet 1,2 1 MSR-INRIA Joint Centre 2 Microsoft Research 3 University of Twente June 2007 Abstract We

### Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

### 1 Signatures vs. MACs

CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

### Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

### Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen - Huawei, Singapore Ye Zhang - Pennsylvania State University, USA Siu Ming

### Trading One-Wayness against Chosen-Ciphertext Security in Factoring-Based Encryption

Trading One-Wayness against Chosen-Ciphertext Security in Factoring-Based Encryption Pascal Paillier 1 and Jorge L. Villar 2 1 Cryptography Group, Security Labs, Gemalto pascal.paillier@gemalto.com 2 Departament

### Computational Soundness of Symbolic Security and Implicit Complexity

Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview

### Identity-Based Encryption from the Weil Pairing

Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages

### Message Authentication Codes 133

Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in

### On the Security of the Tor Authentication Protocol

On the Security of the Tor Authentication Protocol Ian Goldberg David R. Cheriton School of Computer Science, University of Waterloo, 00 University Ave W, Waterloo, ON NL 3G1 iang@cs.uwaterloo.ca Abstract.

### Securing Remote Access Inside Wireless Mesh Networks

This is the full version of the paper which appears in: Information Security Applications: 10th International Workshop, WISA 2009, Busan, Korea, August 25-27, 2009. H. Y. Youm, M. Yung (Eds.) Springer-Verlag,

### Overview of Public-Key Cryptography

CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

### On the Security of the CCM Encryption Mode and of a Slight Variant

On the Security of the CCM Encryption Mode and of a Slight Variant Pierre-Alain Fouque 1 and Gwenaëlle Martinet 2 and Frédéric Valette 3 and Sébastien Zimmer 1 1 École normale supérieure, 45 rue d Ulm,

### Provably Secure Timed-Release Public Key Encryption

Provably Secure Timed-Release Public Key Encryption JUNG HEE CHEON Seoul National University, Korea and NICHOLAS HOPPER, YONGDAE KIM and IVAN OSIPKOV University of Minnesota - Twin Cities A timed-release

### Anonymity and Time in Public-Key Encryption

Anonymity and Time in Public-Key Encryption Elizabeth Anne Quaglia Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Mathematics

### Fuzzy Identity-Based Encryption

Fuzzy Identity-Based Encryption Janek Jochheim June 20th 2013 Overview Overview Motivation (Fuzzy) Identity-Based Encryption Formal definition Security Idea Ingredients Construction Security Extensions

### Universal Padding Schemes for RSA

Universal Padding Schemes for RSA Jean-Sébastien Coron, Marc Joye, David Naccache, and Pascal Paillier Gemplus Card International, France {jean-sebastien.coron, marc.joye, david.naccache, pascal.paillier}@gemplus.com

### Chapter 16: Authentication in Distributed System

Chapter 16: Authentication in Distributed System Ajay Kshemkalyani and Mukesh Singhal Distributed Computing: Principles, Algorithms, and Systems Cambridge University Press A. Kshemkalyani and M. Singhal

### Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol

Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol Mihir Bellare UC San Diego mihir@cs.ucsd.edu Tadayoshi Kohno UC San Diego tkohno@cs.ucsd.edu Chanathip Namprempre Thammasat

### Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Cryptosystems Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K. C= E(M, K), Bob sends C Alice receives C, M=D(C,K) Use the same key to decrypt. Public

### Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

### Symmetric Crypto MAC. Pierre-Alain Fouque

Symmetric Crypto MAC Pierre-Alain Fouque Birthday Paradox In a set of D elements, by picking at random D elements, we have with high probability a collision two elements are equal D=365, about 23 people

### 3-6 Toward Realizing Privacy-Preserving IP-Traceback

3-6 Toward Realizing Privacy-Preserving IP-Traceback The IP-traceback technology enables us to trace widely spread illegal users on Internet. However, to deploy this attractive technology, some problems

### Cryptography Overview

Cryptography Overview Cryptography Is n A tremendous tool n The basis for many security mechanisms Is not n The solution to all security problems n Reliable unless implemented properly n Reliable unless

### Wildcarded Identity-Based Encryption

Wildcarded Identity-Based Encryption Michel Abdalla 1, James Birkett 2, Dario Catalano 3, Alexander W. Dent 4, John Malone-Lee 5, Gregory Neven 6,7, Jacob C. N. Schuldt 8, and Nigel P. Smart 9 1 Ecole

### Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each

### Lecture 2 August 29, 13:40 15:40

Lecture 2 August 29, 13:40 15:40 Public-key encryption with keyword search Anonymous identity-based encryption Identity-based encryption with wildcards Public-key encryption with keyword search & anonymous

### Digital Signatures. What are Signature Schemes?

Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counter-parts of the message authentication schemes in the public

### Talk announcement please consider attending!

Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically

### How to Formally Model Features of Network Security Protocols

, pp.423-432 http://dx.doi.org/10.14257/ijsia How to Formally Model Features of Network Security Protocols Gyesik Lee Dept. of Computer & Web Information Engineering Hankyong National University Anseong-si,

### Q: Why security protocols?

Security Protocols Q: Why security protocols? Alice Bob A: To allow reliable communication over an untrusted channel (eg. Internet) 2 Security Protocols are out there Confidentiality Authentication Example:

### Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

### Non-interactive and Reusable Non-malleable Commitment Schemes

Non-interactive and Reusable Non-malleable Commitment Schemes Ivan Damgård a Jens Groth b June 16, 2003 Abstract We consider non-malleable (NM) and universally composable (UC) commitment schemes in the

### Recongurable Cryptography: A exible approach to long-term security

Recongurable Cryptography: A exible approach to long-term security Julia Hesse and Dennis Hofheinz and Andy Rupp Karlsruhe Institute of Technology, Germany {julia.hesse, dennis.hofheinz, andy.rupp}@kit.edu

### Formal Modelling of Network Security Properties (Extended Abstract)

Vol.29 (SecTech 2013), pp.25-29 http://dx.doi.org/10.14257/astl.2013.29.05 Formal Modelling of Network Security Properties (Extended Abstract) Gyesik Lee Hankyong National University, Dept. of Computer

### QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

QUANTUM COMPUTERS AND CRYPTOGRAPHY Mark Zhandry Stanford University Classical Encryption pk m c = E(pk,m) sk m = D(sk,c) m??? Quantum Computing Attack pk m aka Post-quantum Crypto c = E(pk,m) sk m = D(sk,c)

### Lecture 13: Message Authentication Codes

Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts

### CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### Message Authentication Code

Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

### An efficient and provably secure public key encryption scheme based on coding theory

SECUITY AND COMMUNICATION NETWOKS Security Comm. Networks (2010) Published online in Wiley Online Library (wileyonlinelibrary.com)..274 ESEACH ATICLE An efficient and provably secure public key encryption

### Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

### 1 Domain Extension for MACs

CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).

### Overview of Symmetric Encryption

CS 361S Overview of Symmetric Encryption Vitaly Shmatikov Reading Assignment Read Kaufman 2.1-4 and 4.2 slide 2 Basic Problem ----- ----- -----? Given: both parties already know the same secret Goal: send

### Efficient and Secure Authenticated Key Exchange Using Weak Passwords

Efficient and Secure Authenticated Key Exchange Using Weak Passwords Jonathan Katz Rafail Ostrovsky Moti Yung Abstract Mutual authentication and authenticated key exchange are fundamental techniques for

### Incremental Deterministic Public-Key Encryption

Incremental Deterministic Public-Key Encryption Ilya Mironov Omkant Pandey Omer Reingold Gil Segev Abstract Motivated by applications in large storage systems, we initiate the study of incremental deterministic

### Certificate Based Signature Schemes without Pairings or Random Oracles

Certificate Based Signature Schemes without Pairings or Random Oracles p. 1/2 Certificate Based Signature Schemes without Pairings or Random Oracles Joseph K. Liu, Joonsang Baek, Willy Susilo and Jianying

### Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz June 13, 2006 Abstract We propose simple and efficient CCA-secure public-key encryption schemes

Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

### Delegation of Cryptographic Servers for Capture-Resilient Devices

ACM, 2001. This is the authors' version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version is available at http://doi.acm.org/10.1145/501983.501986.

### A Secure RFID Ticket System For Public Transport

A Secure RFID Ticket System For Public Transport Kun Peng and Feng Bao Institute for Infocomm Research, Singapore Abstract. A secure RFID ticket system for public transport is proposed in this paper. It

### Distributed Key Generation for Secure Encrypted Deduplication

Distributed Key Generation for Secure Encrypted Deduplication Yitao Duan NetEase Youdao Beijing, China duan@rd.netease.com Abstract. Large-scale storage systems often attempt to achieve two seemingly conflicting

### A Method for Making Password-Based Key Exchange Resilient to Server Compromise

A Method for Making Password-Based Key Exchange Resilient to Server Compromise Craig Gentry 1, Philip MacKenzie 2, and Zulfikar Ramzan 3 1 Stanford University, Palo Alto, CA, USA, cgentry@cs.stanford.edu

### Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

### Cryptographic Agility and its Relation to Circular Encryption

Cryptographic Agility and its Relation to Circular Encryption Tolga Acar 1 Mira Belenkiy 2 Mihir Bellare 3 David Cash 4 Abstract We initiate a provable-security treatment of cryptographic agility. A primitive

### 1. a. Define the properties of a one-way hash function. (6 marks)

1. a. Define the properties of a one-way hash function. (6 marks) A hash function h maps arbitrary length value x to fixed length value y such that: Hard to reverse. Given value y not feasible to find

### the server that does not allow to treat relational databases. A fundamental question thus becomes what is the best guaranteed security that can be

New Security Models and Provably-Secure Schemes for Basic Query Support in Outsourced Databases Georgios Amanatidis Alexandra Boldyreva Adam O Neill Abstract In this paper, we take a closer look at the

### Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings

Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings Ernie Brickell Intel Corporation ernie.brickell@intel.com Liqun Chen HP Laboratories liqun.chen@hp.com March

### An Efficient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud

An Efficient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud Sanjay Madria Professor and Site Director for NSF I/UCRC Center on Net-Centric Software and Systems Missouri University

### Proof of Freshness: How to efficiently use an online single secure clock to secure shared untrusted memory.

Proof of Freshness: How to efficiently use an online single secure clock to secure shared untrusted memory. Marten van Dijk, Luis F. G. Sarmenta, Charles W. O Donnell, and Srinivas Devadas MIT Computer

### Identity-Based Encryption Secure Against Chosen-Ciphertext Selective Opening Attack

Identity-Based Encryption Secure Against Chosen-Ciphertext Selective Opening Attack Junzuo Lai, Robert H. Deng, Shengli Liu, Jian Weng, and Yunlei Zhao Shanghai Jiao Tong University, Shanghai 200030, China

### A Generic Framework for Three-Factor Authentication

A Generic Framework for Three-Factor Authentication Jiangshan Yu 1 Guilin Wang 2 Yi Mu 2 Wei Gao 3 1 School of Computer Science University of Birmingham, UK 2 School of Computer Science and Software Engineering

### A CCA2 Secure Variant of the McEliece Cryptosystem

1 A CCA2 Secure Variant of the McEliece Cryptosystem Nico Döttling, Rafael Dowsley, Jörn Müller-Quade and Anderson C. A. Nascimento Abstract The McEliece public-ey encryption scheme has become an interesting

### Security Analysis for Order Preserving Encryption Schemes

Security Analysis for Order Preserving Encryption Schemes Liangliang Xiao University of Texas at Dallas Email: xll052000@utdallas.edu Osbert Bastani Harvard University Email: obastani@fas.harvard.edu I-Ling

### CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014.

CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014. Instructor: Sharon Goldberg March 25, 2014. 9:30-10:50 AM. One-sided handwritten aid sheet allowed. No cell phone or calculators

### Ensuring Integrity in Cloud Computing via Homomorphic Digital Signatures: new tools and results

Ensuring Integrity in Cloud Computing via Homomorphic Digital Signatures: new tools and results Dario Catalano Dario Fiore Luca Nizzardo University of Catania Italy IMDEA Software Institute Madrid, Spain

### Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives Olivier Pereira Université catholique de Louvain ICTEAM Crypto Group B-1348, Belgium olivier.pereira@uclouvain.be