DOCSLIB.ORG

Public-Key Cryptography Theory and Practice

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Public-Key Cryptography Theory and Practice Encryption Digital Signatures Entity Authentication Public-key Cryptography Theory and Practice Abhijit Das Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 5: Cryptographic Algorithms Public-key Cryptography: Theory and Practice Abhijit Das Encryption RSA and ElGamal Encryption Digital Signatures Probabilistic Encryption Entity Authentication Diffie-Hellman Key Exchange Common Encryption Algorithms Encryption algorithm Security depends on RSA encryption Integer factoring problem ElGamal encryption DHP (DLP) Rabin encryption Square-root problem Goldwasser-Micali encryption Quadratic residuosity problem Blum-Goldwasser encryption Square-root problem Chor-Rivest encryption Subset sum problem XTR DLP NTRU Closest vector problem in lattices Public-key Cryptography: Theory and Practice Abhijit Das Encryption RSA and ElGamal Encryption Digital Signatures Probabilistic Encryption Entity Authentication Diffie-Hellman Key Exchange RSA Encryption Key generation The recipient generates two random large primes p, q, computes n = pq and φ(n) = (p 1)(q 1), finds a − − random integer e with gcd(e, φ(n)) = 1, and determines an integer d with ed 1 (mod φ(n)). ≡ Public key: (n, e). Private key: (n, d). Encryption Input: Plaintext m Zn and the recipient’s public key (n, e). ∈ Output: Ciphertext c me (mod n). ≡ Decryption Input: Ciphertext c and the recipient’s private key (n, d). Output: Plaintext m cd (mod n). ≡ Public-key Cryptography: Theory and Practice Abhijit Das Encryption RSA and ElGamal Encryption Digital Signatures Probabilistic Encryption Entity Authentication Diffie-Hellman Key Exchange RSA Encryption: Example Let p = 257, q = 331, so that n = pq = 85067 and φ(n) = (p 1)(q 1)= 84480. Take e = 7, so that − − − d e 1 60343 (mod φ(n)). ≡ ≡ Public key: (85067, 7). Private key: (85067, 60343). Let m = 34152. Then c me (34152)7 53384 (mod n). ≡ ≡ ≡ Recover m cd (53384)60343 34152 (mod n). ≡ ≡ ≡ Decryption by an exponent d ′ other than d does not give back m. For example, take d ′ = 38367. We have ′ m′ cd (53384)38367 71303 (mod n). ≡ ≡ ≡ Public-key Cryptography: Theory and Practice Abhijit Das Encryption RSA and ElGamal Encryption Digital Signatures Probabilistic Encryption Entity Authentication Diffie-Hellman Key Exchange Why RSA Works? Assume that m Z∗. By Euler’s theorem, mφ(n) 1 (mod n). ∈ n ≡ Now, ed 1 (mod φ(n)), that is, ed = 1 + kφ(n) for some integer k.≡ Therefore, k cd med m1+kφ(n) m mφ(n) m 1k m (mod n). ≡ ≡ ≡ × ≡ × ≡ Note: The message can be recovered uniquely even when m / Z∗. ∈ n Public-key Cryptography: Theory and Practice Abhijit Das Encryption RSA and ElGamal Encryption Digital Signatures Probabilistic Encryption Entity Authentication Diffie-Hellman Key Exchange Security of RSA If n can be factored, φ(n) can be computed and so d can be determined from e by extended gcd computation. Once d is known, any ciphertext can be decrypted. At present, no other method is known to decrypt RSA-encrypted messages. RSA derives security from the intractability of the IFP. If e, d, n are known, there exists a probabilistic polynomial-time algorithm to factor n. So RSA key inversion is as difficult as IFP. But RSA decryption without the knowledge of d may be easier than factoring n. In practice, we require the size of n to be > 1024 bits with each of p, q having nearly half the size of n. Public-key Cryptography: Theory and Practice Abhijit Das Encryption RSA and ElGamal Encryption Digital Signatures Probabilistic Encryption Entity Authentication Diffie-Hellman Key Exchange How to Speed Up RSA? Encryption: Take small encryption exponent e (like the smallest prime not dividing φ(n)). Decryption: Small decryption exponents invite many attacks. Store n, e, d, p, q, d1, d2, h, where d1 = d rem (p 1), −1 − d2 = d rem (q 1) and h = q (mod p). − Carry out decryption as: d m1 = c 1 (mod p). d m2 = c 2 (mod q). t = h(m1 m2) (mod p). − m = m2 + tq. A speedup of about 4 is obtained. Public-key Cryptography: Theory and Practice Abhijit Das Encryption RSA and ElGamal Encryption Digital Signatures Probabilistic Encryption Entity Authentication Diffie-Hellman Key Exchange ElGamal Encryption Key generation The recipient selects a random big prime p and a primitive root g modulo p, chooses a random d 2, 3,..., p 2 , ∈ { − } and computes y gd (mod p). ≡ Public key: (p, g, y). Private key: (p, g, d). Encryption Input: Plaintext m Zp and recipient’s public key (p, g, y). ∈ Output: Ciphertext (s, t). Generate a random integer d ′ 2, 3,..., p 2 . ′ ∈ { ′ − } Compute s gd (mod p) and t my d (mod p). ≡ ≡ Decryption Input: Ciphertext (s, t) and recipient’s private key (p, g, d). Output: Recovered plaintext m ts−d (mod p). ≡ Public-key Cryptography: Theory and Practice Abhijit Das Encryption RSA and ElGamal Encryption Digital Signatures Probabilistic Encryption Entity Authentication Diffie-Hellman Key Exchange ElGamal Encryption (contd) ′ Correctness: We have s gd (mod p) and ′ ′ ≡ ′ t my d m(gd )d mgdd (mod p). Therefore, ≡ − ≡′ ′ −≡ − m tg dd t(gd ) d ts d (mod p). ≡ ≡ ≡ Example of ElGamal encryption Take p = 91573 and g = 67. The recipient chooses d = 23632 and so y (67)23632 87955 (mod p). Let m = 29485 be the≡ message to≡ be encrypted. The sender chooses d ′ = 1783 and computes ′ ′ s gd 52958 (mod p) and t my d 1597 (mod p). The≡ recipient≡ retrieves ≡ ≡ m ts−d 1597 (52958)−23632 29485 (mod p). ≡ ≡ × ≡ Public-key Cryptography: Theory and Practice Abhijit Das Encryption RSA and ElGamal Encryption Digital Signatures Probabilistic Encryption Entity Authentication Diffie-Hellman Key Exchange Security of ElGamal Encryption An eavesdropper knows g, p, y, s, t, where y gd (mod p) ′ ≡ and s gd (mod p). Determining m from (s, t) is ≡ ′ equivalent to computing gdd (mod p), since ′ t mgdd (mod p). (Here, m is masked by the quantity ≡′ ′ gdd (mod p).) But d, d are unknown to the attacker. So the ability to solve the DHP lets the eavesdropper break ElGamal encryption. Practically, we require p to be of size > 1024 bits for achieving a good level of security. Public-key Cryptography: Theory and Practice Abhijit Das Encryption RSA and ElGamal Encryption Digital Signatures Probabilistic Encryption Entity Authentication Diffie-Hellman Key Exchange Probabilistic Encryption To generate different ciphertext messages in different runs (for the same public key and plaintext message) Goldwasser-Micali Encryption Quadratic residuosity problem: For a composite integer a n and for an a with n = 1, determine whether a is a quadratic residue modulo n, that is, the whether the congruence x 2 a (mod n) is solvable. ≡ a Suppose n = pq (product of two primes). n = 1 implies a a either p = q = 1 (a is a quadratic residue) or a = a = 1 (a is a quadratic non-residue). p q − We know no methods other than factoring n to solve this problem. Public-key Cryptography: Theory and Practice Abhijit Das Encryption RSA and ElGamal Encryption Digital Signatures Probabilistic Encryption Entity Authentication Diffie-Hellman Key Exchange Goldwasser-Micali Encryption: Key Generation Choose two large primes p and q (of bit size > 512), and let n = pq. Generate random integers a, b with a = b = 1. p q − Use CRT to generate x (mod n) withx a (mod p) and ≡ x b (mod q). ≡ The Public key is (n, x), and the private key is p. Public-key Cryptography: Theory and Practice Abhijit Das Encryption RSA and ElGamal Encryption Digital Signatures Probabilistic Encryption Entity Authentication Diffie-Hellman Key Exchange Goldwasser-Micali Encryption Encryption The input is the r-bit plaintext message m1m2 . mr . Z∗ For each i = 1, 2,..., r, choose ai n randomly and mi 2 ∈ compute ci = x ai (mod n). ∗ r The ciphertext message is the r-tuple (c1, c2,..., cr ) (Z ) . ∈ n Decryption For i = 1, 2,..., r, take ci mi = 0 if p = 1, or m = 1 if ci = 1. i p − Public-key Cryptography: Theory and Practice Abhijit Das Encryption RSA and ElGamal Encryption Digital Signatures Probabilistic Encryption Entity Authentication Diffie-Hellman Key Exchange Goldwasser-Micali Encryption (contd) Correctness 2 If mi = 0, then ci = ai (mod n) is a quadratic residue modulo n (and so modulo p and q also). 2 If mi = 1, then ci = xai (mod n) Is a quadratic non-residue− modulo n (or modulo p and q). Remarks Probabilistic encryption: The ciphertext ci depends on the choice of ai . Message expansion: An r-bit plaintext message generates an rl-bit ciphertext message, where l = n . | | Without the knowledge of p (the private key), we do not know how to determine whether ci is a quadratic residue or not modulo n. Public-key Cryptography: Theory and Practice Abhijit Das Encryption RSA and ElGamal Encryption Digital Signatures Probabilistic Encryption Entity Authentication Diffie-Hellman Key Exchange Goldwasser-Micali Encryption: Example Key generation Take p = 653 and q = 751, so n = pq = 490403. Take a = 159 and b = 432, so x 313599 (mod n). ≡ The public-key is (490403, 313599) and the private key is 653. Encryption Let us encrypt the 3-bit message m1m2m3 = 101. 2 Choose a1 = 356217 and compute c1 xa1 398732 (mod n). ≡ 2 ≡ Choose a2 = 159819 and compute c2 a2 453312 (mod n). ≡ 2≡ Choose a3 = 482474 and compute c3 xa 12380 (mod n). ≡ 3 ≡ Decryption 398732 = 1, so m1 = 1. p − 453312 p = 1, so m2 = 0. 12380 = 1, so m = 1. p − 3 Public-key Cryptography: Theory and Practice Abhijit Das Encryption RSA and ElGamal Encryption Digital Signatures Probabilistic Encryption Entity Authentication Diffie-Hellman Key Exchange Diffie-Hellman Key Exchange Alice and Bob decide about a prime p and a primitive root g modulo p. Alice generates a random a 2, 3,..., p 2 and sends ∈ { − } ga (mod p) to Bob.
Load more

Recommended publications
  • Etsi Gr Qsc 001 V1.1.1 (2016-07)
    ETSI GR QSC 001 V1.1.1 (2016-07) GROUP REPORT Quantum-Safe Cryptography (QSC); Quantum-safe algorithmic framework 2 ETSI GR QSC 001 V1.1.1 (2016-07) Reference DGR/QSC-001 Keywords algorithm, authentication, confidentiality, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice The present document can be downloaded from: http://www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI.
    [Show full text]
  • Bilinear Map Cryptography from Progressively Weaker Assumptions
    Full version of an extended abstract published in Proceedings of CT-RSA 2013, Springer-Verlag, Feb. 2013. Available from the IACR Cryptology ePrint Archive as Report 2012/687. The k-BDH Assumption Family: Bilinear Map Cryptography from Progressively Weaker Assumptions Karyn Benson, Hovav Shacham ∗ Brent Watersy University of California, San Diego University of Texas at Austin fkbenson, [email protected] [email protected] February 4, 2013 Abstract Over the past decade bilinear maps have been used to build a large variety of cryptosystems. In addition to new functionality, we have concurrently seen the emergence of many strong assump- tions. In this work, we explore how to build bilinear map cryptosystems under progressively weaker assumptions. We propose k-BDH, a new family of progressively weaker assumptions that generalizes the de- cisional bilinear Diffie-Hellman (DBDH) assumption. We give evidence in the generic group model that each assumption in our family is strictly weaker than the assumptions before it. DBDH has been used for proving many schemes secure, notably identity-based and functional encryption schemes; we expect that our k-BDH will lead to generalizations of many such schemes. To illustrate the usefulness of our k-BDH family, we construct a family of selectively secure Identity-Based Encryption (IBE) systems based on it. Our system can be viewed as a generalization of the Boneh-Boyen IBE, however, the construction and proof require new ideas to fit the family. We then extend our methods to produces hierarchical IBEs and CCA security; and give a fully secure variant. In addition, we discuss the opportunities and challenges of building new systems under our weaker assumption family.
    [Show full text]
  • Circuit-Extension Handshakes for Tor Achieving Forward Secrecy in a Quantum World
    Proceedings on Privacy Enhancing Technologies ; 2016 (4):219–236 John M. Schanck*, William Whyte, and Zhenfei Zhang Circuit-extension handshakes for Tor achieving forward secrecy in a quantum world Abstract: We propose a circuit extension handshake for 2. Anonymity: Some one-way authenticated key ex- Tor that is forward secure against adversaries who gain change protocols, such as ntor [13], guarantee that quantum computing capabilities after session negotia- the unauthenticated peer does not reveal their iden- tion. In doing so, we refine the notion of an authen- tity just by participating in the protocol. Such pro- ticated and confidential channel establishment (ACCE) tocols are deemed one-way anonymous. protocol and define pre-quantum, transitional, and post- 3. Forward Secrecy: A protocol provides forward quantum ACCE security. These new definitions reflect secrecy if the compromise of a party’s long-term the types of adversaries that a protocol might be de- key material does not affect the secrecy of session signed to resist. We prove that, with some small mod- keys negotiated prior to the compromise. Forward ifications, the currently deployed Tor circuit extension secrecy is typically achieved by mixing long-term handshake, ntor, provides pre-quantum ACCE security. key material with ephemeral keys that are discarded We then prove that our new protocol, when instantiated as soon as the session has been established. with a post-quantum key encapsulation mechanism, Forward secret protocols are a particularly effective tool achieves the stronger notion of transitional ACCE se- for resisting mass surveillance as they resist a broad curity. Finally, we instantiate our protocol with NTRU- class of harvest-then-decrypt attacks.
    [Show full text]
  • One-Time and Interactive Aggregate Signatures from Lattices
    One-Time and Interactive Aggregate Signatures from Lattices Dan Boneh Sam Kim Stanford University Stanford University [email protected] [email protected] Abstract An aggregate signature scheme enables one to aggregate multiple signatures generated by different people on different messages into a short aggregate signature. We construct two signature aggregation schemes whose security is based on the standard SIS problem on lattices in the random oracle model. Our first scheme supports public aggregation of signatures, but for a one-time signature scheme. Our second scheme supports aggregation of signatures in a many-time signature scheme, but the aggregation process requires interaction among the signers. In both schemes, the size of the aggregate signature is at most logarithmic in the number of signatures being aggregated. 1 Introduction A signature scheme is a tuple of three algorithms: KeyGen generates a key pair (sk; pk), Sign(sk; m) ! σ signs a message m, and Verify(pk; m; σ) ! 0=1 verifies a signature σ on message m. A one-time signature is a signature scheme that is existentially unforgeable against an adversary that is given the public key and the signature on a single message of its choice. One-time signatures (OTS) have found many applications in cryptography. They are used to transform any existentially unforgeable signature into a strongly unforgeable signature [BS08], in several chosen-ciphertext secure public-key encryption constructions [DDN03, CHK04], in offline/online signatures [EGM96], and for authenticating streaming data [GR01]. The classic OTS scheme of Lamport [Lam79] and its Winternitz variant [BDE+13] shows that one-time signature schemes can be constructed from any one-way function.
    [Show full text]
  • Modern Cryptography: Lecture 13 Digital Signatures
    Modern Cryptography: Lecture 13 Digital Signatures Daniel Slamanig Organizational ● Where to find the slides and homework? – https://danielslamanig.info/ModernCrypto18.html ● ow to conta!t me? – [email protected] ● #utor: Karen Klein – [email protected] ● Offi!ial page at #', )o!ation et!. – https://tiss.tuwien.ac.at/!ourse/!o$rseDetails.+html?dswid=86-2&dsrid,6/0. !ourseNr,102262&semester,2018W ● #utorial, #U site – https://tiss.tuwien.ac.at/!ourse/!o$rseAnnouncement.+html?dswid=4200.dsr id,-51.!ourseNum6er,10206-.!ourseSemester,2018W ● 8+am for the se!ond part: Thursday 31.21.2210 15:00-1/:00 (Tutorial slot; 2/26 Overview Digital Signatures message m / :m( σ; secret key skA Inse!$re !hannel p$bli! key pkA p$bli! key pkA σ σ :, 7igskA:m; 6 :, =rfypkA:m( ; 3: pkA -/26 Digital Signatures: Intuitive Properties Can 6e seen as the p$6li!9key analog$e of M3Cs with p$6li! >erifiability ● Integrity protection: 3ny modifi!ation of a signed message !an 6e detected ● 7o$r!e a$thenti!ity: The sender of a signed message !an be identified ● Non9rep$diation: The signer !annot deny ha>ing signed :sent) a message 7e!$rity :intuition;: sho$ld 6e hard to !ome $p with a signat$re for a message that has not 6een signed by the holder of the pri>ate key 5/26 Digital Signatures: pplications *igital signat$res ha>e many applications and are at the heart of implementing p$6lic9key !ryptography in practice ● <ss$ing !ertifi!ates 6y CAs (?$6lic %ey <nfrastr$!t$res;: 6inding of identities to p$6lic keys ● @$ilding authenticated !hannels: a$thenti!ate parties :ser>ers; in sec$rity proto!ols :e.g.( TL7; or se!$re messaging :Whats3pp( 7ignal, ...; ● Code signing: a$thenti!ate software/firmware :$pdates; ● 7ign do!$ments :e.g.( !ontra!ts;: )egal reg$lations define when digital signat$res are eq$ivalent to handwritten signat$res ● 7ign transa!tions: $sed in the !rypto!$rren!y realm ● et!.
    [Show full text]
  • NSS: an NTRU Lattice –Based Signature Scheme
    ISSN(Online) : 2319 - 8753 ISSN (Print) : 2347 - 6710 International Journal of Innovative Research in Science, Engineering and Technology (An ISO 3297: 2007 Certified Organization) Vol. 4, Issue 4, April 2015 NSS: An NTRU Lattice –Based Signature Scheme S.Esther Sukila Department of Mathematics, Bharath University, Chennai, Tamil Nadu, India ABSTRACT: Whenever a PKC is designed, it is also analyzed whether it could be used as a signature scheme. In this paper, how the NTRU concept can be used to form a digital signature scheme [1] is described. I. INTRODUCTION Digital Signature Schemes The notion of a digital signature may prove to be one of the most fundamental and useful inventions of modern cryptography. A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. The creator of a message can attach a code, the signature, which guarantees the source and integrity of the message. A valid digital signature gives a recipient reason to believe that the message was created by a known sender and that it was not altered in transit. Digital signatures are commonly used for software distribution, financial transactions etc. Digital signatures are equivalent to traditional handwritten signatures. Properly implemented digital signatures are more difficult to forge than the handwritten type. 1.1A digital signature scheme typically consists of three algorithms A key generationalgorithm, that selects a private key uniformly at random from a set of possible private keys. The algorithm outputs the private key and a corresponding public key. A signing algorithm, that given a message and a private key produces a signature.
    [Show full text]
  • The Twin Diffie-Hellman Problem and Applications
    The Twin Diffie-Hellman Problem and Applications David Cash1 Eike Kiltz2 Victor Shoup3 February 10, 2009 Abstract We propose a new computational problem called the twin Diffie-Hellman problem. This problem is closely related to the usual (computational) Diffie-Hellman problem and can be used in many of the same cryptographic constructions that are based on the Diffie-Hellman problem. Moreover, the twin Diffie-Hellman problem is at least as hard as the ordinary Diffie-Hellman problem. However, we are able to show that the twin Diffie-Hellman problem remains hard, even in the presence of a decision oracle that recognizes solutions to the problem — this is a feature not enjoyed by the Diffie-Hellman problem in general. Specifically, we show how to build a certain “trapdoor test” that allows us to effectively answer decision oracle queries for the twin Diffie-Hellman problem without knowing any of the corresponding discrete logarithms. Our new techniques have many applications. As one such application, we present a new variant of ElGamal encryption with very short ciphertexts, and with a very simple and tight security proof, in the random oracle model, under the assumption that the ordinary Diffie-Hellman problem is hard. We present several other applications as well, including: a new variant of Diffie and Hellman’s non-interactive key exchange protocol; a new variant of Cramer-Shoup encryption, with a very simple proof in the standard model; a new variant of Boneh-Franklin identity-based encryption, with very short ciphertexts; a more robust version of a password-authenticated key exchange protocol of Abdalla and Pointcheval.
    [Show full text]
  • Lattice-Based Cryptography - a Comparative Description and Analysis of Proposed Schemes
    Lattice-based cryptography - A comparative description and analysis of proposed schemes Einar Løvhøiden Antonsen Thesis submitted for the degree of Master in Informatics: programming and networks 60 credits Department of Informatics Faculty of mathematics and natural sciences UNIVERSITY OF OSLO Autumn 2017 Lattice-based cryptography - A comparative description and analysis of proposed schemes Einar Løvhøiden Antonsen c 2017 Einar Løvhøiden Antonsen Lattice-based cryptography - A comparative description and analysis of proposed schemes http://www.duo.uio.no/ Printed: Reprosentralen, University of Oslo Acknowledgement I would like to thank my supervisor, Leif Nilsen, for all the help and guidance during my work with this thesis. I would also like to thank all my friends and family for the support. And a shoutout to Bliss and the guys there (you know who you are) for providing a place to relax during stressful times. 1 Abstract The standard public-key cryptosystems used today relies mathematical problems that require a lot of computing force to solve, so much that, with the right parameters, they are computationally unsolvable. But there are quantum algorithms that are able to solve these problems in much shorter time. These quantum algorithms have been known for many years, but have only been a problem in theory because of the lack of quantum computers. But with recent development in the building of quantum computers, the cryptographic world is looking for quantum-resistant replacements for today’s standard public-key cryptosystems. Public-key cryptosystems based on lattices are possible replacements. This thesis presents several possible candidates for new standard public-key cryptosystems, mainly NTRU and ring-LWE-based systems.
    [Show full text]
  • Blind Schnorr Signatures in the Algebraic Group Model
    An extended abstract of this work appears in EUROCRYPT’20. This is the full version. Blind Schnorr Signatures and Signed ElGamal Encryption in the Algebraic Group Model Georg Fuchsbauer1, Antoine Plouviez2, and Yannick Seurin3 1 TU Wien, Austria 2 Inria, ENS, CNRS, PSL, Paris, France 3 ANSSI, Paris, France first.last@{tuwien.ac.at,ens.fr,m4x.org} January 16, 2021 Abstract. The Schnorr blind signing protocol allows blind issuing of Schnorr signatures, one of the most widely used signatures. Despite its practical relevance, its security analysis is unsatisfactory. The only known security proof is rather informal and in the combination of the generic group model (GGM) and the random oracle model (ROM) assuming that the “ROS problem” is hard. The situation is similar for (Schnorr-)signed ElGamal encryption, a simple CCA2-secure variant of ElGamal. We analyze the security of these schemes in the algebraic group model (AGM), an idealized model closer to the standard model than the GGM. We first prove tight security of Schnorr signatures from the discrete logarithm assumption (DL) in the AGM+ROM. We then give a rigorous proof for blind Schnorr signatures in the AGM+ROM assuming hardness of the one-more discrete logarithm problem and ROS. As ROS can be solved in sub-exponential time using Wagner’s algorithm, we propose a simple modification of the signing protocol, which leaves the signatures unchanged. It is therefore compatible with systems that already use Schnorr signatures, such as blockchain protocols. We show that the security of our modified scheme relies on the hardness of a problem related to ROS that appears much harder.
    [Show full text]
  • Implementation and Performance Evaluation of XTR Over Wireless Network
    Implementation and Performance Evaluation of XTR over Wireless Network By Basem Shihada [email protected] Dept. of Computer Science 200 University Avenue West Waterloo, Ontario, Canada (519) 888-4567 ext. 6238 CS 887 Final Project 19th of April 2002 Implementation and Performance Evaluation of XTR over Wireless Network 1. Abstract Wireless systems require reliable data transmission, large bandwidth and maximum data security. Most current implementations of wireless security algorithms perform lots of operations on the wireless device. This result in a large number of computation overhead, thus reducing the device performance. Furthermore, many current implementations do not provide a fast level of security measures such as client authentication, authorization, data validation and data encryption. XTR is an abbreviation of Efficient and Compact Subgroup Trace Representation (ECSTR). Developed by Arjen Lenstra & Eric Verheul and considered a new public key cryptographic security system that merges high level of security GF(p6) with less number of computation GF(p2). The claim here is that XTR has less communication requirements, and significant computation advantages, which indicate that XTR is suitable for the small computing devices such as, wireless devices, wireless internet, and general wireless applications. The hoping result is a more flexible and powerful secure wireless network that can be easily used for application deployment. This project presents an implementation and performance evaluation to XTR public key cryptographic system over wireless network. The goal of this project is to develop an efficient and portable secure wireless network, which perform a variety of wireless applications in a secure manner. The project literately surveys XTR mathematical and theoretical background as well as system implementation and deployment over wireless network.
    [Show full text]
  • On Notions of Security for Deterministic Encryption, and Efficient Constructions Without Random Oracles
    A preliminary version of this paper appears in Advances in Cryptology - CRYPTO 2008, 28th Annual International Cryptology Conference, D. Wagner ed., LNCS, Springer, 2008. This is the full version. On Notions of Security for Deterministic Encryption, and Efficient Constructions without Random Oracles Alexandra Boldyreva∗ Serge Fehr† Adam O’Neill∗ Abstract The study of deterministic public-key encryption was initiated by Bellare et al. (CRYPTO ’07), who provided the “strongest possible” notion of security for this primitive (called PRIV) and con- structions in the random oracle (RO) model. We focus on constructing efficient deterministic encryption schemes without random oracles. To do so, we propose a slightly weaker notion of security, saying that no partial information about encrypted messages should be leaked as long as each message is a-priori hard-to-guess given the others (while PRIV did not have the latter restriction). Nevertheless, we argue that this version seems adequate for certain practical applica- tions. We show equivalence of this definition to single-message and indistinguishability-based ones, which are easier to work with. Then we give general constructions of both chosen-plaintext (CPA) and chosen-ciphertext-attack (CCA) secure deterministic encryption schemes, as well as efficient instantiations of them under standard number-theoretic assumptions. Our constructions build on the recently-introduced framework of Peikert and Waters (STOC ’08) for constructing CCA-secure probabilistic encryption schemes, extending it to the deterministic-encryption setting and yielding some improvements to their original results as well. Keywords: Public-key encryption, deterministic encryption, lossy trapdoor functions, leftover hash lemma, standard model. ∗ College of Computing, Georgia Institute of Technology, 266 Ferst Drive, Atlanta, GA 30332, USA.
    [Show full text]
  • Lecture 14: Elgamal Encryption, Hash Functions from DL, Prgs from DDH 1 Topics Covered 2 Recall 3 Key Agreement from the Diffie
    CS 7880 Graduate Cryptography October 29, 2015 Lecture 14: ElGamal Encryption, Hash Functions from DL, PRGs from DDH Lecturer: Daniel Wichs Scribe: Biswaroop Maiti 1 Topics Covered • Public Key Encryption • A Public Key Encryption from the DDH Assumption • El Gamal Encryption • CRHF from Discrete Log • PRG from DDH 2 Recall Recall the three number theoretic assumptions we saw last time. We will build Crypto- graphic schemes or protocols based on the hardness of these problems. Definition 1 (G; g; q) Groupgen(1n) } Assumption 1 DL Given g; gX , it is hard to find X. Assumption 2 Computational Diffie Hellman Given g; gX ; gY , it is hard to find gXY . Assumption 3 Decisional Diffie Hellman Given g; gX ; gY , it is hard to distinguish between gXY and gZ , where Z is chosen at random. (g; gX ; gY ; gXY ) ≈ (g; gX ; gY ; gZ ) 3 Key Agreement from the Diffie Helman scheme AB x Zq X hA = g −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−£ Y hB = g ¡−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− Y Zq X XY Y XY hB = g hA = g The keys agreed upon by A and B is gXY . Lecture 14, Page 1 It is interesting to note that in this scheme, A and B were able to agree upon a key without communicating about it. Each party generates a puzzle uniformly at random: A X Y generates hA = g , and B generates hB = g . Then, they send their puzzles to each other, and establish the key to be gXY . Proving this scheme is secure is equivalent to showing that the DDH assumption holds. 4 Public Key Encryption The general syntax of Public Key Encryption is the following.
    [Show full text]