Separations in Circular Security for Arbitrary Length Key Cycles. Venkata Koppula, Kim Ramchen, Brent Waters


Circular Security

Two users hold key pairs (pk, sk) and (pk', sk'). The first encrypts its secret key under the other's public key, Enc(pk', sk); the second does the same, Enc(pk, sk'). An observer thus sees the pair Enc(pk, sk'), Enc(pk', sk).

Optimistic view: Enc(pk, sk'), Enc(pk', sk) ≈ Enc(pk, 0), Enc(pk', 0), i.e. the observer does not learn sk or sk'.

n-circular Security [CL01]

A key cycle of length n: Enc(pk_1, sk_2), Enc(pk_2, sk_3), ..., Enc(pk_n, sk_1).

Security game between a challenger and an adversary:
Challenger: Choose bit b. Choose n key pairs (pk_i, sk_i). Depending on b, set y_i = Enc(pk_i, 0) for all i, or y_i = Enc(pk_i, sk_{i+1}) for all i (indices mod n, so sk_{n+1} = sk_1). Send (pk_1, ..., pk_n, y_1, ..., y_n) to the adversary.
Adversary: receives (pk_1, ..., pk_n, y_1, ..., y_n) and outputs a guess for b.

Applications of n-circular Security

Disk encryption utilities
Anonymous credential system - Camenisch & Lysyanskaya [CL01]
Bootstrapping HE - Gentry [G09]

n-Circular Secure Schemes

Boneh, Hamburg, Halevi & Ostrovsky: DDH based construction [BHHO08]
Applebaum, Cash, Peikert & Sahai: LWE based construction [ACPS09]
Extending functionalities - [BG10, BHHI10, BGK11, App11, MTY11, BV11, AP12]

Is circular security implied by semantic security?

Circular Security - Negative Results

n=1. Folklore: any IND-CPA secure encryption scheme can be transformed into one that is IND-CPA secure, but not 1-circular secure.

n=2. Acar, Belenkiy, Bellare & Cash [ABBC10]: semantic security does not imply circular security (in bilinear groups). Cash, Green & Hohenberger [CGH12]: semantic security does not imply weak circular security.

Is circular security implied by semantic security for n>2?

Our Results

Theorem 1: Assuming iO + PRGs, semantic security does not imply n-circular security.
Theorem 2: Assuming iO + PRGs, semantic security does not imply n-circular security for bit encryption.
Theorem 3: If there exists an IND-CPA secure, n-circular insecure scheme, then there exists an IND-CPA secure scheme where a key cycle results in key recovery.

Revisiting the circular security picture: Theorem 1 refutes the optimistic indistinguishability Enc(pk, sk'), Enc(pk', sk) ≈ Enc(pk, 0), Enc(pk', 0); Theorems 1 & 3 together refute even the weaker hope that the observer does not learn sk/sk'.

This talk: Theorem 1.

Code Obfuscation

Goal: make programs maximally unintelligible. An obfuscator takes a program P and outputs an obfuscated program with the same functionality.

Virtual Black Box (VBB) obfuscator [BGIRSVY01]: having the obfuscated code ≈ having black box access to the code.

Indistinguishability obfuscator (iO): for functionally identical circuits C_0, C_1, iO(C_0) ≈ iO(C_1).
The [BGIRSVY01] negative result does not apply to iO.
[GGHRSW13] gave a candidate construction for iO.

Transform an IND-CPA scheme E into an n-circular insecure scheme E'.
Prove E' is IND-CPA secure using VBB obfuscation.
Modify E' to use indistinguishability obfuscation.

IND-CPA Scheme E and Scheme E'

Scheme E: Setup → (pk, sk); Enc(pk, m) → ct; Dec(sk, ct) → m.
Scheme E': Setup → (pk, sk) as in E; Enc'(pk, m) → (ct, aux) with ct = Enc(pk, m); Dec(sk, ct) → m, ignoring aux. The auxiliary component aux helps detect cycles, but shouldn't break IND-CPA.

In E', aux = iO(P) for the following program P.

Program P
Constants: m, pk
Inputs: ct_1, ..., ct_n
1. sk_2 = m.
2. For i = 2 to n: sk_{i+1} = Dec(sk_i, ct_i).
3. Check sk_{n+1} is the secret key for pk. If yes, output 1.

E' is n-circular insecure

The adversary receives pk_1, Enc'(pk_1, sk_2) = (ct_1*, iO(P_1)); pk_2, Enc'(pk_2, sk_3) = (ct_2*, iO(P_2)); ...; pk_n, Enc'(pk_n, sk_1) = (ct_n*, iO(P_n)).
P_1 has constants m = sk_2 and pk = pk_1. Running iO(P_1) on inputs ct_1*, ..., ct_n* recovers sk_3, ..., sk_n and sk_{n+1} = sk_1 in step 2; step 3 confirms that sk_1 is the secret key for pk_1, so the output is 1.

E' is n-circular insecure (encryptions of 0)

Now the adversary receives pk_1, Enc'(pk_1, 0) = (ct_1*, iO(P_1)); pk_2, Enc'(pk_2, 0) = (ct_2*, iO(P_2)); ...; pk_n, Enc'(pk_n, 0) = (ct_n*, iO(P_n)).
P_1 has constants m = 0 and pk = pk_1. Running iO(P_1) on ct_1*, ..., ct_n* starts the chain from sk_2 = 0, so the check in step 3 fails w.h.p. and the output is not 1. The adversary therefore distinguishes the key cycle from encryptions of 0.

Is E' IND-CPA secure?

Assuming iO is a virtual black box obfuscator?
Assuming iO is an indistinguishability obfuscator??

Scheme E' (modified to use iO)

Setup → secret key (sk, r), public key (pk, t = PRG(r)).
Enc'(pk, m) → (ct, iO(P')).
Dec(sk, ct) → m.

Program P'
Constants: m, pk, t (where t = PRG(r) is part of the public key)
Inputs: ct_1, ..., ct_n
1. sk_2 = m.
2. For i = 2 to n: (sk_{i+1}, r_{i+1}) = Dec(sk_i, ct_i).
3. Check sk_{n+1} is the secret key for pk. Check PRG(r_{n+1}) = t. If yes, output 1.

Proving E' n-circular insecure: same argument as before.
Proving E' IND-CPA secure: follows from iO + PRG security.

Theorem 1: Assuming iO + PRGs exist, there exists a scheme E' that is IND-CPA secure but not n-circular secure.
Related concurrent work: [MO13] showed a different construction using VBB obfuscation.

Conclusions and Open Problems

IND-CPA security does not imply n-circular security.
Our solution uses indistinguishability obfuscation.
Can we get these counterexamples from weaker assumptions? From multilinear maps?
Rothblum's counterexample [R13] for bit encryption comes close.

Thank you! Questions?

IND-CPA Adversary (proof sketch for the modified E')

Real scheme: public key = (pk, t = PRG(r)); Enc'(m, pk) = (ct, iO(P')).

Program P'
Constants: m, t
Inputs: ct_1, ..., ct_n
1. sk_2 = m.
2. For i = 2 to n: (sk_{i+1}, r_{i+1}) = Dec(sk_i, ct_i).
3. Check PRG(r_{n+1}) = t. If yes, output 1.

Step 1 (PRG security): public key = (pk, t random); Enc'(m, pk) = (ct, iO(P')) with the same P'. Now the check in step 3 fails w.h.p. on every input, since a random t lies outside the PRG's image.

Step 2 (iO security): public key = (pk, t random); Enc'(m, pk) = (ct, iO(P'')), where P'' has the same constants and inputs but consists only of: 1. Output a fixed rejecting value. P' and P'' are functionally identical, so iO(P') ≈ iO(P''), and the auxiliary component no longer depends on m.
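As an added example (not the authors' code), here is the modified E' construction and both experiments in Python: toy ElGamal over the 10-bit prime 1019 stands in for E, SHA-256 for the PRG, and the obfuscation step is omitted, with P' handed out in the clear, since iO preserves functionality and this example only exercises that functionality. All function names are this example's own; it runs the [CL01] n-circular game against the cycle tester and the first hybrid (random t) of the IND-CPA argument.

```python
"""Toy model of the talk's cycle-tester construction (added example, not the
authors' code).  E is toy ElGamal over the 10-bit prime 1019 (constructed and
insecure, so the example runs instantly), the PRG is a SHA-256 stand-in, and
the obfuscation step is omitted: P' is handed out in the clear, since iO
preserves functionality and this example only exercises that functionality."""
import hashlib
import secrets

P_MOD = 1019  # constructed toy prime 2*509+1; 2 is a primitive root mod 1019
G = 2

def prg(seed: int) -> bytes:
    """Stand-in PRG: stretches a short seed to 256 bits (toy, not proof-grade)."""
    return hashlib.sha256(seed.to_bytes(4, "big")).digest()

# ---- base scheme E (toy ElGamal); messages are nonzero residues mod P_MOD ----
def e_setup():
    sk = secrets.randbelow(P_MOD - 2) + 1  # sk in [1, p-2], so pk = G^sk != 1
    return pow(G, sk, P_MOD), sk

def e_enc(pk, m):
    y = secrets.randbelow(P_MOD - 2) + 1
    return pow(G, y, P_MOD), (m * pow(pk, y, P_MOD)) % P_MOD

def e_dec(sk, ct):
    c1, c2 = ct
    return (c2 * pow(c1, -sk, P_MOD)) % P_MOD

def is_secret_key(sk, pk):
    """The 'sk is the secret key for pk' check of step 3."""
    return pow(G, sk, P_MOD) == pk

# ---- modified scheme E': secret key (sk, r), public key (pk, t = PRG(r)) ----
def ep_setup():
    pk, sk = e_setup()
    r = secrets.randbelow(P_MOD - 1) + 1
    return (pk, prg(r)), (sk, r)

def make_program(m, pk, t, n):
    """Program P' with constants m = (sk_2, r_2), pk, t and inputs ct_1..ct_n.
    Outputs 1 iff chaining Dec along ct_2..ct_n yields sk_{n+1} matching pk and
    r_{n+1} with PRG(r_{n+1}) = t.  Returned unobfuscated (iO omitted)."""
    def p_prime(cts):
        sk_i, r_i = m                         # step 1: sk_2 = m
        for i in range(1, n):                 # step 2: i = 2..n; cts[i] is ct_{i+1}
            ct_sk, ct_r = cts[i]              # the (sk, r) message is sent as two E-ciphertexts
            sk_i, r_i = e_dec(sk_i, ct_sk), e_dec(sk_i, ct_r)
        return 1 if is_secret_key(sk_i, pk) and prg(r_i) == t else 0  # step 3
    return p_prime

def ep_enc(pk_prime, m, n):
    """Enc'((pk, t), m): E-ciphertexts of both components of m, plus the tester."""
    pk, t = pk_prime
    ct = (e_enc(pk, m[0]), e_enc(pk, m[1]))
    return ct, make_program(m, pk, t, n)

def ep_dec(sk_prime, ct_prime):
    """Dec' ignores the auxiliary program, as in the talk."""
    (ct_sk, ct_r), _prog = ct_prime
    return e_dec(sk_prime[0], ct_sk), e_dec(sk_prime[0], ct_r)

def n_circular_challenger(n, b):
    """[CL01] game: b = 1 encrypts the cycle sk'_2, ..., sk'_n, sk'_1; b = 0 encrypts zeros."""
    keys = [ep_setup() for _ in range(n)]
    pks = [pk for pk, _ in keys]
    ys = [ep_enc(pks[i], keys[(i + 1) % n][1] if b else (0, 0), n) for i in range(n)]
    return pks, ys

def n_circular_adversary(pks, ys):
    """The talk's adversary: run the program shipped with y_1 on all ciphertexts."""
    cts = [ct for ct, _prog in ys]
    _ct1, prog1 = ys[0]
    return prog1(cts)  # 1 on a genuine key cycle, 0 (w.h.p.) on encryptions of 0

def run_circular_game(n, b):
    pks, ys = n_circular_challenger(n, b)
    return n_circular_adversary(pks, ys)

def run_hybrid_random_t(n):
    """First hybrid of the IND-CPA proof: a genuine cycle, but t in pk_1 replaced by
    a random string.  P'_1 then accepts nothing (w.h.p.), i.e. it is functionally
    the always-reject program, which is what the iO step exploits next."""
    keys = [ep_setup() for _ in range(n)]
    pks = [pk for pk, _ in keys]
    ys = [ep_enc(pks[i], keys[(i + 1) % n][1], n) for i in range(n)]
    prog1 = make_program(keys[1 % n][1], pks[0][0], secrets.token_bytes(32), n)
    return prog1([ct for ct, _prog in ys])

if __name__ == "__main__":
    print("cycle    ->", run_circular_game(3, 1))  # 1: the cycle is detected
    print("zeros    ->", run_circular_game(3, 0))  # 0: nothing to detect
    print("random t ->", run_hybrid_random_t(3))   # 0: hybrid program never accepts
```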


More information

Practical Yet Universally Composable Two-Server Password-Authenticated Secret Sharing

Practical Yet Universally Composable Two-Server Password-Authenticated Secret Sharing Practical Yet Universally Composable Two-Server Password-Authenticated Secret Sharing Jan Camenisch (IBM Research Zurich) Anna Lysyanskaya (Brown University) Gregory Neven (IBM Research Zurich) Password

More information

Secure Deduplication of Encrypted Data without Additional Independent Servers

Secure Deduplication of Encrypted Data without Additional Independent Servers Secure Deduplication of Encrypted Data without Additional Independent Servers Jian Liu Aalto University [email protected] N. Asokan Aalto University and University of Helsinki [email protected] Benny Pinkas

More information

A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem

A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem Jintai Ding, Xiang Xie, Xiaodong Lin University of Cincinnati Chinese Academy of Sciences Rutgers University Abstract.

More information

Indistinguishability Obfuscation for Turing Machines with Unbounded Memory

Indistinguishability Obfuscation for Turing Machines with Unbounded Memory Indistinguishability Obfuscation for Turing Machines with Unbounded Memory Venkata Koppula [email protected] Allison Bishop Lewko [email protected] Brent Waters [email protected] Abstract

More information

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

More information

Verifiable Delegation of Computation over Large Datasets

Verifiable Delegation of Computation over Large Datasets Verifiable Delegation of Computation over Large Datasets Siavosh Benabbas University of Toronto Rosario Gennaro IBM Research Yevgeniy Vahlis AT&T Cloud Computing Data D Code F Y F(D) Cloud could be malicious

More information

Authentication and Encryption: How to order them? Motivation

Authentication and Encryption: How to order them? Motivation Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in

More information

Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

More information

Privacy and Security in Cloud Computing

Privacy and Security in Cloud Computing Réunion CAPPRIS 21 mars 2013 Monir Azraoui, Kaoutar Elkhiyaoui, Refik Molva, Melek Ӧnen Slide 1 Cloud computing Idea: Outsourcing Ø Huge distributed data centers Ø Offer storage and computation Benefit:

More information

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm An extended abstract of this paper appears in Tatsuaki Okamoto, editor, Advances in Cryptology ASIACRYPT 2000, Volume 1976 of Lecture Notes in Computer Science, pages 531 545, Kyoto, Japan, December 3

More information

CS155. Cryptography Overview

CS155. Cryptography Overview CS155 Cryptography Overview Cryptography Is n A tremendous tool n The basis for many security mechanisms Is not n The solution to all security problems n Reliable unless implemented properly n Reliable

More information

Introduction. Digital Signature

Introduction. Digital Signature Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

More information

Authenticated encryption

Authenticated encryption Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida [email protected] October 16th, 2013 Active attacks on CPA-secure encryption

More information

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen - Huawei, Singapore Ye Zhang - Pennsylvania State University, USA Siu Ming

More information

CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014.

CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014. CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014. Instructor: Sharon Goldberg March 25, 2014. 9:30-10:50 AM. One-sided handwritten aid sheet allowed. No cell phone or calculators

More information

Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures. Prof. Zeph Grunschlag Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each

More information

3-6 Toward Realizing Privacy-Preserving IP-Traceback

3-6 Toward Realizing Privacy-Preserving IP-Traceback 3-6 Toward Realizing Privacy-Preserving IP-Traceback The IP-traceback technology enables us to trace widely spread illegal users on Internet. However, to deploy this attractive technology, some problems

More information

Practical Yet Universally Composable Two-Server Password-Authenticated Secret Sharing

Practical Yet Universally Composable Two-Server Password-Authenticated Secret Sharing Practical Yet Universally Composable Two-Server Password-Authenticated Secret Sharing Jan Camenisch IBM Research Zurich [email protected] Anna Lysyanskaya Brown University [email protected] Gregory Neven

More information

1 Signatures vs. MACs

1 Signatures vs. MACs CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

More information

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6. 1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

More information

Computing Blindfolded: New Developments in Fully Homomorphic Encryption

Computing Blindfolded: New Developments in Fully Homomorphic Encryption Computing Blindfolded: New Developments in Fully Homomorphic Encryption Vinod Vaikuntanathan University of Toronto Abstract A fully homomorphic encryption scheme enables computation of arbitrary functions

More information

On the Security of the Tor Authentication Protocol

On the Security of the Tor Authentication Protocol On the Security of the Tor Authentication Protocol Ian Goldberg David R. Cheriton School of Computer Science, University of Waterloo, 00 University Ave W, Waterloo, ON NL 3G1 [email protected] Abstract.

More information

Chapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes

Chapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret

More information

Efficient and Secure Authenticated Key Exchange Using Weak Passwords

Efficient and Secure Authenticated Key Exchange Using Weak Passwords Efficient and Secure Authenticated Key Exchange Using Weak Passwords Jonathan Katz Rafail Ostrovsky Moti Yung Abstract Mutual authentication and authenticated key exchange are fundamental techniques for

More information

Victor Shoup Avi Rubin. fshoup,[email protected]. Abstract

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,[email protected] Abstract In this paper, we investigate a method by which smart

More information

QUT Digital Repository: http://eprints.qut.edu.au/

QUT Digital Repository: http://eprints.qut.edu.au/ QUT Digital Repository: http://eprints.qut.edu.au/ Suriadi, Suriadi and Foo, Ernest and Josang, Audun (2009) A user-centric federated single sign-on system. Journal of Network and Computer Applications,

More information

Digital Signatures. What are Signature Schemes?

Digital Signatures. What are Signature Schemes? Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counter-parts of the message authentication schemes in the public

More information

Certificate Based Signature Schemes without Pairings or Random Oracles

Certificate Based Signature Schemes without Pairings or Random Oracles Certificate Based Signature Schemes without Pairings or Random Oracles p. 1/2 Certificate Based Signature Schemes without Pairings or Random Oracles Joseph K. Liu, Joonsang Baek, Willy Susilo and Jianying

More information

Patient Controlled Encryption: Ensuring Privacy of Electronic Medical Records

Patient Controlled Encryption: Ensuring Privacy of Electronic Medical Records Patient Controlled Encryption: Ensuring Privacy of Electronic Medical Records Josh Benaloh, Melissa Chase, Eric Horvitz, and Kristin Lauter Microsoft Research Redmond, WA, USA {benaloh,melissac,horvitz,klauter}@microsoft.com

More information

Multi-Channel Broadcast Encryption

Multi-Channel Broadcast Encryption Multi-Channel Broadcast Encryption Duong Hieu Phan 1,2, David Pointcheval 2, and Viet Cuong Trinh 1 1 LAGA, University of Paris 8 2 ENS / CNRS / INRIA Abstract. Broadcast encryption aims at sending a content

More information

An Application of the Goldwasser-Micali Cryptosystem to Biometric Authentication

An Application of the Goldwasser-Micali Cryptosystem to Biometric Authentication The 12th Australasian Conference on Information Security and Privacy (ACISP 07). (2 4 july 2007, Townsville, Queensland, Australia) J. Pieprzyk Ed. Springer-Verlag, LNCS????, pages??????. An Application

More information

DAC-MACS: Effective Data Access Control for Multiauthority Cloud Storage Systems

DAC-MACS: Effective Data Access Control for Multiauthority Cloud Storage Systems 1 DAC-MACS: Effective Data Access Control for Multiauthority Cloud Storage Systems Kan Yang Student Member IEEE Xiaohua Jia Fellow IEEE Kui Ren Senior Member IEEE Bo Zhang Student Member IEEE and Ruitao

More information

Talk announcement please consider attending!

Talk announcement please consider attending! Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically

More information

ANONIZE: A Large-Scale Anonymous Survey System

ANONIZE: A Large-Scale Anonymous Survey System ANONIZE: A Large-Scale Anonymous Survey System Susan Hohenberger Johns Hopkins University [email protected] Steven Myers Indiana University [email protected] Rafael Pass Cornell University [email protected]

More information

Advanced Cryptography

Advanced Cryptography Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

More information