Presentation is loading. Please wait.

Presentation is loading. Please wait.

Topics in Cryptography Lecture 8 Side Channels: PKC resilient to key leakage Lecturer: Moni Naor.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Topics in Cryptography Lecture 8 Side Channels: PKC resilient to key leakage Lecturer: Moni Naor."— Presentation transcript:

1 Topics in Cryptography Lecture 8 Side Channels: PKC resilient to key leakage Lecturer: Moni Naor

2 Recap: Side Channels Standard Model vs. physical implementation –Side channel: Any information not captured by the abstract “standard” model Timing attacks against secret exponentiation – With control on timing –Through a network –Protection: blinding Cache Attacks –Exploits which addresses are being accessed –Counter measure: Oblivious RAM Memory Attacks –DRAM retain information longer than thought – Defines a model: any short function of the key

3 3 Adversarial Models STANDARD MODEL: Abstract models of computation Interactive Turing machines Private memory, randomness... Well-defined adversarial access Can model powerful attacks REAL LIFE: Physical implementations leak information Adversarial access not always captured by abstract models E k (m)

4 4 Thesis of this course Many tools developed in the foundations of cryptography are helpful for protecting against side-channel attacks Proof by examples... and not only at implementation time Must incorporate side-channel attacks in the design of systems

5 Homework Timing attack of Kocher against RSA. Suppose: time of each multiplication involving y is distributed according to a normal distribution –With known parameters. – Independent of everything else! –Show that this allows to figure out given the first k-1 bits of the secret exponent the next bit.

6 Basic Timing This takes a while to compute This is instantaneous Whether iteration takes a long time depends on the k th bit of secret exponent Old observation: timing depends on number of 1’s If all multiplication take the same time: all you get

7 Not all multiplications were created equal Different timing given operands Assumption/Heuristic : timings of subsequent multiplications are independent –Given that we know the first k-1 bits of x –Given a guess for the k th bit of x –Time of remaining bits independent Given measurement of total time can see whether there is correlation between events: k th step is long Total time is long Exact timing Exact guess

8 Outline of Kocher’s Attack Idea: guess some bits of the exponent; –Predict how long decryption will take If guess is correct: will observe correlation If incorrect, then prediction will look random –The more bits you already know, the stronger the signal, thus easier to detect (error-correction property) Start by guessing a few top bits, look at correlations for each guess, pick the most promising candidate and continue Works against systems under direct control

9 Homework: Oblivious Permutations Suggest a method for permuting an array obliviously. Array M of size n The CPU has access to a permutation  on n elements. At the end of the process the Array M should be rearranged according to  : –The element that was in M[i] is now in M[  (i)]. The requirement is: for any two permutation  and  ', –an eavesdropper that sees the locations accessed cannot distinguish whether the array is permuted according to or  ', Small (secure) space and time to permute

10 Model CPU Main memory Small private memory qiqi M[q i ]

11 Oblivious RAM Requirements Any sequence of locations i 1, i 2, … induces a distribution on sequences of requests q 1, q 2 … Functionality : should be able to figure out the original content Security : for any two sequence of locations i 1, i 2, … and i’ 1, i’ 2, … induced distributions of requests should be indistinguishable Homework problem much more relaxed: Knowing in advance the order in which elements are accessed Constitute a permutation

12 Open ended Ideas/hints: Routing permutations in networks Sorting networks

13 13 Memory Attacks [HSHCPCFAF 08] Concern: Not only computation leaks information Memory retains its content after power is lost 5 seconds 30 seconds 60 seconds 5 minutes http://citp.princeton.edu/memory

14 14 Model: leakage of any function of the key Would like to allow the adversary to learn any function of the key Cannot withstand learning the full key Idea: limit the length of the function Would like to withstand as long a leakage as possible

15 15 Key-Leakage Attacks Semantic security with key leakage [AGV 09]: For any* leakage f(sk) and for any m 0 and m 1 infeasible to distinguish E pk (m 0 ) and E pk (m 1 ) (sk, pk) pk f Output b’ f(sk) b à {0,1} Clearly, cannot allow f(sk) that easily reveals sk For now f : SK ! {0,1} ¸ for ¸ < |sk| m 0, m 1 E pk (m b ) Akavia, Goldwasser and Vaikuntanathan

16 16 Is this the right model? Noisy leakage as opposed to low-bandwidth leakage Leakage of intermediate values Are intermediate values always erased? Key generation process Decryption process Keys generated using a “weak” random source Not a perfect model, but still a good starting point Discuss extensions later on

17 17 What We Know A generic method for protecting against key-leakage attacks Main building block: Hash Proof Systems [CS 02] Efficient instantiations Based on decisional Diffie-Hellman, few exponentiations Chosen-ciphertext key-leakage attacks A generic CPA-to-CCA transformation Efficient schemes Extensions Noisy leakage Leakage of intermediate values Weak random sources

18 18 Outline of the Talk Some tools The generic construction by examples A simple scheme: ¸ ¼ |sk|/2 Improved schemes: ¸ ¼ |sk| Extensions of the model Conclusions, further work, and some rest...

19 19 Min-Entropy Probability distribution X over {0,1} n H 1 (X) = - log max x Pr[X = x] X is a k -source if H 1 (X) ¸ k (i.e., Pr[X = x] · 2 -k for all x ) Represents the probability of the most likely value of X ¢ (X,Y) =  a  |Pr[X=a] – Pr[Y=a]| Statistical distance :

20 20 Extractors Universal procedure for “purifying” an imperfect source Definition: Ext: {0,1} n £ {0,1} d ! {0,1} ℓ is a (k,  ) -extractor if for any k - source X ¢ (Ext(X, U d ), U ℓ ) ·  d random bits “seed” E XT k -source of length n ℓ almost-uniform bits x s

21 21 Strong Extractors Output looks random even after seeing the seed Definition: Ext: {0,1} n £ {0,1} d ! {0,1} ℓ is a (k,  ) -strong extractor if Ext’(x, s) = s ◦ Ext(x,s) is a (k,  ) -extractor Leftover hash lemma [ILL 89]: Pairwise independent hash functions are strong extractors Example: Ext(x, (a,b)) = first ℓ bits of ax+b over GF[2 n ] Output length ℓ = k – 2log(1/  ) Seed length d = 2n, almost pairwise independence d = O(log n + k)

22 22 Sidebar: Weak Key-Leakage Attacks Semantic security with weak key leakage : For any* leakage f(sk) and for random PK for any m 0 and m 1 infeasible to distinguish E pk (m 0 ) and E pk (m 1 ) (sk, pk) pk f Output b’ f(sk) b à {0,1} Clearly, cannot allow f(sk) that easily reveals sk For now f : SK ! {0,1} ¸ for ¸ < |sk| m 0, m 1 E pk (m b )

23 What About Weak Attacks? Leakage depends on Secret Key only Leakage function chosen by the adversary ahead of time without any knowledge of the public key. Depends only on the properties of the hardware devices used for storing the secret key. Generic construction transforming any encryption scheme (G; E;D) Resilient to any weak leakage of L(1 - o(1)) bits, L secret key length. Parameters : –leakage parameter ¸ –length of the random strings used by generation algorithm G : m Need: Ext: {0,1} k £ {0,1} d ! {0,1} m be (k-,  ) - strong extractor

24 Generic construction transforming any encryption scheme (G; E;D) Ext: {0,1} k £ {0,1} d ! {0,1} m a (k-,  ) - strong extractor Key generation : – Choose x 2 {0,1} k and s 2 {0,1} d – Compute (pk; sk) = G(Ext(x; s)). – Output PK = (pk; s) and SK = x. Encryption: choose r uniformly at random and output ( E(pk;M; r); s). Decryption: ciphertext (c; s), secret key SK = x,: – Compute (pk; sk) = G(Ext(x; s)) and output D(sk; c). Resilient to any weak leakage of L(1 - o(1)) bits Given f(x) distribution of Ext(x; s) close to uniform

25 25 Decisional Diffie-Hellman gxgx gygy AliceBob Both parties compute K = g xy DDH assumption: (g, g x, g y, g xy )  (g, g x, g y, g z ) for random x, y, z 2 Z q (g 1, g 2, g 1 r, g 2 r )  (g 1, g 2, g 1 r 1, g 2 r 2 ) for random g 1, g 2 2 G and r, r 1, r 2 2 Z q

26 26 Outline of the Lecture Some tools The generic construction by examples A simple scheme: ¸ ¼ |sk|/2 Improved schemes: ¸ ¼ |sk| Extensions of the model Conclusions, further work, and some rest...

27 27 G - group of order q Ext : G £ {0,1} d ! {0,1} - strong extractor Choose g 1, g 2 2 G and x 1, x 2 2 Z q Let h = g 1 x 1 g 2 x 2 Output sk = (x 1, x 2 ) and pk = (g 1, g 2, h) Key generation A Simple Scheme: Key Generation MAIN IDEA: Redundancy : any pk corresponds to many possible sk ’s h=g 1 x 1 g 2 x 2 reveals only log(q) bits of information on sk=(x 1,x 2 ) Leakage of ¸ bits ) sk still has min-entropy log(q) - ¸

28 28 G - group of order q Ext : G £ {0,1} d ! {0,1} - strong extractor Choose g 1, g 2 2 G and x 1, x 2 2 Z q Let h = g 1 x 1 g 2 x 2 Output sk = (x 1, x 2 ) and pk = (g 1, g 2, h) Choose r 2 Z q and a seed s 2 {0,1} d Output (g 1 r, g 2 r, s, Ext(h r, s) © m) Output e © Ext(u 1 x 1 u 2 x 2, s) Key generation Enc pk (m) Dec sk (u 1, u 2, s, e) A Simple Scheme: Encryption Decryption u 1 x 1 u 2 x 2 = g 1 rx 1 g 2 rx 2 = (g 1 x 1 g 2 x 2 ) r = h r

29 29 Theorem: The scheme is resilient to any leakage of ¸ ¼ log(q) bits half the size of sk A Simple Scheme: Security Theorem Proof by reduction: Adversary for the encryption scheme Distinguisher for decisional Diffie-Hellman log(q) -|m|

30 30 Theorem: The scheme is resilient to any leakage of ¸ ¼ log(q) bits A Simple Scheme: Security Theorem (sk, pk) pk f Output b’ f(sk) b à {0,1} m 0, m 1 E pk (m b )

31 31 Theorem: The scheme is resilient to any leakage of ¸ ¼ log(q) bits A Simple Scheme: Security Theorem pk (g 1, g 2, g 1 r 1, g 2 r 2 ) b’ r 1  r 2 r 1  r 2 or f f(sk) m 0, m 1 E pk (m b ) Distinguisher for DDH

32 32 Theorem: The scheme is resilient to any leakage of ¸ ¼ log(q) bits MAIN IDEA: Redundancy : any pk corresponds to many possible sk ’s h=g 1 x 1 g 2 x 2 reveals only log(q) bits of information on sk=(x 1,x 2 ) Leakage of ¸ bits ) sk still has min-entropy log(q) - ¸ Extract the remaining entropy and mask the plaintext PROBLEM: Resulting ciphertexts contain no information on the plaintext Cannot be decrypted... TOOL: Hash Proof Systems A Simple Scheme: Security Proof

33 33 (g 1 r, g 2 r, s, Ext(h r, s) © m) h = g 1 x 1 g 2 x 2 Ciphertexts can be generated in two modes Valid: plaintext can be recovered, knowing sk Invalid: no info. on plaintext, given pk computationally indistinguishable not knowing sk A Simple Scheme: Security Proof

34 34 (g 1 r, g 2 r, s, Ext((g 1 r ) x 1 (g 2 r ) x 2, s) © m) A Simple Scheme: Security Proof h = g 1 x 1 g 2 x 2 Ciphertexts can be generated in two modes Valid: plaintext can be recovered, knowing sk Invalid: no info. on plaintext, given pk computationally indistinguishable

35 35 (g 1 r 1, g 2 r 2, s, Ext((g 1 r 1 ) x 1 (g 2 r 2 ) x 2, s) © m) A Simple Scheme: Security Proof Valid ciphertext: r 1 = r 2 Ciphertexts can be generated in two modes Valid: plaintext can be recovered, knowing sk Invalid: no info. on plaintext, given pk computationally indistinguishable

36 36 (g 1 r 1, g 2 r 2, s, Ext((g 1 r 1 ) x 1 (g 2 r 2 ) x 2, s) © m) A Simple Scheme: Security Proof (g 1 r 1 ) x 1 (g 2 r 2 ) x 2 uniformly distributed given pk and (g 1 r 1, g 2 r 2 ) x 1 + wx 2 = log(h) r 1 x 1 + r 2 wx 2 = log(t) Invalid ciphertext: r 1  r 2 Therefore, even given f(sk): min-entropy ¸ log(q) - ¸ Ciphertexts can be generated in two modes Valid: plaintext can be recovered, knowing sk Invalid: no info. on plaintext, given pk computationally indistinguishable h=g 1 x 1 g 2 x 2

37 37 Proof of Security pk (g 1, g 2, u 1, u 2 ) b’ If b’ = b output “r 1 = r 2 ” otherwise “r 1  r 2 ” f f(sk) m 0, m 1 sk = (x 1, x 2 ) = (g 1, g 2, g 1 x 1 g 2 x 2 ) u 1, u 2, s Ext(u 1 x 1 u 2 x 2, s) © m b Case 1: u 1 = g 1 r & u 2 = g 2 r Case 2: u 1 = g 1 r 1 & u 2 = g 2 r 2 Simulation is identical to actual attack Pr[b’ = b] = 1/2 +  Challenge independent of b Pr[b’ = b] = 1/2

38 38 Hash Proof Systems Ciphertexts can be generated in two modes Valid: plaintext can be recovered, knowing sk Invalid: no information on plaintext, given pk computationally indistinguishable Previous scheme relies on a specific HPS many technical details... Known instantiations: Decisional Diffie-Hellman Linear family (bilinear groups) Quadratic residuosity Composite residuosity (Paillier)

39 39 Hash Proof Systems Ciphertexts can be generated in two modes Valid: plaintext can be recovered, knowing sk, Invalid: no information on plaintext, given pk computationally indistinguishable Previous scheme relies on a specific HPS many technical details... Our general construction: HPS + randomness extraction Key-encapsulation mechanism resilient to key leakage

40 40 Outline of the Talk Some tools The generic construction by examples A simple scheme: ¸ ¼ |sk|/2 Improved schemes: ¸ ¼ |sk| Extensions of the model Conclusions, further work, and some rest...

41 41 G - group of order q An Improved Scheme Notation: (x 1,..., x n ) 2 Z q n (g 1,..., g n ) 2 G n (x 1,..., x n ) ¢ (g 1,..., g n ) T  g i x i i=1 n

42 42 G - group of order q Ext : G n-k £ {0,1} d ! {0,1} - strong extractor Choose A 2 G k £ n and x 2 Z q n Let y = Ax Output sk = x and pk = (A, y) Choose R 2 Z q (n-k) £ k and a seed s 2 {0,1} d Output (RA, s, Ext(Ry, s) © m) Output e © Ext(Qx, s) Key generation Enc pk (m) Dec sk (Q, s, e) An Improved Scheme Original scheme: with k=1, n=2

43 43 Theorem: The scheme is resilient to any leakage of length ¸ ¼ (1 – k/n) |sk| 1 – o(1) An Improved Scheme Based on the hardness of k -Linear [BBS 04] 1 -Linear = DDH k -Linear is hard ) (k+1) -Linear is hard k -Linear is easy ; (k+1) -Linear is easy (in generic groups) A new hash proof system Optimizes ratio between secret key and encapsulated key

44 44 An Improved Scheme We show that k -Linear implies indistinguishability of: Random P 2 G n £ n of rank k Random P 2 G n £ n of rank n (rank computed in Z q n £ n relative to a fixed generator g 2 G ) In the simplified scheme: g1g1 g2g2 g1r1g1r1 g2r2g2r2 r 1  r 2 rank 1 r 1  r 2 rank 2 [BHHO 08] proved the case k=1 Proof similar to the simplified scheme

45 45 The Long Scheme Originally proposed by [BHHO 08] as a “circular-secure” scheme Fits into our generic construction Choose g 1,...,g k 2 G and s 1,...,s k 2 {0,1} Let h = g 1 s 1 ¢¢¢ g k s k Output sk = (s 1,...,s k ) and pk = (g 1,...,g k, h) Choose r 2 Z q Output (g 1 r,..., g k r, h r ¢ m) Output e ¢ (u 1 s 1 ¢ u 2 s 2 ¢ ¢ u k s k ) -1 Key generation Enc pk (m) Dec sk (u 1,...,u k,e) “built-in” extractor k ¼ ¸ + 2log(q)

46 46 Proof: a natural extractor DDH implies the computational indistinguishability of: g 1 r,..., g k r for random r g 1 r 1,..., g k r k for random r 1, r 2, … r k pk (g 1,…, g k, u 1, …, u k ) b’ If b’ = b output “ equal r” ow: “ not equal r’ s ” f f(sk) m 0, m 1 sk = (s 1, …, s k ) = (g 1, …, g k, g 1 s 1 g 2 s 2 ¢ g k s k ) u 1,…,u k, (u 1 s 1 ¢ ¢ ¢ u k s k ) m b Case 1: u i = g i r Case 2: u i = g i r i

47 47 Security of Scheme DDH implies the computational indistinguishability of: g 1 r,..., g k r for random r g 1 r 1,..., g k r k for random r 1, r 2, … r k Want to argue that if g 1 r 1,..., g k r k is used, then there is no information about message m The adversary knows: h = g 1 s 1 ¢¢¢ g k s k u 1 = g 1 r 1, u 2 = g 2 r 2,..., u k = g k r k Gets, instead of h r ¢ m b : (u 1 s 1 ¢ u 2 s 2 ¢ ¢ ¢ u k s k ) ¢ m b g 1 r 1 s 1 ¢¢¢ g k r k s 1 Information on  i=1 k w i r i s i Fact:  i=1 k w i r i s i is a pairwise independent family Indexed by r 1, r 2, … r k Can apply the leftover hash lemma! g i =g 1 w i

48 48 Circular Secure Encryption Several public keys (pk 1, sk 1 ), (pk 2, sk 2 ), … (pk k, sk k ) Goal: want to be able to reconstruct all keys from one Provide E pk 1 (sk 2 ), E pk 1 (sk 3 ), …, E pk 1 (sk k ) E pk 2 (sk 1 ), E pk 2 (sk 3 ), …, E pk 2 sk k ) … Is it secure? There are cycles … No known example of insecurity! BHHO: first proof of resiliency

49 Chosen Ciphertext Attacks How to define? When does the leakage take place? How to define CCA2? What is known: The general technique for obtaining CCA – still applicable. Can get 1-o(1) leakage Specific schemes with  (1 ) leakage

50 Recall: NIZK For full specification need to clarify When is x chosen – before or after  ? – Adaptive What does the simulator get? Does soundness need to hold given a simulated  –Cannot hold for simulated (false statement) – Simulation soundness For NP : Can be based on the existence of trapdoor permutations with some structure Relevant for soundness and zk

51 Achieving resistance to CCA with NIZK Two independent keys of some ``good” PKC K P 1 and K P 2 A public random string  for NIZK of the language {(K P 1, K P 2, C 1, C 2 )| C 1 and C 2 encrypt the same message } To encrypt message m: generate ciphertexts C 1 and C 2 and add a proof of consistency  –Ciphertext: C 1, C 2,  To decrypt –Verify proof and then –Decrypt only if ciphertexts passed the consistency checks C2C2 Proof of consistency C1C1 Important point: may decrypt with two different private keys

52 52 Outline of the Lecture Some tools The generic construction by examples A simple scheme: ¸ ¼ |sk|/2 Improved schemes: ¸ ¼ |sk| Extensions of the model Conclusions, further work, and some rest...

53 53 Extensions Noisy leakage Leakage not necessarily of bounded length H 1 (sk | pk, leakage) > H 1 (sk | pk) - ¸ Leakage of intermediate values: Key generation Once the keys are generated, are all intermediate values erased? Leakage depends on the random bits used for generating the keys Crucial for security under composition Hard-to-invert leakage Tauman-Kalai and Vaikuntanathan: The BHHO scheme is resilient to any f(sk) that is sub-exponentially hard to invert

54 54 Extensions Weak random source Keys generated using a low-entropy adversarially chosen source Choose g 1, g 2 2 G and x 1, x 2 2 Z q Let h = g 1 x 1 g 2 x 2 Output sk = (x 1, x 2 ) and pk = (g 1, g 2, h) Key generation (g 1, g 2 ) chosen once and shared by all users Only need H 1 (x 1,x 2 | g 1, g 2 ) ¼ log(q) + |plaintext|

55 55 Extensions Leakage of intermediate values: Decryption Contrived example: First encode sk using a good error-correcting code, then decrypt Not so contrived... Output e ¢ (u 1 s 1 ¢¢¢ u k s k ) -1 Dec sk (u 1,...,u k,e) Decryption has “low bandwidth” Only O(log q) bits at any point in time sk = (s 1,..., s k ) can be much larger

56 56 Conclusions Must incorporate side-channel attacks in the design of systems Many tools developed in the foundations of cryptography are helpful for protecting against side-channel attacks Leakage-resilient encryption from general assumptions? Dealing with “iterative”/continual leakage and refreshed keys? As in leakage-resilient stream-ciphers [DP08, P09] Other primitives? Other side channels? A falsifiable hardware assumption?

57 57 Can leverage the physical world !! Conclusions Visual cryptography [NS94] Timing for concurrent composition [DNS98] Authentication: low-bandwidth human channel [NSS06] Tamper-evident seals (scratch-off cards) [MN06] Randomized response Secure computation using tamper-proof hardware [Katz07, MS08] Human competitive nature and love of games [HN09] Voting

58 58 Modeling Side-Channels Canetti, Dodis, Halevi, Kushilevitz, and Sahai ’00 Exposure-resilient functions: functions that “look” random even if several input bits are leaked Ishai, Prabhakaran, Sahai, and Wagner ’03 ’06 Private circuit evaluation allowing several wires to leak Micali and Reyzin ’04 Computation and only computation leaks information Dziembowski and Pietrzak ’08, Pietrzak ’09 Leakage-resilient stream-ciphers Computation and only computation leaks information, low-bandwidth leakage Akavia, Goldwasser, and Vaikuntanathan ‘09 Memory attacks Regev’s scheme is resilient to leakage of L/polylog(L) bits of the secret key

Download ppt "Topics in Cryptography Lecture 8 Side Channels: PKC resilient to key leakage Lecturer: Moni Naor."

Similar presentations

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller.

1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.
Topics in Cryptography Lecture 7 Topic: Side Channels Lecturer: Moni Naor.

Topics in Cryptography Lecture 7 Topic: Side Channels Lecturer: Moni Naor.
Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.

Public-Key Cryptosystems Resilient to Key Leakage Weizmann Institute of Science Moni NaorGil Segev Crypto in the Clouds, August 2009, MIT.
Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs Earlier Today: Yevgeniy.

Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs Earlier Today: Yevgeniy.
Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.

Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.
Topics in Cryptography Lecture 5 Topic: Chosen Ciphertext Security Lecturer: Moni Naor.

Topics in Cryptography Lecture 5 Topic: Chosen Ciphertext Security Lecturer: Moni Naor.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.

Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Similar presentations

Ads by Google