MESSAGE AUTHENTICATION IN AN IDENTITYBASED ENCRYPTION SCHEME: 1KEYENCRYPTTHENMAC


 Elfreda Baldwin
 2 years ago
 Views:
Transcription
1 MESSAGE AUTHENTICATION IN AN IDENTITYBASED ENCRYPTION SCHEME: 1KEYENCRYPTTHENMAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial Fulfillment of the Requirements for the Degree of Master of Science Florida Atlantic University Boca Raton, Florida May 2010
2 Copyright by Brittanney Jaclyn Amento 2010 ii
3
4 ACKNOWLEDGEMENTS First, I would like to thank my advisor, Dr. Rainer Steinwandt, for always pushing and believing in me especially during those times I wanted to give up! You have been an exceptional mentor and I am so thankful for your direction and confidence. Second, I would like to thank my mother, Neweleen Feldmar, for raising a strong minded, confident young woman. Eight years to get to this point and I couldn t have done it without your love and support. I know I make you proud everyday! Third, I would like to thank my dear friend Lisa Greenberg. I can t imagine how different the last two years would have been without the friendship and math partner we found in each other! Together, we are one half of a Ph.D girl! Last, I owe a sincere thank you to my Fusion boss of five years and friend, Melody Collins, for always finding a way to work my job around my education. I couldn t have done any of this without each of you in my corner! iv
5 ABSTRACT Author: Title: Institution: Thesis Advisor: Degree: Brittanney Jaclyn Amento Message Authentication in an IdentityBased Encryption Scheme: 1KeyEncryptThenMAC Florida Atlantic University Dr. Rainer Steinwandt Master of Science Year: 2010 We present an IdentityBased Encryption scheme, 1KeyEncryptThenMAC, in which we are able to verify the authenticity of messages using a MAC. We accomplish this authentication by combining an IdentityBased Encryption scheme given by Boneh and Franklin, with an IdentityBased NonInteractive Key Distribution given by Paterson and Srinivasan, and attaching a MAC. We prove the scheme is chosen plaintext secure and chosen ciphertext secure, and the MAC is existentially unforgeable. v
6 MESSAGE AUTHENTICATION IN AN IDENTITYBASED ENCRYPTION SCHEME: 1KEYENCRYPTTHENMAC 1 Introduction Preliminaries Cryptographic Primitives Security Notions The Proposed Schemes Building on BasicIdent Building on FullIdent Security Conclusion Bibliography vi
7 CHAPTER 1 INTRODUCTION In this thesis, we build on the IdentityBased Encryption scheme given by Boneh and Franklin in [2] and combine it with the IdentityBased NonInteractive Key Distribution given by Paterson and Srinivasan in [5] to create an IdentityBased Encryption scheme which authenticates messages using a MAC. We follow Martin s motivation in [4] to take a closer look at IdentityBased Encryption. IdentityBased Encryption (IBE) was first introduced in 1984 by Adi Shamir as a way to create a public key from a user s identity. IBE has all the benefits of a public key encryption scheme, plus additional benefits relating to keys being calculated for each recipient, versus being randomly generated. This relieves preenrollment requirements and the need to look up public keys (a huge hamper on public key cryptography). Calculating the keys also allows an IBE to have built in key recovery capability a requirement for use in business. We can also use an IBE to communicate with someone not already enrolled in our system by calculating a public key id for the recipient and using that key to encrypt the message we send them. The recipient would then authenticate himself to the Private Key Generator (PKG) and receive his private decryption key, creating a secure channel of communication. We should mention that a main disadvantage of an IBE versus public key encryption lies with key revocation being difficult to remedy. 1
8 An IBE consists of four algorithms: Setup, which generates the system parameters and a master key; Extract, which uses the master key to extract the private key associated with an identity id {0, 1} ; e.g., an or IP address; Encrypt, which uses an identity id to encrypt messages; and Decrypt, which uses the private key associated with the identity id to decrypt messages. An IdentityBased NonInteractive Key Distribution (IDNIKD) is a scheme which allows two parties to establish a common key without communicating. Each party receives a private key from a Trusted Authority (TA), which allows them to compute a shared key without exchanging any messages. An IDNIKD consists of three algorithms: Setup, which generates the system parameters and a master secret key; Extract, which uses the master secret key to extract the private key associated with an identity id {0, 1}; and SharedKey, which uses an identity id and a private key to return a shared key between them. We combine these two schemes, IBE and IDNIKD, and ask about our ability to authenticate messages. Below, we define our 1KeyEncryptThenMAC scheme and show that we are indeed able to authenticate messages. Further, we show our scheme is chosen plaintext secure (INDIDCPA+MAC), chosen ciphertext secure (INDIDCCA+MAC), and existentially unforgeable (UFIDCPA+MAC). 2
9 CHAPTER 2 PRELIMINARIES 2.1 Cryptographic Primitives We start by recalling the definition of an IdentityBased Encryption scheme as given by Boneh and Franklin in [2]: Definition 1 (IdentityBased Encryption). An IdentityBased Encryption scheme E is specified by four polynomial time algorithms: Setup, Extract, Encrypt, Decrypt. Setup: a probabilistic algorithm which takes a security parameter 1 k and returns params (system parameters) and master key. The system parameters include a description of a finite message space M, and a description of a finite ciphertext space C. Intuitively, the system parameters will be publicly known, while the master key will be known only to the Private Key Generator (PKG). Extract: a probabilistic algorithm which takes as input params, master key, and an arbitrary id {0, 1}, and returns a private key d id. Here id is an arbitrary user identity that will be used as a public key, and d id is the corresponding private decryption key. The Extract algorithm extracts a private key from the given identity. Encrypt: a probabilistic algorithm which takes as input params, id, and M M. It returns a ciphertext C C. 3
10 Decrypt: a deterministic algorithm which takes as input params, C C, and a private key d id. It returns M M or an error symbol. These algorithms must satisfy the standard consistency constraint, namely if d id is the private key generated by algorithm Extract when it is given id as the identity, then M M : Dec did (C) = M where C Enc id (M). We next recall the definition of an IDBased NonInteractive Key Distribution scheme as given by Paterson and Srinivasan in [5]: Definition 2 (IDBased NonInteractive Key Distribution (IDNIKD)). An IDBased Non Interactive Key Distribution (IDNIKD) scheme is specified by three distinct algorithms: Setup, Extract, and SharedKey. Algorithms Setup and Extract are executed by the Trusted Authority (TA), while SharedKey can be executed by any entity in possession of its private key and the identifier of any other entity with which it wishes to generate a shared key. Setup: on input 1 k, outputs a master public key (or system parameters) and a master secret key. Extract: on input a master public key, a master secret key, and an id {0, 1}, returns a private key from some space of private keys SK. SharedKey: on input a master public key, a private key d ida, and an identifier id B {0, 1}, where id B id A, this algorithm returns a shared key K A,B from some space of shared keys SHK specified in the master public key. We require that, for any pair of identities id A, id B, and corresponding private keys d ida 4
11 and d idb, SharedKey satisfies the constraint: SharedKey(master public key, d ida, id B ) = SharedKey(master public key, d idb, id A ) This ensures that entities A and B can indeed generate a shared key without any interaction. We will normally assume that SHK, the space of shared keys, is {0, 1} n(k) for some function n(k). We next recall the definition of a Message Authentication Code (MAC) as given by Bellare, Guerin, and Rogaway in [3]: Definition 3 (Message Authentication Code (MAC)). A Message Authentication Code (MAC) consists of three algorithms: Key Generation, Tagging, and Verification. The Tagging algorithm may be probabilistic; the Verification algorithm typically is not. Key Generation: on parameter 1 k, generates a key c and an L tag where L tag is the corresponding MAC length for k. Tagging: on input a kbit key c and a message M, algorithm Tagging outputs an L tag bit string k called the tag, or MAC, of M. Verfication: on input a kbit key c, a message M, and an L tag bit string τ, algorithm Verification outputs a true for accept and false for reject. We ask for a basic validity condition, namely that authentic signatures are accepted with probability one. That is, for any key c, message M, and tag τ which is output with positive probability by Tag(c, M), it must be the case that Verification(c, M, τ) = true. We combine the first three definitions and now introduce our IdentityBased Encryption scheme which verifies message authentication: 5
12 Definition 4 (1KeyEncryptThenMAC). We define our 1KeyEncryptThen MAC as a septuple of algorithms (Setup, Enc, Dec, KeyExtract, Tag, Ver, SharedKey) in which we use in an IdentityBased Encryption scheme to show authenticity of messages using a MAC, as follows: Setup: on input security parameter 1 k, returns the system parameters and a master secret key. The system parameters include a description of a finite message space M, and a description of a finite ciphertext space C. Enc: on input params, id, and M M computes a ciphertext C Enc id (M). Dec: on input params, C C, and a private key d id returns M or an error symbol. KeyExtract: on input params, a master secret key, and an arbitrary id {0, 1} returns a private key d id. SharedKey: on input params, a private key d ida, and an id B {0, 1}, where id A id B, returns K A,B. Tag: on input M, id A, and id B returns the tag T KA,B (M) where K A,B = SharedKey(d ida, id B, params) is a shared key between id A and id B. Ver: on input M, tag τ, and K A,B returns true if τ is a valid tag for M and false otherwise. 2.2 Security Notions To formalize the security of our 1KeyEncryptThenMAC scheme, we introduce the following definitions pertaining to chosen plaintext security, chosen ciphertext security, and MAC unforgeability. We begin by defining chosen plaintext security: 6
13 Definition 5 (INDIDCPA+MAC). Let θ = (Setup, Enc, Dec, KeyExtract, Tag, Verification, SharedKey) be a 1KeyEncryptThenMAC scheme and let A be a probabilistic polynomial time adversary. Consider the following game: 1. Challenger runs Setup on 1 k and hands public params to A. 2. A is given unrestricted access to a private key extraction oracle which associates an id with its private key d id, a tagging oracle: τ(m, id A, id B ) Tag(M, SharedKey(K A,B )), and a verification oracle: V(M, Tag, id A, id B ) {true, false}. 3. A outputs two plaintexts m 0 m 1 of equal length and some id which was NOT previously sent to the private key extraction oracle. 4. Challenger chooses b {0, 1} randomly and sends A ciphertext. C = (Enc id (M b ) } {{ } =C, Tag(C, K A,B)) 5. A is again given access to the private key extraction oracle, tagging oracle, and verification oracle with the sole restriction that she cannot query the private key extraction oracle on the id, as in Step 3). 6. A guesses b {0, 1} and wins if b = b. 7
14 The advantage Adv A (k) of A is defined as P r(b = b ) 1 2 and θ is (INDIDCPA+MAC) secure if Adv A (k) is negligible for all probabilistic polynomial time adversaries A. Next, we define the security of our MAC in the sense of existential unforgeability: Definition 6 (UFIDCPA+MAC). Let θ = (Setup, Enc, Dec, KeyExtract, Tag, Verification, SharedKey) be a 1KeyEncryptThenMAC scheme and let A be a probabilistic polynomial time adversary. Consider the following game: 1. Challenger runs Setup on 1 k and hands public params to A. 2. A is given unrestricted access to a private key extraction oracle which associates an id with its private key d id, a tagging oracle: τ(m, id A, id B ) Tag(M, SharedKey(K A,B )), and a verification oracle: V(M, Tag, id A, id B ) {true, false}. 3. A outputs a ciphertext C = (C, id A, id B, τ) with the restrictions that neither id A or id B were previously submitted to the private key extraction oracle and (C, id A, id B ) was not previously sent to the tagging oracle. A wins if Dec dida (C). The advantage Adv A (k) of A is defined as P r[dec dida (C)] 8
15 and θ is existentially unforgeable (UFIDCPA+MAC) if Adv A (k) is negligible for all probabilistic polynomial time adversaries A. Finally, we end by defining chosen ciphertext security: Definition 7 (INDIDCCA+MAC). Let θ = (Setup, Enc, Dec, KeyExtract, Tag, Verification, SharedKey) be a 1KeyEncryptThenMAC scheme and let A be a probabilistic polynomial time adversary. Consider the following game: 1. Challenger runs Setup on 1 k and hands public params to A. 2. A is given unrestricted access to a private key extraction oracle which associates an id with its private key d id, a tagging oracle: τ(m, id A, id B ) Tag(M, SharedKey(K A,B )), a verification oracle: V(M, Tag, id A, id B ) {true, false}, and a decryption oracle: Dec(id i, C i ) M i or. 3. A outputs two plaintexts m 0 m 1 of equal length and some id which was NOT previously sent to the private key extraction oracle. 4. Challenger chooses b {0, 1} randomly and sends A the challenge ciphertext C = (Enc id (M b ) } {{ } =C, Tag(C, K A,B)). 9
16 5. A is again given access to the private key extraction oracle, tagging oracle, verification oracle, and decryption oracle, with the restrictions that she cannot query the private key extraction oracle on the id, as in Step 3), and she cannot query the decryption oracle on the challenge ciphertext C. 6. A guesses b {0, 1} and wins if b = b. The advantage Adv A (k) of A is defined as P r(b = b ) 1 2 and θ is (INDIDCCA+MAC) secure if Adv A (k) is negligible for all probabilistic polynomial time adversaries A. 10
17 CHAPTER 3 THE PROPOSED SCHEMES We present our 1KeyEncryptThenMAC scheme in which we wish to use the Identity Based Encryption schemes BasicIdent and FullIdent, as given by Boneh and Franklin in [2], along with a MAC to verify authentication of messages. 3.1 Building on BasicIdent We first consider the scheme BasicIdent, which is given by four algorithms: Setup, Extract, Encrypt, and Decrypt, which model our algorithms Setup, KeyExtract, Enc, and Dec, respectively. Further, we consider an IDNIKD as given by Paterson and Srinivasan in [5], which also shares the Setup and Extract algorithms of BasicIdent. Let G be some BDH parameter generator. Setup: given security parameter k Z +, run G on input 1 k to generate a prime q, two cyclic groups G 1 and G 2 of order q, an admissible bilinear map ê : G 1 G 1 G 2, and three cryptographic hash functions H 1 : {0, 1} G 1, H 2 : G 2 {0, 1} n for some n, and H 3 : {0, 1} {0, 1} k. Choose a random s Z q where s is the master secret key and set P pub = sp, P G 1 a random generator. The system parameters also include a description of a finite message space M, and a description of a finite ciphertext space C. 11
18 KeyExtract: returns a private key d ida = sh 1 (id A ). Enc: computes Q id = H 1 (id A ) G 1, chooses a random r Z q, and sets the ciphertext to be C = (rp, M H 2 (g r id)) where g id = ê(q id, P pub ) G 2 and M M. Dec: returns M or an error message by using d ida G 1 to compute M H 2 (g r id) H 2 (ê(d ida, rp )) = M SharedKey: returns key K A,B = H 2 (ê(d ida, H 1 (id B )) where id B id A. Tag: returns the tag τ = H 3 (M K A,B ) where K A,B is a shared key between id A and id B. Ver: returns true if τ = H 3 (M K A,B ) and false otherwise. 3.2 Building on FullIdent We now consider the scheme FullIdent, which is given by four algorithms: Setup, Extract, Encrypt, and Decrypt. Let G be some BHD parameter generator. Setup: as in the BasicIdent scheme. In addition, we pick a hash function H 4 : {0, 1} n {0, 1} n Z q and H 5 : {0, 1} n {0, 1} n where n is the length of the message to be encrypted. KeyExtract: as in the BasicIdent scheme. 12
19 Enc: computes Q id = H 1 (id A ) G 1, chooses a random σ {0, 1} n, sets r = H 4 (σ, M), and sets the ciphertext to be C = (rp, σ H 2 (g r id), M H 5 (σ)) where g id = ê(q id, P pub ) G 2 and M M. Dec: if rp / G 1, rejects the ciphertext. Otherwise, returns M or an error message by using d ida G 1 to do the following: Computes σ H 2 (g r id) H 2 (ê(d ida, rp )) = σ Then computes M H 5 (σ) H 5 (σ) = M and sets r = H 4 (σ, M). Tests that this r P = rp. If not, rejects the ciphertext. Otherwise, outputs M as the decryption of C. SharedKey: as in the BasicIdent scheme. Tag: as in the BasicIdent scheme. Ver: as in the BasicIdent scheme. This completes the description of our 1KeyEncryptThenMAC scheme. 13
20 CHAPTER 4 SECURITY We now consider the security of BasicIdentMAC. The following theorem shows that BasicIdentMAC is secure in the sense of Definition 5 (INDIDCPA+MAC). We first follow Boneh and Franklin s description of a random oracle model in [1]. A random oracle is a function H : X Y chosen uniformly and at random from the set of all functions {h : X Y } (assuming Y is a finite set). An algorithm can query the random oracle at any point x X and receive the value H(x) in response. Random oracles are used to model cryptographic hash functions such as SHA1. Security proofs in the random oracle model prove security against attackers confined to the random oracle world. Theorem 1. Let H 1, H 2, and H 3 be random oracles. Then BasicIdentMAC is secure in the sense of Definition 5. Proof. Let A be a BasicIdentMAC adversary. We begin by constructing a new INDID CPA adversary B, which attacks the BonehFranklin BasicIdent scheme. B has access to an extract oracle with the sole restriction that any id sent to the extract oracle may not be queried as the challenge id. Setup: Algorithm B gets BasicIdent system parameters (q, G 1, G 2, ê, n, P, P pub, H 1, H 2, H 3 ) 14
21 and gives them to A. B chooses a random index from 1 to p(k), where p(k) is a polynomial upper bound on the number of id s queried to the tag and verification oracles, say i 0, and never sends this id i0 to the extract oracle. B simulates the extract oracle, tag oracle, and verification oracle as follows: Extract Oracle queries: Algorithm A queries an id i to the extract oracle. B responds by forwarding the id i to the extract oracle as in the BonehFranklin scheme and responds to A with d idi, the private key associated with id i. B then has the restriction that she cannot query the same id i during the challenge. Tag Oracle queries: Algorithm A queries the tag oracle with a message M and two id s, say id A and id B. B chooses one of the id s id i0 uniformly and at random, say id A, and sends it to the extract oracle, receiving back private key d ida. B has access to the SharedKey algorithm and runs it on params, id B, and d ida, receiving back K A,B. She next appends K A,B to the message M and sends it through H 3, receiving back the tag τ = H 3 (M K A,B ). B sends A the tag τ. Verification Oracle queries: Algorithm A queries the verification oracle with a message M, two id s, say id A and id B, and a tag τ. B chooses one of the id s id i0 uniformly and at random, say id A, and sends it to the extract oracle, receiving back private key d ida. B runs the SharedKey algorithm and obtains K A,B, appends K A,B to M, and runs it through H 3. If τ = H 3 (M K A,B ), B sends A true. Otherwise, B sends A false. Challenge: Once algorithm A is ready to challenge, the following occurs: 1. Algorithm A outputs two plaintexts m 0 m 1 of equal length, and an id not previously sent by A to the extract oracle. The challenger in the INDIDCPA game chooses b {0, 1} randomly. B chooses the same m 0 m 1 and id as its challenge in the INDIDCPA game and receives back corresponding ciphertext C. When the challenge id has previously been queried by B to the extract oracle, we abort. 15
22 1 Otherwise, with probability at least, B will be able to use the challenge id. B p(k) forwards C to A. 2. Algorithm A is again given access to the extract oracle, tag oracle, and verification oracle with the sole restriction that she cannot query the id she is challenging. 3. Algorithm A guesses b {0, 1}. B outputs the same guess and wins if b = b. Suppose the probability of algorithm A succeeding in breaking the BasicIdentMAC scheme is nonnegligible. Then the probability of algorithm B succeeding in breaking the BasicIdentMAC scheme is at least 1 p(k) P r[succa ], which is nonnegligible. Then P r[succ B ] 1 p(k) P r[succa ] and we have that P r[succ B ] is nonnegligible. But this is a contradiction as B is a BasicIdent adversary and therefore, the P r[succ B ] is proven to be negligible by Boneh Franklin. Therefore, our BasicIdentMAC scheme is (INDIDCPA+MAC) secure. We next consider the unforgeability of the MAC in our BasicIdentMAC scheme. The following theorem shows that the MAC in our BasicIdentMAC scheme is existentially unforgeable in the sense of Definition 6 (UFIDCPA+MAC). Theorem 2. Let H 1, H 2, and H 3 be random oracles. Then BasicIdentMAC is existentially unforgeable in the sense of Definition 6. Proof. Let A be a BasicIdentMAC adversary. We begin by constructing a new INDSK adversary B which attacks the PatersonSrinivasan IDNIKD scheme. B has access to an extract oracle, random H 3 oracle, and test oracle, with the restriction that no query to the extract oracle is allowed on either id involved in the test oracle query. Setup: Algorithm B gets IDNIKD system parameters (1 k, master public key) and gives them to A, keeping the master secret key to herself. B chooses two random indices from 16
23 1 to p(k), where p(k) is a polynomial upper bound on the number of id s queried to the extract oracle, say i 0 and i 1, and never sends id i0 or id i1 to the extract oracle. B simulates the extract oracle, tag oracle, and verification oracle as follows: Extract Oracle queries: Algorithm A queries an id i to the extract oracle. B responds by forwarding the id i to the extract oracle as in the PatersonSrinivasan scheme and responds to A with d idi, the private key associated with id i. B then has the restriction that she cannot query the same id i during the forgery. Tag Oracle queries: Algorithm A queries the tag oracle with a message M and two id s, say id A and id B. If id A = id i0 and id B = id i1, B chooses a random element from the space of shared keys, say SHK, and appends SHK to the message M, sends it through H 3, and receives the tag τ = H 3 (M SHK). We clarify below why this will be sufficient. Otherwise, B chooses one of the id s id i0, id i1 uniformly and at random, say id A, and sends it to the extract oracle, receiving back private key d ida. B has access to the SharedKey algorithm and runs it on params, id B, and d ida, receiving back K A,B. She next appends K A,B to the message M and sends it through H 3, receiving back the tag τ = H 3 (M K A,B ). In each case, B records the tag τ and the id s associated with it on an H list 3. B sends A the tag τ. Verification Oracle queries: Algorithm A queries the verification oracle with a message M, two id s, say id A and id B, and a tag τ. B checks the H list 3 for the τ associated with id A, id B, and M. In the case where id A = id i0 and id B = id i1, if τ = H 3 (M SHK), B sends A true. Otherwise, B sends A false. In all other cases, if τ = H 3 (M K A,B ), B sends A true. Otherwise, B sends A false. Forgery: Once algorithm A is ready to forge a MAC, the following occurs: 1. A outputs ciphertext C = (C, id A, id B, τ) where τ = (C, id A, id B ). When one or both of the forgery id s has previously been queried by B to the extract oracle, we 17
24 abort. Otherwise, with probability at least 1 (p(k)) 2, B will be able to use the forgery id s. 2. B queries the test oracle on id A and id B receiving back either shared key K A,B or a random shared key SHK. B checks the H list 3 for H 3 (M K A,B ). If the entry exists on the H list 3, B outputs real. Otherwise, B outputs random. Suppose that the probability of algorithm A succeeding in forging the MAC in our BasicIdentMAC scheme is nonnegligible. Then the probability of algorithm B succeeding in breaking the IDNIKD scheme is at least 1 (p(k)) 2 P r[succ A ], which is nonnegligible. We further consider the probability of a collision in the random oracles to be q 3 j 1 (1 ( (1 i 2 ))) k j=1 i=0 where q i is an upper bound on the number of queries made to random H j oracle. Therefore, the probability of collision P r[collision] is negligible. Last, we consider the advantage Adv ID NIKD (k) to be a negligible upper bound on the probability of breaking the IDNIKD scheme. Then P r[succ B ] 1 (p(k)) 2 (P r[succa ] P r[collision] Adv ID NIKD (k)) and we have that P r[succ B ] is nonnegligible. But this is a contradiction as B is an IDNIKD adversary and therefore, the P r[succ B ] is proven to be negligible by Paterson Srinivasan. Hence, the MAC in our BasicIdentMAC scheme is existentially unforgeable (UFIDCPA+MAC). Justification of the tag oracle simulation We construct a new adversary B which attacks the PatersonSrinivasan IDNIKD scheme. B has access to an extract oracle, random H 3 oracle, and a test oracle. B simulates the tag oracle and verification oracle 18
25 exactly as B above EXCEPT when A outputs a forgery on id i0 and id i1. Then, B queries the test oracle and receives either the true shared key K i0,i 1 or a random shared key SHK. B computes the tag as B above, using the shared key received from the test oracle, and sends τ to A. Suppose the probability of the difference between the probability of algorithm A succeeding in forging the MAC using the true key, and the probability of algorithm A succeeding in forging the MAC using a random key, is nonnegligible. Then the probability of B succeeding in correctly solving the challenge from the test oracle is P r[succ B ] = 1 2 (P r[succa true] (1 P r[succ A random])) and we have that P r[succ B ] is nonnegligible. But this is a contradiction as B is an IDNIKD adversary; therefore, the P r[succ B ] is proven to be negligible by Paterson Srinivasan. Therefore, the MAC in our BasicIdentMAC scheme is existentially unforgeable (UFIDCPA+MAC). We now consider the security of FullIdentMAC. The following theorem shows that FullIdentMAC is secure in the sense of Definition 7, (INDIDCCA+MAC). Theorem 3. Let H 1, H 2, H 3, H 4, and H 5 be random oracles. Then FullIdentMAC is secure in the sense of Definition 7 (INDIDCCA+MAC). Proof. Let A be a FullIdentMAC adversary. We begin by constructing a new INDID CCA adversary B, which attacks the BonehFranklin FullIdent scheme. B has access to an extract oracle with the sole restriction that any id sent to the extract oracle may not be queried as the challenge id. Setup: Algorithm B gets FullIdent system parameters (q, G 1, G 2, ê, n, P, P pub, H 1, H 2, H 3, H 4, H 5 ) 19
26 and gives them to A. B chooses a random index from 1 to p(k), where p(k) is a polynomial upper bound on the number of id s queried to the tag and verification oracles, say i 0, and never sends this id i0 to the extract oracle. B simulates the extract oracle, tag oracle, verification oracle, and decryption oracle as follows: Extract Oracle queries: as in the BasicIdentMAC scheme. Tag Oracle queries: as in the BasicIdentMAC scheme. Verification Oracle queries: as in the BasicIdentMAC scheme. Decryption Oracle queries: Algorithm A queries the decryption oracle with an id, say id A, and ciphertext C A. B responds by forwarding (id A, C A ) to the decryption oracle as in the BonehFranklin scheme and responds to A with M A or. B then has the restriction that she cannot query the same (id A, C A ) during the challenge. Challenge: Once algorithm A is ready to challenge, the following occurs: 1. Algorithm A outputs two plaintexts m 0 m 1 of equal length, and an id not previously sent by A to the extract oracle. The challenger in the INDIDCCA game chooses b {0, 1} randomly. B chooses the same m 0 m 1 and id as its challenge in the INDIDCCA game and receives back corresponding ciphertext C. When the challenge id has previously been queried by B to the extract oracle, we abort. 1 Otherwise, with probability at least, B will be able to use the challenge id. B p(k) forwards C to A. 2. Algorithm A is again given access to the extract oracle, tag oracle, verification oracle, and decryption oracle with the restrictions that she cannot query the id she is challenging to the extract oracle or the challenge ciphertext and id to the decryption oracle. 3. Algorithm A guesses b {0, 1}. B outputs the same guess and wins if b = b. 20
27 Suppose the probability of algorithm A succeeding in breaking the FullIdentMAC scheme is nonnegligible. Then the probability of algorithm B succeeding in breaking the FullIdentMAC scheme is at least 1 p(k) P r[succa ], which is nonnegligible. Then P r[succ B ] 1 p(k) P r[succa ] and we have that P r[succ B ] is nonnegligible. But this is a contradiction as B is a FullIdent adversary and therefore, the P r[succ B ] is proven to be negligible by Boneh Franklin. Hence, our FullIdentMAC scheme is (INDIDCCA+MAC) secure. 21
28 CHAPTER 5 CONCLUSION In this thesis, we combined an IdentityBased Encryption scheme and a NonInteractive Key Distribution scheme to achieve our goal of message authentication, while maintaining semantic security and unforgeability. We conclude with an open question: Can we build a compiler that takes as input an existentially unforgeable MAC and an IBE, and outputs our 1KeyEncryptThenMAC scheme, while maintaining security in the sense of indistinguishability and unforgability? 22
29 BIBLIOGRAPHY [1] D. Boneh and M. Franklin. IdentityBased Encryption from the Weil Pairing. In J. Kilian, editor, Advances in Cryptology CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages SpringerVerlag, [2] D. Boneh and M. Franklin. IdentityBased Encryption from the Weil Pairing. SIAM Journal of Computing, 32(3): , Available at stanford.edu/ dabo/papers/bfibe.pdf; extended abstract in [1]. [3] R. Guerin M. Bellare and P. Rogaway. XOR MACs: New Methods for Message Authentication Using Finite Pseudorandom Functions. In Advances in Cryptology CRYPTO 95, volume 963 of Lecture Notes in Computer Science, pages Springer BerlinHeidelberg, [4] L. Martin. IdentityBased Encryption: A Closer Look. The Information Systems Security Association Journal, 3(9):22 24, [5] K. Paterson and S. Srinivasan. On the Relations Between NonInteractive Key Distribution, IdentityBased Encryption and Trapdoor Discrete Log Groups. Designs, Codes and Cryptography, 52(2): , August
IdentityBased Encryption from the Weil Pairing
Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages
More informationKey Privacy for Identity Based Encryption
Key Privacy for Identity Based Encryption Internet Security Research Lab Technical Report 20062 Jason E. Holt Internet Security Research Lab Brigham Young University c 2006 Brigham Young University March
More informationCryptography. Identitybased Encryption. JeanSébastien Coron and David Galindo. May 15, 2014. Université du Luxembourg
Identitybased Encryption Université du Luxembourg May 15, 2014 Summary IdentityBased Encryption (IBE) What is IdentityBased Encryption? Difference with conventional PK cryptography. Applications of
More information1 Message Authentication
Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions
More informationIdentity based cryptography
Identity based cryptography The case of encryption schemes David Galindo d.galindo@cs.ru.nl Security of Systems Department of Computer Science Radboud Universiteit Nijmegen Identity based cryptography
More information1 Construction of CCAsecure encryption
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of secure encryption We now show how the MAC can be applied to obtain a secure encryption scheme.
More informationNew Efficient Searchable Encryption Schemes from Bilinear Pairings
International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang
More informationThreshold Identity Based Encryption Scheme without Random Oracles
WCAN 2006 Threshold Identity Based Encryption Scheme without Random Oracles Jin Li School of Mathematics and Computational Science Sun Yatsen University Guangzhou, P.R. China Yanming Wang Lingnan College
More informationMACs Message authentication and integrity. Table of contents
MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and
More informationMessage Authentication Code
Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBCMAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44
More informationIntroduction. Digital Signature
Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology
More informationLecture 9  Message Authentication Codes
Lecture 9  Message Authentication Codes Boaz Barak March 1, 2010 Reading: BonehShoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,
More informationLecture 25: PairingBased Cryptography
6.897 Special Topics in Cryptography Instructors: Ran Canetti and Ron Rivest May 5, 2004 Lecture 25: PairingBased Cryptography Scribe: Ben Adida 1 Introduction The field of PairingBased Cryptography
More informationCertificate Based Signature Schemes without Pairings or Random Oracles
Certificate Based Signature Schemes without Pairings or Random Oracles p. 1/2 Certificate Based Signature Schemes without Pairings or Random Oracles Joseph K. Liu, Joonsang Baek, Willy Susilo and Jianying
More informationLecture 13: Message Authentication Codes
Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts
More informationOutline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures
Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike
More informationLecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture  PRGs for one time pads
CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs
More information1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.
1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks
More information1 Signatures vs. MACs
CS 120/ E177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. KatzLindell 10 1 Signatures vs. MACs Digital signatures
More informationChosenCiphertext Security from IdentityBased Encryption
ChosenCiphertext Security from IdentityBased Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCAsecure publickey encryption schemes (i.e., schemes
More informationImproved Online/Offline Signature Schemes
Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion
More informationencryption Presented by NTU Singapore
A survey on identity based encryption Presented by Qi Saiyu NTU Singapore Outline Introduction of public key encryption Identitybased encryption (IBE) Hierarchical identity based encryption (HIBE) Before
More informationCryptoVerif Tutorial
CryptoVerif Tutorial Bruno Blanchet INRIA ParisRocquencourt bruno.blanchet@inria.fr November 2014 Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 1 / 14 Exercise 1: preliminary definition SUFCMA
More informationFuzzy IdentityBased Encryption
Fuzzy IdentityBased Encryption Janek Jochheim June 20th 2013 Overview Overview Motivation (Fuzzy) IdentityBased Encryption Formal definition Security Idea Ingredients Construction Security Extensions
More informationIDbased Cryptography and SmartCards
IDbased Cryptography and SmartCards Survol des techniques cryptographiques basées sur l identité et implémentation sur carte à puce The Need for Cryptography Encryption! Transform a message so that only
More informationIEEE Draft P1363.3. Identity Based Public Key Cryptography Based On Pairings. Daniel Schliebner. 14. Dezember 2009
Identity Based Public Key Cryptography Based On Pairings 14. Dezember 2009 Gliederung Introduction Identity Based Encryption The Protocol Security Of The Protocol Discussion About The Headline Identity
More informationA Performance Analysis of IdentityBased Encryption Schemes
A Performance Analysis of IdentityBased Encryption Schemes Pengqi Cheng, Yan Gu, Zihong Lv, Jianfei Wang, Wenlei Zhu, Zhen Chen, Jiwei Huang Tsinghua University, Beijing, 084, China Abstract We implemented
More informationDigital Signatures. Prof. Zeph Grunschlag
Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each
More informationAuthenticated encryption
Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu October 16th, 2013 Active attacks on CPAsecure encryption
More informationCSC474/574  Information Systems Security: Homework1 Solutions Sketch
CSC474/574  Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a oneround Feistel cipher
More informationTalk announcement please consider attending!
Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically
More informationUniversally Composable IdentityBased Encryption
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More information1 Domain Extension for MACs
CS 127/CSCI E127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures KatzLindell Ÿ4.34.4 (2nd ed) and Ÿ12.012.3 (1st ed).
More informationSome Identity Based Strong BiDesignated Verifier Signature Schemes
Some Identity Based Strong BiDesignated Verifier Signature Schemes Sunder Lal and Vandani Verma Department of Mathematics, Dr. B.R.A. (Agra), University, Agra282002 (UP), India. Email sunder_lal2@rediffmail.com,
More informationCh.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis
Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography
More informationIdentitybased Encryption with PostChallenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks
Identitybased Encryption with PostChallenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen  Huawei, Singapore Ye Zhang  Pennsylvania State University, USA Siu Ming
More informationEfficient Unlinkable Secret Handshakes for Anonymous Communications
보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 Efficient Unlinkable Secret Handshakes for Anonymous Communications EunKyung Ryu 1), KeeYoung Yoo 2), KeumSook Ha 3) Abstract The technique
More informationSignature Schemes. CSG 252 Fall 2006. Riccardo Pucella
Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by
More informationSimplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings
Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings Ernie Brickell Intel Corporation ernie.brickell@intel.com Liqun Chen HP Laboratories liqun.chen@hp.com March
More informationA New and Efficient Signature on Commitment Values
International Journal of Network Security, Vol.7, No., PP.0 06, July 2008 0 A New and Efficient Signature on Commitment Values Fangguo Zhang,3, Xiaofeng Chen 2,3, Yi Mu 4, and Willy Susilo 4 (Corresponding
More informationLecture 2: Complexity Theory Review and Interactive Proofs
600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography
More informationMessage Authentication Codes 133
Message Authentication Codes 133 CLAIM 4.8 Pr[Macforge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomialtime adversary A who attacks the fixedlength MAC Π and succeeds in
More informationDigital Signatures. What are Signature Schemes?
Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counterparts of the message authentication schemes in the public
More informationEfficient Hierarchical Identity Based Encryption Scheme in the Standard Model
Informatica 3 (008) 07 11 07 Efficient Hierarchical Identity Based Encryption Scheme in the Standard Model Yanli Ren and Dawu Gu Dept. of Computer Science and Engineering Shanghai Jiao Tong University
More informationChosenCiphertext Security from IdentityBased Encryption
ChosenCiphertext Security from IdentityBased Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz June 13, 2006 Abstract We propose simple and efficient CCAsecure publickey encryption schemes
More informationChapter 12. Digital signatures. 12.1 Digital signature schemes
Chapter 12 Digital signatures In the public key setting, the primitive used to provide data integrity is a digital signature scheme. In this chapter we look at security notions and constructions for this
More informationLecture 3: OneWay Encryption, RSA Example
ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: OneWay Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require
More informationLecture 15  Digital Signatures
Lecture 15  Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations  easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.
More informationKey Refreshing in Identitybased Cryptography and its Application in MANETS
Key Refreshing in Identitybased Cryptography and its Application in MANETS Shane Balfe, Kent D. Boklan, Zev Klagsbrun and Kenneth G. Paterson Royal Holloway, University of London, Egham, Surrey, TW20
More informationProvableSecurity Analysis of Authenticated Encryption in Kerberos
ProvableSecurity Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 303320765
More informationThe Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)
The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication
More informationAuthentication and Encryption: How to order them? Motivation
Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in
More informationCCLAS: A Practical and Compact Certificateless Aggregate Signature with Share Extraction
International Journal of Network Security, Vol.16, No.3, PP.174181, May 2014 174 CCLAS: A Practical and Compact Certificateless Aggregate Signature with Share Extraction Min Zhou 1, Mingwu Zhang 2, Chunzhi
More informationMTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic
More informationAnonymity and Time in PublicKey Encryption
Anonymity and Time in PublicKey Encryption Elizabeth Anne Quaglia Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Mathematics
More informationPrivacy in Encrypted Content Distribution Using Private Broadcast Encryption
Privacy in Encrypted Content Distribution Using Private Broadcast Encryption Adam Barth 1, Dan Boneh 1, and Brent Waters 2 1 Stanford University, Stanford, CA 94305 {abarth, dabo}@cs.stanford.edu 2 SRI
More informationNetwork Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 81
Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 81 Public Key Cryptography symmetric key crypto v requires sender, receiver know shared secret
More informationSymmetric Crypto MAC. PierreAlain Fouque
Symmetric Crypto MAC PierreAlain Fouque Birthday Paradox In a set of D elements, by picking at random D elements, we have with high probability a collision two elements are equal D=365, about 23 people
More informationIdentity Based Undeniable Signatures
Identity Based Undeniable Signatures Benoît Libert JeanJacques Quisquater UCL Crypto Group Place du Levant, 3. B1348 LouvainLaNeuve. Belgium {libert,jjq}@dice.ucl.ac.be http://www.uclcrypto.org/ Abstract.
More informationSECURITY IN NETWORKS
SECURITY IN NETWORKS GOALS Understand principles of network security: Cryptography and its many uses beyond confidentiality Authentication Message integrity Security in practice: Security in application,
More informationAn Introduction to Identitybased Cryptography CSEP 590TU March 2005 Carl Youngblood
An Introduction to Identitybased Cryptography CSEP 590TU March 2005 Carl Youngblood One significant impediment to the widespread adoption of publickey cryptography is its dependence on a publickey infrastructure
More informationEfficient CertificateBased Encryption Scheme Secure Against Key Replacement Attacks in the Standard Model *
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 0, 55568 (04) Efficient CertificateBased Encryption Scheme Secure Against Key Replacement Attacks in the Standard Model * College of Computer and Information
More informationCIS 5371 Cryptography. 8. Encryption 
CIS 5371 Cryptography p y 8. Encryption  Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: Allornothing secrecy.
More informationPrivacyProviding Signatures and Their Applications. PhD Thesis. Author: Somayeh Heidarvand. Advisor: Jorge L. Villar
PrivacyProviding Signatures and Their Applications PhD Thesis Author: Somayeh Heidarvand Advisor: Jorge L. Villar PrivacyProviding Signatures and Their Applications by Somayeh Heidarvand In fulfillment
More informationAdvanced Cryptography
Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.
More informationAuthenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre
Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense
More informationDemocratic Group Signatures on Example of Joint Ventures
Democratic Group Signatures on Example of Joint Ventures Mark Manulis HorstGörtz Institute RuhrUniversity of Bochum D44801, Germany EMail: mark.manulis@rub.de Abstract. In the presence of economic globalization
More informationCryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs
Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a
More informationCiphertextAuditable Identitybased Encryption
International Journal of Network Security, Vol.17, No.1, PP.23 28, Jan. 2015 23 CiphertextAuditable Identitybased Encryption Changlu Lin 1, Yong Li 2, Kewei Lv 3, and ChinChen Chang 4,5 (Corresponding
More informationCapture Resilient ElGamal Signature Protocols
Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department
More informationVictor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract
Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart
More informationNonBlackBox Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak
NonBlackBox Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a
More informationNetwork Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering
Network Security Gaurav Naik Gus Anderson, Philadelphia, PA Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14:
More informationIntroduction to Cryptography
Introduction to Cryptography Part 3: real world applications JeanSébastien Coron January 2007 Publickey encryption BOB ALICE Insecure M E C C D channel M Alice s publickey Alice s privatekey Authentication
More informationModular Security Proofs for Key Agreement Protocols
Modular Security Proofs for Key Agreement Protocols Caroline Kudla and Kenneth G. Paterson Information Security Group Royal Holloway, niversity of London, K {c.j.kudla,kenny.paterson}@rhul.ac.uk Abstract.
More informationDigital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem
Digital Signatures Murat Kantarcioglu Based on Prof. Li s Slides Digital Signatures: The Problem Consider the reallife example where a person pays by credit card and signs a bill; the seller verifies
More informationPublic Key Encryption with keyword Search
Public Key Encryption with keyword Search Dan Boneh Stanford University Giovanni Di Crescenzo Telcordia Rafail Ostrovsky Giuseppe Persiano UCLA Università di Salerno Abstract We study the problem of searching
More informationOblivious SignatureBased Envelope
Oblivious SignatureBased Envelope Ninghui Li Department of Computer Science Stanford University Gates 4B Stanford, CA 943059045 ninghui.li@cs.stanford.edu Wenliang Du Department of Electrical Engineering
More informationIdentityBased Encryption from the Weil Pairing
IdentityBased Encryption from the Weil Pairing Dan Boneh 1, and Matt Franklin 2 1 Computer Science Department, Stanford University, Stanford CA 943059045 dabo@cs.stanford.edu 2 Computer Science Department,
More informationUniversal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure PublicKey Encryption
Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure PublicKey Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical publickey
More informationLecture 5  CPA security, Pseudorandom functions
Lecture 5  CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.
More informationIntroduction to Cryptography CS 355
Introduction to Cryptography CS 355 Lecture 30 Digital Signatures CS 355 Fall 2005 / Lecture 30 1 Announcements Wednesday s lecture cancelled Friday will be guest lecture by Prof. Cristina Nita Rotaru
More information9 Digital Signatures: Definition and First Constructions. Hashing.
Leo Reyzin. Notes for BU CAS CS 538. 1 9 Digital Signatures: Definition and First Constructions. Hashing. 9.1 Definition First note that encryption provides no guarantee that a message is authentic. For
More informationIdentityBased Encryption: A 30Minute Tour. Palash Sarkar
IdentityBased Encryption: A 30Minute Tour Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata,
More informationComputational Soundness of Symbolic Security and Implicit Complexity
Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 37, 2013 Overview
More informationChapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes
Chapter 11 Asymmetric Encryption The setting of publickey cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret
More informationSecurity Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012
Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database
More informationCSCE 465 Computer & Network Security
CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA DiffieHellman Key Exchange Public key and
More informationTextbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures
Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures Department of Computer Science and Information Engineering, Chaoyang University of Technology 朝 陽 科 技 大 學 資 工
More informationOverview of Cryptographic Tools for Data Security. Murat Kantarcioglu
UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the
More informationINTERACTIVE TWOCHANNEL MESSAGE AUTHENTICATION BASED ON INTERACTIVECOLLISION RESISTANT HASH FUNCTIONS
INTERACTIVE TWOCHANNEL MESSAGE AUTHENTICATION BASED ON INTERACTIVECOLLISION RESISTANT HASH FUNCTIONS ATEFEH MASHATAN 1 AND DOUGLAS R STINSON 2 Abstract We propose an interactive message authentication
More informationPublic Key Encryption with keyword Search
Public Key Encryption with keyword Search Dan Boneh Stanford University Giovanni Di Crescenzo Telcordia Rafail Ostrovsky Giuseppe Persiano UCLA Università di Salerno Abstract We study the problem of searching
More informationNoninteractive and Reusable Nonmalleable Commitment Schemes
Noninteractive and Reusable Nonmalleable Commitment Schemes Ivan Damgård a Jens Groth b June 16, 2003 Abstract We consider nonmalleable (NM) and universally composable (UC) commitment schemes in the
More informationSecurity Analysis of DRBG Using HMAC in NIST SP 80090
Security Analysis of DRBG Using MAC in NIST SP 80090 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@ufukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator
More informationHierarchical IDBased Cryptography
Hierarchical IDBased Cryptography Craig Gentry 1 and Alice Silverberg 2 1 DoCoMo USA Labs San Jose, CA, USA cgentry@docomolabsusa.com 2 Department of Mathematics Ohio State University Columbus, OH, USA
More informationProvably Secure TimedRelease Public Key Encryption
Provably Secure TimedRelease Public Key Encryption JUNG HEE CHEON Seoul National University, Korea and NICHOLAS HOPPER, YONGDAE KIM and IVAN OSIPKOV University of Minnesota  Twin Cities A timedrelease
More informationOverview of PublicKey Cryptography
CS 361S Overview of PublicKey Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.16 slide 2 PublicKey Cryptography public key public key? private key Alice Bob Given: Everybody knows
More informationCIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives
CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; DH key exchange; Hash functions; Application of hash
More informationMessage Authentication Codes. Lecture Outline
Message Authentication Codes Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Message Authentication Code Lecture Outline 1 Limitation of Using Hash Functions for Authentication Require an authentic
More information