DOCSLIB.ORG

Cryptographic Resilience to Continual Information Leakage

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Cryptographic Resilience to Continual Information Leakage by Daniel Wichs A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy Department of Computer Science New York University September, 2011 Professor Yevgeniy Dodis c Daniel Wichs All Rights Reserved, 2011 \It is a very sad thing that nowadays there is so little useless information." Oscar Wilde \BLMAR XnL csG cch BLDng asGL." Minoan Proverb To Elizabeth iv Acknowledgements Foremost, I would like to thank my advisor, Yevgeniy Dodis, for teaching me how to do research. I have always admired and tried to learn from Yevgeniy's enthusiasm in pursuing all kinds of new research problems, finding connections between different areas, and forging better abstractions and ways of understand- ing results. Most of all, I am grateful for the abundance of energy that Yevgeniy brought to our many collaborations. After long brainstorming sessions with Yev- geniy, I would usually emerge exhausted and slightly dazed, but also tremendously excited about the many new problems, ideas and directions that I couldn't wait to pursue. From Yevgeniy, I learned that research can be a lot of fun. Next, I would like to thank my many other mentors and their respective insti- tutions, who supported me both intellectually and financially during my summer internships: Ivan Damg˚ardand Jesper Buus Nielsen at the University of Arhus˚ in Denmark, Juan Garay at Bell Laboratories (now at AT&T), Yael Tauman Kalai at Microsoft Research, and Tal Rabin and the crypto group at IBM Research T.J. Watson. Spending my summers away from NYU allowed me to get a much broader view of research areas, institutions, and approaches, than I would have had oth- erwise. In particular, I thank Ivan and Jesper for having the patience to work with me while I was still learning the most basic concepts of cryptography, Juan for much useful advice on research, espresso, single malt scotch, and many other aspects of life, Yael for her great enthusiasm and encouragement in the research topics relating to this thesis, and Tal for providing a truly fantastic and fun place to do research. I wish to thank Moni Naor at the Weizmann Institute of Science in Israel, Stefan Dziembowski at University of Rome La Sapienza, and Krzysztof Pietrzak at CWI Amsterdam for arranging research visits to their respective insti- tutions. These visits turned out to be highly productive and great deal of fun. I would also like to thank Jo¨elAlwen, with whom I have collaborated on several results related to this thesis and discussed almost every conceivable topic in cryp- tography. I truly enjoyed and learned much from these enlightening conversations. I also thank Victor Shoup and the rest of the NYU cryptography group for all their support. The results in this thesis emerged from joint works with Yevgeniy Dodis, Kristiyan Haralambiev, Adriana L`opez-Alt, Allison Lewko and Brent Waters. I thank them all for the many wonderful discussions and for all their hard work. I thank my parents, Tomas and Adela, and my brother David, who first intro- duced me to the world and its many exciting mysteries. My parents made many sacrifices to ensure that I get a great education, and this thesis would not have been possible otherwise. Last, but certainly not least, I thank Elizabeth for all her love, support, en- couragement, patience and care. v Abstract In this thesis, we study the question of achieving cryptographic security on devices that leak information about their internal secret state to an external at- tacker. This study is motivated by the prevalence of side-channel attacks, where the physical characteristics of a computation (e.g. timing, power-consumption, temperature, radiation, acoustics, etc.) can be measured, and may reveal use- ful information about the internal state of a device. Since some such leakage is inevitably present in almost any physical implementation, we believe that this problem cannot just be addressed by physical countermeasures alone. Instead, it should already be taken into account when designing the mathematical specifica- tion of cryptographic primitives and included in the formal study of their security. In this thesis, we propose a new formal framework for modeling the leakage available to an attacker. This framework, called the continual leakage model, as- sumes that an attacker can continually learn arbitrary information about the inter- nal secret state of a cryptographic scheme at any point in time, subject only to the constraint that the rate of leakage is bounded. More precisely, our model assumes some abstract notion of time periods. In each such period, the attacker can choose to learn arbitrary functions of the current secret state of the scheme, as long as the number of output bits leaked is not too large. In our solutions, cryptographic schemes will continually update their internal secret state at the end of each time period. This will ensure that leakage observed in different time periods cannot be meaningfully combined to break the security of the cryptosystem. Although these updates modify the secret state of the cryptosystem, the desired functionality of the scheme is preserved, and the users can remain oblivious to these updates. We construct signatures, encryption, and secret sharing/storage schemes in this model. vi Contents Dedication................................... iv Acknowledgements..............................v Abstract.................................... vi List of Figures.................................x 1 Introduction1 2 Prior Models and Results4 2.1 Models of Full Leakage.........................4 2.1.1 Threshold Cryptography....................4 2.1.2 Forward Security........................5 2.1.3 Key-Insulated Cryptography..................5 2.2 Models of Partial Leakage.......................6 2.2.1 Oblivious RAMs........................6 2.2.2 Exposure resilient cryptography................6 2.2.3 Private circuits.........................7 2.2.4 Private Circuits for AC0 and Noisy Leakage.........8 2.2.5 Only Computation Leaks Information (OCLI)........9 2.2.6 The Bounded-Leakage Model................. 10 2.3 Tampering and Active Physical Attacks................ 14 3 The Continual-Leakage Model and Overview of Results 16 3.1 Overview of the CLM.......................... 16 3.2 CLR One-Way Relations and Signatures............... 18 3.3 CLR Public-Key Encryption...................... 19 3.4 CLR Secret Sharing (Storage)..................... 20 4 Preliminaries 24 4.1 Statistical Distance, Entropy, Extractors............... 25 4.2 Linear Algebra Notation........................ 27 4.3 Computational Hardness Assumptions................ 28 4.4 Public-Key Encryption......................... 30 vii 4.5 Non-Interactive Zero Knowledge (NIZK)............... 32 5 CLR One-Way Relations, Signatures 34 5.1 Modeling Leakage............................ 34 5.2 Defining CLR-OWR.......................... 35 5.2.1 One-Way Relations....................... 35 5.2.2 OWRs in the Bounded-Leakage Model............ 35 5.2.3 OWRs in the Continual Leakage Model............ 37 5.3 Construction (Part I): Continuous Leakage from Bounded Leakage............. 38 5.4 Construction (Part II): Generic Components............. 43 5.4.1 Syntax of Construction and Hardness Properties....... 43 5.4.2 Re-randomization via Homomorphisms............ 46 5.4.3 Leakage-Indistinguishability.................. 48 5.4.4 Summary of Component Requirements............ 50 5.5 Construction (Part III): Instantiating the Components..................... 51 5.5.1 The encryption scheme E1 ................... 51 5.5.2 The encryption scheme E2 ................... 52 5.5.3 Homomorphic NIZKs...................... 56 5.5.4 The Final CLR-OWR Scheme................. 60 5.6 Security with Leaky Updates...................... 61 5.7 Signatures................................ 65 5.8 Advanced Primitives.......................... 69 5.8.1 Identification Schemes (ID).................. 69 5.8.2 Authenticated Key Agreement(AKA)............. 69 6 CLR Encryption 71 6.1 Definition................................ 71 6.2 Hiding Ranks and Subspaces...................... 73 6.3 Warm Up: Weakly Secure Constructions............... 77 6.3.1 The Bounded Leakage Model................. 77 6.3.2 Secret Leak-Free Updates (\Floppy Model")......... 79 6.3.3 Public Leak-Free Updates................... 82 6.3.4 The Difficulty with Leaking on Updates........... 85 6.4 Construction with Full Security.................... 86 6.5 Proof Part I: Alternate Distributions................. 88 6.6 Proof Part II: (Re)Programming Updates............... 89 6.7 Proof Part III. Series of Hybrids.................... 93 6.7.1 Informal Overview....................... 93 6.7.2 Hybrid Game Definitions.................... 96 viii 6.7.3 Hybrid Indistinguishability Arguments............ 98 6.7.4 Putting It All Together..................... 105 6.8 Generalization to k-Linear....................... 105 6.8.1 Scheme Description....................... 105 6.8.2 The Generalized Proof (Sketch)................ 106 7 CLR Secret Sharing and Storage 109 7.1 Definitions................................ 109 7.1.1 Continual-Leakage-Resilient Sharing (CLRS)......... 109 7.1.2 CLRS-Friendly Encryption................... 111 7.2 Construction.............................. 111 7.3 Proof of Security............................ 114 7.3.1 Hiding Orthogonality...................... 114 7.3.2 Alternate Distributions for Keys, Ciphertexts and Updates. 115 7.3.3 Overview of Hybrid Games..................
Recommended publications
  • Anna Lysyanskaya Curriculum Vitae

    Anna Lysyanskaya Curriculum Vitae

    Anna Lysyanskaya Curriculum Vitae Computer Science Department, Box 1910 Brown University Providence, RI 02912 (401) 863-7605 email: [email protected] http://www.cs.brown.edu/~anna Research Interests Cryptography, privacy, computer security, theory of computation. Education Massachusetts Institute of Technology Cambridge, MA Ph.D. in Computer Science, September 2002 Advisor: Ronald L. Rivest, Viterbi Professor of EECS Thesis title: \Signature Schemes and Applications to Cryptographic Protocol Design" Massachusetts Institute of Technology Cambridge, MA S.M. in Computer Science, June 1999 Smith College Northampton, MA A.B. magna cum laude, Highest Honors, Phi Beta Kappa, May 1997 Appointments Brown University, Providence, RI Fall 2013 - Present Professor of Computer Science Brown University, Providence, RI Fall 2008 - Spring 2013 Associate Professor of Computer Science Brown University, Providence, RI Fall 2002 - Spring 2008 Assistant Professor of Computer Science UCLA, Los Angeles, CA Fall 2006 Visiting Scientist at the Institute for Pure and Applied Mathematics (IPAM) Weizmann Institute, Rehovot, Israel Spring 2006 Visiting Scientist Massachusetts Institute of Technology, Cambridge, MA 1997 { 2002 Graduate student IBM T. J. Watson Research Laboratory, Hawthorne, NY Summer 2001 Summer Researcher IBM Z¨urich Research Laboratory, R¨uschlikon, Switzerland Summers 1999, 2000 Summer Researcher 1 Teaching Brown University, Providence, RI Spring 2008, 2011, 2015, 2017, 2019; Fall 2012 Instructor for \CS 259: Advanced Topics in Cryptography," a seminar course for graduate students. Brown University, Providence, RI Spring 2012 Instructor for \CS 256: Advanced Complexity Theory," a graduate-level complexity theory course. Brown University, Providence, RI Fall 2003,2004,2005,2010,2011 Spring 2007, 2009,2013,2014,2016,2018 Instructor for \CS151: Introduction to Cryptography and Computer Security." Brown University, Providence, RI Fall 2016, 2018 Instructor for \CS 101: Theory of Computation," a core course for CS concentrators.
  • Analysing Secret Sharing Schemes for Audio Sharing

    Analysing Secret Sharing Schemes for Audio Sharing

    International Journal of Computer Applications (0975 – 8887) Volume 137 – No.11, March 2016 Analysing Secret Sharing Schemes for Audio Sharing Seema Vyavahare Sonali Patil, PhD Department of Computer Engineering Department of Computer Engineering Pimpri Chinchwad College of Engineering Pimpri Chinchwad College of Engineering Pune-44 Pune-44 ABSTRACT which if cover data is attacked then the private data which is In various applications such as military applications, hidden may also lost. commercial music systems, etc. audio needs to be transmitted over the network. During transmission, there is risk of attack through wiretapping. Hence there is need of secure transmission of the audio. There are various cryptographic methods to protect such data using encryption key. However, such schemes become single point failure if encryption key get lost or stolen by intruder. That's why many secret sharing schemes came into picture. There are circumstances where an action is required to be executed by a group of people. Secret sharing is the technique in which secret is distributed among n participants. Each participant has unique secret share. Secret can be recovered only after sufficient number of shares (k out of n) combined together. In this way one can secure secret in reliable way. Fig.1 Information Security System In this paper we have proposed Audio Secret Sharing based on Li Bai's Secret Sharing scheme in Matrix Projection. Then Secret sharing scheme (SSS) [4] is the method of sharing the proposed scheme is critically analysed with the strengths secret information in scribbled shares among number of and weaknesses introduced into the scheme by comparing it partners who needs to work together.
  • Arxiv:2102.09041V3 [Cs.DC] 4 Jun 2021

    Arxiv:2102.09041V3 [Cs.DC] 4 Jun 2021

    Reaching Consensus for Asynchronous Distributed Key Generation ITTAI ABRAHAM, VMware Research, Israel PHILIPP JOVANOVIC, University College London, United Kingdom MARY MALLER, Ethereum Foundation, United Kingdom SARAH MEIKLEJOHN, University College London, United Kingdom and Google, United Kingdom GILAD STERN, The Hebrew University in Jerusalem, Israel ALIN TOMESCU, VMware Research, USA < = We give a protocol for Asynchronous Distributed Key Generation (A-DKG) that is optimally resilient (can withstand 5 3 faulty parties), has a constant expected number of rounds, has $˜ (=3) expected communication complexity, and assumes only the existence of a PKI. Prior to our work, the best A-DKG protocols required Ω(=) expected number of rounds, and Ω(=4) expected communication. Our A-DKG protocol relies on several building blocks that are of independent interest. We define and design a Proposal Election (PE) protocol that allows parties to retrospectively agree on a valid proposal after enough proposals have been sent from different parties. With constant probability the elected proposal was proposed by a nonfaulty party. In building our PE protocol, we design a Verifiable Gather protocol which allows parties to communicate which proposals they have and have not seen in a verifiable manner. The final building block to our A-DKG is a Validated Asynchronous Byzantine Agreement (VABA) protocol. We use our PE protocol to construct a VABA protocol that does not require leaders or an asynchronous DKG setup. Our VABA protocol can be used more generally when it is not possible to use threshold signatures. 1 INTRODUCTION In this work we study Decentralized Key Generation in the Asynchronous setting (A-DKG).
  • CHURP: Dynamic-Committee Proactive Secret Sharing

    CHURP: Dynamic-Committee Proactive Secret Sharing

    CHURP: Dynamic-Committee Proactive Secret Sharing Sai Krishna Deepak Maram∗† Cornell Tech Fan Zhang∗† Lun Wang∗ Andrew Low∗ Cornell Tech UC Berkeley UC Berkeley Yupeng Zhang∗ Ari Juels∗ Dawn Song∗ Texas A&M Cornell Tech UC Berkeley ABSTRACT most important resources—money, identities [6], etc. Their loss has We introduce CHURP (CHUrn-Robust Proactive secret sharing). serious and often irreversible consequences. CHURP enables secure secret-sharing in dynamic settings, where the An estimated four million Bitcoin (today worth $14+ Billion) have committee of nodes storing a secret changes over time. Designed for vanished forever due to lost keys [69]. Many users thus store their blockchains, CHURP has lower communication complexity than pre- cryptocurrency with exchanges such as Coinbase, which holds at vious schemes: O¹nº on-chain and O¹n2º off-chain in the optimistic least 10% of all circulating Bitcoin [9]. Such centralized key storage case of no node failures. is also undesirable: It erodes the very decentralization that defines CHURP includes several technical innovations: An efficient new blockchain systems. proactivization scheme of independent interest, a technique (using An attractive alternative is secret sharing. In ¹t;nº-secret sharing, asymmetric bivariate polynomials) for efficiently changing secret- a committee of n nodes holds shares of a secret s—usually encoded sharing thresholds, and a hedge against setup failures in an efficient as P¹0º of a polynomial P¹xº [73]. An adversary must compromise polynomial commitment scheme. We also introduce a general new at least t +1 players to steal s, and at least n−t shares must be lost technique for inexpensive off-chain communication across the peer- to render s unrecoverable.
  • Improved Threshold Signatures, Proactive Secret Sharing, and Input Certification from LSS Isomorphisms

    Improved Threshold Signatures, Proactive Secret Sharing, and Input Certification from LSS Isomorphisms

    Improved Threshold Signatures, Proactive Secret Sharing, and Input Certification from LSS Isomorphisms Diego F. Aranha1, Anders Dalskov2, Daniel Escudero1, and Claudio Orlandi1 1 Aarhus University, Denmark 2 Partisia, Denmark Abstract. In this paper we present a series of applications steming from a formal treatment of linear secret-sharing isomorphisms, which are linear transformations between different secret-sharing schemes defined over vector spaces over a field F and allow for efficient multiparty conversion from one secret-sharing scheme to the other. This concept generalizes the folklore idea that moving from a secret-sharing scheme over Fp to a secret sharing \in the exponent" can be done non-interactively by multiplying the share unto a generator of e.g., an elliptic curve group. We generalize this idea and show that it can also be used to compute arbitrary bilinear maps and in particular pairings over elliptic curves. We include the following practical applications originating from our framework: First we show how to securely realize the Pointcheval-Sanders signature scheme (CT-RSA 2016) in MPC. Second we present a construc- tion for dynamic proactive secret-sharing which outperforms the current state of the art from CCS 2019. Third we present a construction for MPC input certification using digital signatures that we show experimentally to outperform the previous best solution in this area. 1 Introduction A(t; n)-secure secret-sharing scheme allows a secret to be distributed into n shares in such a way that any set of at most t shares are independent of the secret, but any set of at least t + 1 shares together can completely reconstruct the secret.
  • Cryptography Abstracts

    Cryptography Abstracts

    Cryptography Abstracts Saturday 10:15 – 12:15 Shafi Goldwasser, MIT Anna Lysyanskaya, Brown University Alice Silverberg, University of California, Irvine Nadia Heninger, UCSD Sunday 8:30 – 10:30 Tal Rabin, IBM Research Tal Malkin, Columbia University Allison Bishop Lewko, University of Texas, Austin Yael Tauman-Kalai, Microsoft Research – New England Saturday 10:15 – 12:15 On Probabilistic Proofs Shafi Goldwasser, MIT ABSTRACT Flavors and applications of verifiable random functions Anna Lysyanskaya, Brown University A random Boolean function is a function where for every input x, the value f(x) is truly random. A pseudorandom function is one where, even though f(x) can be deterministically computed from a small random "seed" s, no efficient algorithm can distinguish f from a random function upon querying it on inputs x1,...,xn of its choice. A verifiable random function (VRF) is a pseudorandom function that can be verified. That is to say, a VRF consists of four algorithms: Generate, Evaluate, Prove, Verify. Alice chooses uses Generate to pick her function f, Evaluate to evaluate it and compute y=f(x), Prove in order to compute a proof p(x) that y is indeed f(x). Bob can then use Verify in order to ascertain that it is indeed the case that y=f(x). At the same time, whenever Bob is not given a proof p(x) for a particular x, no efficient algorithm allows him to determine whether y=f(x) or is random. In this talk I will give a survey of verifiable random functions and their constructions and applications. Elliptic Curve Primality Tests for Numbers in Special Forms Alice Silverberg, University of California, Irvine In joint work with Alex Abatzoglou and Angela Wong, we use elliptic curves with complex multiplication to give primality proofs for integers of certain forms, generalizing earlier work of B.
  • Speeding-Up Verification of Digital Signatures Abdul Rahman Taleb, Damien Vergnaud

    Speeding-Up Verification of Digital Signatures Abdul Rahman Taleb, Damien Vergnaud

    Speeding-Up Verification of Digital Signatures Abdul Rahman Taleb, Damien Vergnaud To cite this version: Abdul Rahman Taleb, Damien Vergnaud. Speeding-Up Verification of Digital Signatures. Journal of Computer and System Sciences, Elsevier, 2021, 116, pp.22-39. 10.1016/j.jcss.2020.08.005. hal- 02934136 HAL Id: hal-02934136 https://hal.archives-ouvertes.fr/hal-02934136 Submitted on 27 Sep 2020 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Speeding-Up Verification of Digital Signatures Abdul Rahman Taleb1, Damien Vergnaud2, Abstract In 2003, Fischlin introduced the concept of progressive verification in cryptog- raphy to relate the error probability of a cryptographic verification procedure to its running time. It ensures that the verifier confidence in the validity of a verification procedure grows with the work it invests in the computation. Le, Kelkar and Kate recently revisited this approach for digital signatures and pro- posed a similar framework under the name of flexible signatures. We propose efficient probabilistic verification procedures for popular signature schemes in which the error probability of a verifier decreases exponentially with the ver- ifier running time. We propose theoretical schemes for the RSA and ECDSA signatures based on some elegant idea proposed by Bernstein in 2000 and some additional tricks.
  • Asynchronous Verifiable Secret Sharing and Proactive Cryptosystems

    Asynchronous Verifiable Secret Sharing and Proactive Cryptosystems

    Asynchronous Verifiable Secret Sharing and Proactive Ý Cryptosystems£ Christian Cachin Klaus Kursawe Anna LysyanskayaÞ Reto Strobl IBM Research Zurich Research Laboratory CH-8803 R¨uschlikon, Switzerland {cca,kku,rts}@zurich.ibm.com ABSTRACT However, when a threshold cryptosystem operates over a longer Verifiable secret sharing is an important primitive in distributed time period, it may not be realistic to assume that an adversary cor- cryptography. With the growing interest in the deployment of rupts only Ø servers during the entire lifetime of the system. Proac- threshold cryptosystems in practice, the traditional assumption of tive cryptosystems address this problem by operating in phases; a synchronous network has to be reconsidered and generalized to they can tolerate the corruption of up to Ø different servers dur- an asynchronous model. This paper proposes the first practical ing every phase [18]. They rely on the assumption that servers may verifiable secret sharing protocol for asynchronous networks. The erase data and on a special reboot procedure to remove the adver- protocol creates a discrete logarithm-based sharing and uses only sary from a corrupted server. The idea is to proactively reboot all a quadratic number of messages in the number of participating servers at the beginning of every phase, and to subsequently refresh servers. It yields the first asynchronous Byzantine agreement pro- the secret key shares such that in any phase, knowledge of shares tocol in the standard model whose efficiency makes it suitable for from previous phases does not give the adversary an advantage. use in practice. Proactive cryptosystems are another important ap- Thus, proactive cryptosystems tolerate a mobile adversary [20], plication of verifiable secret sharing.
  • September 21-23, 2021 Women in Security and Cryptography Workshop

    September 21-23, 2021 Women in Security and Cryptography Workshop

    September 21-23, 2021 Women in Security and Cryptography Workshop Our WISC- Speakers Our WISC-Speakers Adrienne Porter Felt, Google BIO. Adrienne is a Director of Engineering at Google, where she leads Chrome’s Data Science, content ecosystem, and iOS teams. Previously, Adrienne founded and led Chrome’s usable security team. She is best known externally for her work on moving the web to HTTPS, earning her recognition as one of MIT Technology Review’s Innovators Under 35. Adrienne holds a PhD from UC Berkeley, and most of her academic publications are on usable security for browsers and mobile operating systems. Copyright: Adrienne Porter Felt Carmela Troncoso, École polytechnique fédérale de Lausanne BIO. Carmela Troncoso is an assistant professor at EPFL, Switzerland, where she heads the SPRING Lab. Her work focuses on analyzing, building, and deploying secure and privacy-preserving systems. Carmela holds a PhD in Engineering from KULeuven. Her thesis, Design and Analysis Methods for Privacy Technologies, received the European Research Consortium for Informatics and Mathematics Security and Trust Management Best PhD Thesis Award, and her work on Privacy Engineering received the CNIL-INRIA Privacy Protection Award in 2017. She has been named 40 under 40 in technology by Fortune in 2020. Copyright: Carmela Troncoso Elette Boyle, IDC Herzliya BIO. Elette Boyle is an Associate Professor, and Director of the FACT (Foundations & Applications of Cryptographic Theory) Research Center, at IDC Herzliya, Israel. She received her PhD from MIT, and served as a postdoctoral researcher at Cornell University and at the Technion Israel. Elette's research focuses on secure multi- party computation, secret sharing, and distributed algorithm design.
  • Program of the NIST Workshop on Multi-Party Threshold Schemes MPTS 2020 — Virtual Event (November 4–6, 2020)

    Program of the NIST Workshop on Multi-Party Threshold Schemes MPTS 2020 — Virtual Event (November 4–6, 2020)

    MPTS 2020 program (updated November 20, 2020) Program of the NIST Workshop on Multi-Party Threshold Schemes MPTS 2020 — Virtual event (November 4–6, 2020) https://csrc.nist.gov/events/2020/mpts2020 # Hour Speaker(s) Topic (not the title) — 09:15–09:35 — Virtual arrival 1a1 09:35–10:00 Luís Brandão Workshop introduction 1a2 10:00–10:25 Berry Schoenmakers Publicly verifiable secret sharing Talks 1a3 10:25–10:50 Ivan Damgård Active security with honest majority — 10:50–11:05 — Break 1b1 11:05–11:30 Tal Rabin MPC in the YOSO model 1b2 11:30–11:55 Nigel Smart Threshold HashEdDSA (deterministic) Talks 1b3 11:55–12:20 Chelsea Komlo Threshold Schnorr (probabilistic) November 4 — 12:20–12:30 — Break 1c1 12:30–12:36 Yashvanth Kondi Threshold Schnorr (deterministic) 1c2 12:36–12:42 Akira Takahashi PQ Threshold signatures 1c3 12:42–12:48 Jan Willemson PQ Threshold schemes Briefs 1c4 12:48–12:54 Saikrishna Badrinarayanan Threshold bio-authentication — 12:54–13:00+ — Day closing — 09:15–09:35 — Virtual arrival 2a1 09:35–10:00 Yehuda Lindell Diverse multiparty settings 2a2 10:00–10:25 Ran Canetti General principles (composability, ...) Talks 2a3 10:25–10:50 Yuval Ishai Pseudorandom correlation generators — 10:50–11:05 — Break 2b1 11:05–11:30 Emmanuela Orsini & Peter Scholl Oblivious transfer extension 2b2 11:30–11:55 Vladimir Kolesnikov Garbled circuits Talks 2b3 11:55–12:20 Xiao Wang Global scale threshold AES — 12:20–12:30 — Break November 5 2c1 12:30–12:36 Xiao Wang Garbled circuits 2c2 12:36–12:42 Jakob Pagter MPC-based Key-management 2c3 12:42–12:48
  • Further Simplifications in Proactive RSA Signatures

    Further Simplifications in Proactive RSA Signatures

    Further Simplifications in Proactive RSA Signatures Stanislaw Jarecki and Nitesh Saxena School of Information and Computer Science, UC Irvine, Irvine, CA 92697, USA {stasio, nitesh}@ics.uci.edu Abstract. We present a new robust proactive (and threshold) RSA sig- nature scheme secure with the optimal threshold of t<n/2 corruptions. The new scheme offers a simpler alternative to the best previously known (static) proactive RSA scheme given by Tal Rabin [36], itself a simpli- fication over the previous schemes given by Frankel et al. [18, 17]. The new scheme is conceptually simple because all the sharing and proac- tive re-sharing of the RSA secret key is done modulo a prime, while the reconstruction of the RSA signature employs an observation that the secret can be recovered from such sharing using a simple equation over the integers. This equation was first observed and utilized by Luo and Lu in a design of a simple and efficient proactive RSA scheme [31] which was not proven secure and which, alas, turned out to be completely in- secure [29] due to the fact that the aforementioned equation leaks some partial information about the shared secret. Interestingly, this partial information leakage can be proven harmless once the polynomial sharing used by [31] is replaced by top-level additive sharing with second-level polynomial sharing for back-up. Apart of conceptual simplicity and of new techniques of independent interests, efficiency-wise the new scheme gives a factor of 2 improvement in speed and share size in the general case, and almost a factor of 4 im- provement for the common RSA public exponents 3, 17, or 65537, over the scheme of [36] as analyzed in [36].
  • A Computational Introduction to Number Theory and Algebra: Second Edition Victor Shoup Frontmatter More Information

    A Computational Introduction to Number Theory and Algebra: Second Edition Victor Shoup Frontmatter More Information

    Cambridge University Press 978-0-521-51644-0 - A Computational Introduction to Number Theory and Algebra: Second Edition Victor Shoup Frontmatter More information ACOMPUTATIONALINTRODUCTION TONUMBERTHEORYANDALGEBRA Second Edition © in this web service Cambridge University Press www.cambridge.org Cambridge University Press 978-0-521-51644-0 - A Computational Introduction to Number Theory and Algebra: Second Edition Victor Shoup Frontmatter More information © in this web service Cambridge University Press www.cambridge.org Cambridge University Press 978-0-521-51644-0 - A Computational Introduction to Number Theory and Algebra: Second Edition Victor Shoup Frontmatter More information ACOMPUTATIONAL INTRODUCTIONTONUMBER THEORYANDALGEBRA Second Edition VICTORSHOUP © in this web service Cambridge University Press www.cambridge.org Cambridge University Press 978-0-521-51644-0 - A Computational Introduction to Number Theory and Algebra: Second Edition Victor Shoup Frontmatter More information cambridge university press Cambridge, New York, Melbourne, Madrid, Cape Town, Singapore, São Paulo, Delhi, Mexico City Cambridge University Press The Edinburgh Building, Cambridge cb2 8ru, UK Published in the United States of America by Cambridge University Press, New York www.cambridge.org Information on this title: www.cambridge.org/9780521516440 © V. Shoup 2009 This publication is in copyright. Subject to statutory exception and to the provisions of relevant collective licensing agreements, no reproduction of any part may take place without the written permission of Cambridge University Press. First published 2009 A catalogue record for this publication is available from the British Library isbn 978-0-521-51644-0 Hardback Cambridge University Press has no responsibility for the persistence or accuracy of URLs for external or third-party internet websites referred to in this publication, and does not guarantee that any content on such websites is, or will remain, accurate or appropriate.