Public-Key Cryptosystems Resilient to Key Leakage
Moni Naor and Gil Segev, Weizmann Institute of Science
Crypto in the Clouds, August 2009, MIT


Slide 1: Title slide. Public-Key Cryptosystems Resilient to Key Leakage. Moni Naor and Gil Segev, Weizmann Institute of Science. Crypto in the Clouds, August 2009, MIT.

Slide 2: Typical Scenario in Cryptography
- Want to maintain secrecy in communication
- Alice and Bob talk while Eve tries to listen

Slide 3: Modeling an Attack
Foundations of cryptography: rigorous specification of the security of protocols
- The power of the adversary: access to the system; computational power
- What it means to break the system
This is the "standard model" (figure: the adversary sees E_k(m))

Slide 4: Adversarial Models
Standard model:
- Abstract models of computation: interactive Turing machines; private memory, randomness, ...
- Well-defined adversarial access
- Can model powerful attacks
Real life:
- Physical implementations leak information
- Adversarial access not always captured by abstract models

Slide 5: Adversarial Models
- Attacks in the standard model: chosen-plaintext attacks, chosen-ciphertext attacks, composition, self-referential encryption, circular encryption, ...
- Attacks outside the standard model: timing attacks [Kocher 96], fault detection [BDL 97, BS 97], power analysis [KJJ 99], cache attacks [OST 05], memory attacks [HSHCPCFAF 08] (Halderman, Schoen, Heninger, Clarkson, Paul, Calandrino, Feldman, Appelbaum and Felten), ...

Slide 6: Adversarial Models (same two lists of attacks as slide 5)
- Side channel: any information not captured by the abstract "standard" model

Slide 7: Adversarial Models (cartoon: http://xkcd.com/538/)

Slide 8: Two Approaches for Dealing with Side Channels
1. Make the world similar to the standard model: minimizing electromagnetic leakage, "tamper-proof" devices, ...; fixed timing (independent of the input), oblivious RAM, ... Typically expensive or inefficient, and requires precise modeling.
2. Make sure the underlying cryptosystem is robust to modifications of the standard model.
Not mutually exclusive approaches!

Slide 9: Thesis of This Talk
- Many tools developed in the foundations of cryptography are helpful for protecting against side-channel attacks (proof by example)
- ... and not only at implementation time: incorporate side-channel attacks in the design of systems ... and workshop?

Slide 10: Modeling Side-Channels
- Canetti, Dodis, Halevi, Kushilevitz and Sahai '00: exposure-resilient functions, functions that "look" random even if several input bits are leaked
- Ishai, Prabhakaran, Sahai and Wagner '03, '06: private circuit evaluation allowing several wires to leak
- Micali and Reyzin '04: computation, and only computation, leaks information
- Dziembowski and Pietrzak '08, Pietrzak '09: leakage-resilient stream ciphers; computation, and only computation, leaks information; low-bandwidth leakage

Slide 11: "Outside of a few classified military programs, side-channel attacks have been largely ignored by computer security researchers, who have instead focused on creating ever more robust encryption schemes and network protocols." W. Wayt Gibbs, Scientific American, May 2009

Slide 12: Memory Attacks [HSHCPCFAF 08]
- Not only computation leaks information: memory retains its content after power is lost
- (Images of DRAM decay after 5 seconds, 30 seconds, 60 seconds and 5 minutes)
- http://citp.princeton.edu/memory
- Halderman, Schoen, Heninger, Clarkson, Paul, Calandrino, Feldman, Appelbaum and Felten

Slide 13: Memory Attacks [HSHCPCFAF 08]
- Not only computation leaks information: memory retains its content after power is lost, and can even last for several minutes
- Cold boot attacks recover "noisy" keys
- Reconstruct DES, AES and RSA keys; can exploit the redundancy in round keys
- Completely compromise popular disk encryption systems
- Extended and further analyzed by Heninger and Shacham 09
- http://citp.princeton.edu/memory

Slide 14: Model: Leakage of Any Function of the Key
- Would like to allow the adversary to learn any function of the key
- Cannot withstand learning the full key; idea: limit the length of the function
- Would like to withstand as long a leakage as possible
- Want a functional definition: what the adversary cannot succeed in doing as a result of the attack

Slide 15: Public-Key Encryption
Semantic security against chosen-plaintext attacks [GM82]: for any m_0 and m_1 it is infeasible to distinguish E_pk(m_0) from E_pk(m_1).
The game:
- Challenger generates (sk, pk) and sends pk
- Adversary sends m_0, m_1
- Challenger picks b ← {0,1} and sends E_pk(m_b)
- Adversary outputs b'

Slide 16: Key-Leakage Attacks
Semantic security with key leakage [AGV 09]: for any* leakage f(sk) and for any m_0 and m_1 it is infeasible to distinguish E_pk(m_0) from E_pk(m_1).
The game:
- Challenger generates (sk, pk) and sends pk
- Adversary chooses a leakage function f and receives f(sk)
- Adversary sends m_0, m_1
- Challenger picks b ← {0,1} and sends E_pk(m_b)
- Adversary outputs b'
*Clearly, cannot allow f(sk) that easily reveals sk. For now f : SK → {0,1}^λ for λ < |sk|.
Akavia, Goldwasser and Vaikuntanathan [AGV 09]: Regev's lattice-based scheme is resilient to such leakage.

Slide 17: Is This the Right Model?
- Noisy leakage, as opposed to low-bandwidth leakage (DRAM remanence effects)
- Leakage of intermediate values: are intermediate values always erased?
  - Key generation process (crucial for composition)
  - Decryption process
- Keys generated using a "weak" random source
- Not a perfect model, but still a good starting point; extensions are discussed later on

Slide 18: Our Results
- A generic construction for protecting against key leakage, based on any hash proof system [CS 02]
- Efficient instantiations under various number-theoretic assumptions (DDH, d-Linear, QR, Paillier)
- A new hash proof system: the resulting scheme is resilient to leakage of L − o(L) bits, based on either DDH (Decisional Diffie-Hellman) or d-Linear
- The [BHHO 08] circular-secure scheme (Boneh, Halevi, Hamburg and Ostrovsky) fits into our generic approach and is resilient to leakage of L − o(L) bits, with a trade-off in efficiency

Slide 19: Our Results
- Chosen-ciphertext security
  - Theoretical side: a generic CPA-to-CCA transformation with leakage of L − o(L) bits
  - Practical side: efficient variants of Cramer-Shoup; CCA1: leakage of L/4 bits; CCA2: leakage of L/6 bits
- Extensions of the [AGV 09] model, satisfied by our schemes: noisy leakage; leakage of intermediate values; keys generated using a "weak" random source
- Related and independent work: Tauman-Kalai and Vaikuntanathan, [BHHO 08] with hard-to-invert leakage

Slide 20: Outline of the Talk
- Some tools
- The generic construction by examples
  - A simple scheme: λ ≈ |sk|/2
  - Improved schemes: λ ≈ |sk|
- Extensions of the model
- Conclusions, further work, and some rest...

Slide 21: Min-Entropy
- Probability distribution X over {0,1}^n: H_∞(X) = −log max_x Pr[X = x]; this captures the probability of the most likely value of X
- X is a k-source if H_∞(X) ≥ k, i.e., Pr[X = x] ≤ 2^{−k} for all x
- Example: U_n, the uniform distribution on {0,1}^n, has H_∞(U_n) = n
- Statistical distance: Δ(X, Y) = Σ_a |Pr[X = a] − Pr[Y = a]|

Slide 22: Extractors
- Universal procedure for "purifying" an imperfect source
- Definition: Ext : {0,1}^n × {0,1}^d → {0,1}^ℓ is a (k, ε)-extractor if for every k-source X the result is close to uniform: Δ(Ext(X, U_d), U_ℓ) ≤ ε
- Picture: a k-source x of length n and d random bits s (the "seed") go into Ext, which outputs ℓ almost-uniform bits

Slide 23: Strong Extractors
- Output looks random even after seeing the seed
- Definition: Ext : {0,1}^n × {0,1}^d → {0,1}^ℓ is a (k, ε)-strong extractor if Ext'(x, s) = s ∘ Ext(x, s) is a (k, ε)-extractor
- Leftover hash lemma [ILL 89]: pairwise independent hash functions are strong extractors
- Example: Ext(x, (a, b)) = first ℓ bits of ax + b over GF[2^n]
  - Output length ℓ = k − 2 log(1/ε)
  - Seed length d = 2n; with almost pairwise independence, d = O(log n + k)
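The definitions on slides 21 to 23 can be checked numerically. The following Python is an added example, not code from the talk or the paper: it implements the min-entropy and statistical-distance formulas above and the leftover-hash extractor Ext(x, (a, b)) = first ℓ bits of ax + b over GF[2^n] with n = 8, then computes the strong-extractor distance Δ((S, Ext(X, S)), (S, U_ℓ)) exactly by enumerating all 2^16 seeds. The source X is constructed: an 8-bit key whose top nibble the adversary already knows, i.e. a 4-source. The field polynomial, the bit sizes and all names are my assumptions.

```python
import math

N = 8             # source length n in bits; arithmetic is in GF(2^8)
MODULUS = 0x11B   # x^8 + x^4 + x^3 + x + 1 (the AES field polynomial, an arbitrary choice here)

def gf_mul(a, b):
    """Multiply two GF(2^8) elements given as 8-bit integers."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= MODULUS
    return r

# Full multiplication table so the exhaustive seed loop below stays fast.
MUL = [[gf_mul(a, x) for x in range(256)] for a in range(256)]

def min_entropy(dist):
    """H_inf(X) = -log2 max_x Pr[X = x]; dist maps value -> probability."""
    return -math.log2(max(dist.values()))

def stat_dist(p, q):
    """Delta(X, Y) = sum_a |Pr[X = a] - Pr[Y = a]| (the slide's convention, without a 1/2)."""
    return sum(abs(p.get(a, 0.0) - q.get(a, 0.0)) for a in set(p) | set(q))

def lhl_output_length(k, eps):
    """Leftover hash lemma: from a k-source one gets ell = k - 2 log2(1/eps) bits that are eps-close to uniform."""
    return math.floor(k - 2 * math.log2(1 / eps))

def ext(x, seed, ell):
    """Ext(x, (a, b)) = first ell bits of a*x + b over GF(2^8); the seed (a, b) has d = 2n = 16 bits."""
    a, b = seed
    return (MUL[a][x] ^ b) >> (N - ell)

def strong_ext_distance(source, ell):
    """Exact Delta((S, Ext(X, S)), (S, U_ell)) for S uniform over all 2^16 seeds.

    Because the seed is part of both distributions, the joint distance is the
    average over seeds of the per-seed distance Delta(Ext(X, s), U_ell)."""
    uniform = {v: 1.0 / (1 << ell) for v in range(1 << ell)}
    total = 0.0
    for a in range(256):
        row = MUL[a]
        for b in range(256):
            out = [0.0] * (1 << ell)
            for x, px in source.items():
                out[(row[x] ^ b) >> (N - ell)] += px
            total += stat_dist(dict(enumerate(out)), uniform)
    return total / (1 << 16)

def uniform_source():
    return {x: 1.0 / 256 for x in range(256)}

def leaky_source(known_high_nibble=0xA):
    """Constructed 4-source: the adversary learned the top 4 bits of an 8-bit key,
    so only the low nibble is still uniform and H_inf = 4."""
    return {(known_high_nibble << 4) | low: 1.0 / 16 for low in range(16)}

if __name__ == "__main__":
    src = leaky_source()
    k, ell = min_entropy(src), 1
    d = strong_ext_distance(src, ell)
    # The leftover hash lemma bounds the distance (in this convention) by sqrt(2^(ell - k)).
    print(f"H_inf = {k}, extracting {ell} bit: Delta = {d:.4f}, LHL bound = {math.sqrt(2 ** (ell - k)):.4f}")
```

Extracting a single bit from the 4-source gives a distance well under the leftover-hash bound of 2^{−3/2}; asking for ℓ = 4 bits (k − 2 log(1/ε) with ε = 1) gives no guarantee at all, which is the trade-off the formula on slide 23 states.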

Slide 24: Sidebar: Weak Key-Leakage Attacks
Semantic security with weak key leakage: for any* leakage f(sk) chosen before pk and for a random pk, for any m_0 and m_1 it is infeasible to distinguish E_pk(m_0) from E_pk(m_1).
The game:
- Adversary chooses a leakage function f
- Challenger generates (sk, pk) and sends pk together with f(sk)
- Adversary sends m_0, m_1
- Challenger picks b ← {0,1} and sends E_pk(m_b)
- Adversary outputs b'
*Clearly, cannot allow f(sk) that easily reveals sk. For now f : SK → {0,1}^λ for λ < |sk|.

Slide 25: Weak Attacks: Leakage Depending on the Secret Key Only
- The leakage function is chosen by the adversary ahead of time, without any knowledge of the public key
- Depends only on properties of the hardware devices used for storing the secret key
- Generic construction transforming any encryption scheme; resilient to any weak leakage of L(1 − o(1)) bits, where L is the secret key length
- Parameters: the leakage parameter λ, and m, the length of the random string used by the key generation algorithm G
- Need: Ext : {0,1}^L × {0,1}^d → {0,1}^m, a (L − λ, ε)-strong extractor

Slide 26: Generic Construction from Any Scheme
- Ingredients: an encryption scheme (G, E, D) with key generation algorithm G : {0,1}^m → {0,1}^w, and Ext : {0,1}^L × {0,1}^d → {0,1}^m, a (L − λ, ε)-strong extractor
- Key generation:
  - Choose x ∈ {0,1}^L and s ∈ {0,1}^d
  - Compute (pk, sk) = G(Ext(x, s))
  - Output PK = (pk, s) and SK = x
- Encryption: choose r uniformly at random and output (E(pk, M; r), s)
- Decryption of a ciphertext (c, s) with secret key SK = x: compute (pk, sk) = G(Ext(x, s)) and output D(sk, c)
- Resilient to any weak leakage of L(1 − o(1)) bits: given f(x), the distribution of Ext(x, s) is close to uniform
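As an added example (not the authors' code), here is the slide-26 construction in Python with textbook ElGamal in a toy prime-order group standing in for (G, E, D). The stored secret is a 120-bit string x, the public key carries the extractor seed s, and the base key pair is re-derived from Ext(x, s) on every decryption. The group (p = 2039, q = 1019, g = 4), the affine extractor over the Mersenne prime 2^127 − 1, the sizes L = 120, λ = 72, m = 32, and the leakage function (the top 72 bits of x, fixed before the public key exists) are all my assumptions; the group is far too small for real use.

```python
import secrets

# Constructed toy group: p = 2q + 1 is a safe prime and G = QR_p, the subgroup of
# quadratic residues, has prime order q and is generated by g = 4.
P, Q, G = 2039, 1019, 4

# Sizes for the leakage-resilient wrapper (assumed for this example):
L = 120        # length in bits of the stored secret x
LAMBDA = 72    # bits of x the adversary learns (weak leakage, chosen before PK)
M = 32         # random bits consumed by the base key generator
EXT_PRIME = (1 << 127) - 1   # Mersenne prime; every 120-bit x is an element of Z_EXT_PRIME

def ext(x, seed):
    """Ext(x, (a, b)) = low M bits of a*x + b mod EXT_PRIME.
    The affine family over a prime field is pairwise independent, so by the
    leftover hash lemma it is a (k, eps)-strong extractor with eps about 2^-((k-M)/2)."""
    a, b = seed
    return ((a * x + b) % EXT_PRIME) & ((1 << M) - 1)

# Base scheme (G, E, D): textbook ElGamal in G; messages are elements of G.
def base_gen(rho):
    """G(rho): deterministically derive (pk, sk) from an M-bit random string."""
    sk = 1 + rho % (Q - 1)           # sk in [1, q - 1]
    return pow(G, sk, P), sk

def base_enc(pk, msg, r):
    return pow(G, r, P), (pow(pk, r, P) * msg) % P

def base_dec(sk, c):
    c1, c2 = c
    return (c2 * pow(c1, -sk, P)) % P

# Wrapped scheme from the slide: SK = x, PK = (pk, s).
def keygen():
    x = secrets.randbits(L)
    s = (secrets.randbelow(EXT_PRIME), secrets.randbelow(EXT_PRIME))
    pk, _sk = base_gen(ext(x, s))    # sk is discarded; only x is stored
    return (pk, s), x

def encrypt(PK, msg):
    pk, s = PK
    r = secrets.randbelow(Q - 1) + 1
    return base_enc(pk, msg, r), s

def decrypt(x, ciphertext):
    c, s = ciphertext
    _pk, sk = base_gen(ext(x, s))    # re-derive the base key pair from x and the public seed
    return base_dec(sk, c)

def weak_leakage(x):
    """A leakage function fixed before PK exists: the top LAMBDA bits of x."""
    return x >> (L - LAMBDA)

def residual_min_entropy():
    """Bits of x still uniform after the leakage, i.e. k in the (k, eps) extractor."""
    return L - LAMBDA
```

With these sizes the residual min-entropy of x is 48 bits and the extractor outputs 32, so Ext(x, s) is about 2^{−8}-close to uniform even given f(x), and the derived ElGamal key is as good as one generated from fresh randomness; the same wrapper works unchanged for any other (G, E, D).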

Slide 27: Decisional Diffie-Hellman
- Alice sends g^x to Bob, Bob sends g^y to Alice; both parties compute K = g^{xy}
- DDH assumption: (g, g^x, g^y, g^{xy}) ≈ (g, g^x, g^y, g^z) for random x, y, z ∈ Z_q
- Equivalently: (g_1, g_2, g_1^r, g_2^r) ≈ (g_1, g_2, g_1^{r_1}, g_2^{r_2}) for random g_1, g_2 ∈ G and r, r_1, r_2 ∈ Z_q

Slide 28: Outline of the Talk (repeated; next: the generic construction by examples, starting with a simple scheme, λ ≈ |sk|/2)

Slide 29: A Simple Scheme
- G: a group of order q where DDH is hard; Ext : G × {0,1}^d → {0,1}^ℓ, a strong extractor
- Key generation: choose g_1, g_2 ∈ G and x_1, x_2 ∈ Z_q; let h = g_1^{x_1} g_2^{x_2}; output sk = (x_1, x_2) and pk = (g_1, g_2, h)
- Main idea, redundancy: any pk corresponds to many possible sk's
  - h = g_1^{x_1} g_2^{x_2} reveals only log(q) bits of information on sk = (x_1, x_2)
  - Leakage of λ bits ⇒ sk still has min-entropy log(q) − λ

Slide 30: A Simple Scheme
- G: a group of order q; Ext : G × {0,1}^d → {0,1}^ℓ, a strong extractor
- Key generation: choose g_1, g_2 ∈ G and x_1, x_2 ∈ Z_q; let h = g_1^{x_1} g_2^{x_2}; output sk = (x_1, x_2) and pk = (g_1, g_2, h)
- Enc_pk(m): choose r ∈ Z_q and a seed s ∈ {0,1}^d; output (g_1^r, g_2^r, s, Ext(h^r, s) ⊕ m)
- Dec_sk(u_1, u_2, s, e): output e ⊕ Ext(u_1^{x_1} u_2^{x_2}, s)
- Correctness: u_1^{x_1} u_2^{x_2} = (g_1^{x_1} g_2^{x_2})^r = h^r

Slide 31: A Simple Scheme: Security
- Theorem: the scheme is resilient to leakage of λ ≈ log(q) bits, half the size of sk (more precisely, log(q) − |m| bits)
- Proof by reduction: an adversary for the encryption scheme yields a distinguisher for Decisional Diffie-Hellman

Slide 32: A Simple Scheme
Theorem: the scheme is resilient to leakage of λ ≈ log(q) bits.
The key-leakage game: the challenger generates (sk, pk) and sends pk; the adversary chooses f and receives f(sk); the adversary sends m_0, m_1; the challenger picks b ← {0,1} and sends E_pk(m_b); the adversary outputs b'.
Suppose b' = b with probability 1/2 + ε, where ε > 1/poly.

Slide 33: A Simple Scheme
Theorem: the scheme is resilient to leakage of λ ≈ log(q) bits.
Distinguisher for DDH: given (g_1, g_2, g_1^{r_1}, g_2^{r_2}), it plays the challenger against the adversary (sends pk, answers the leakage query f with f(sk), receives m_0, m_1, sends E_pk(m_b)) and uses the adversary's output b' to decide between r_1 = r_2 and r_1 ≠ r_2.

Slide 34: Simple Scheme: Security Proof
- Ciphertext: (g_1^r, g_2^r, s, Ext(h^r, s) ⊕ m), where h = g_1^{x_1} g_2^{x_2}
- Ciphertexts can be generated in two modes, computationally indistinguishable without knowing sk:
  - Valid: the plaintext can be recovered knowing sk
  - Invalid: no information on the plaintext, given pk

Slide 35: Simple Scheme: Security Proof
- The same ciphertext, rewritten: (g_1^r, g_2^r, s, Ext((g_1^r)^{x_1} (g_2^r)^{x_2}, s) ⊕ m), where h = g_1^{x_1} g_2^{x_2}
- Two modes, computationally indistinguishable: valid (plaintext recoverable knowing sk) and invalid (no information on the plaintext, given pk)

Slide 36: Simple Scheme: Security Proof
- General form: (g_1^{r_1}, g_2^{r_2}, s, Ext((g_1^{r_1})^{x_1} (g_2^{r_2})^{x_2}, s) ⊕ m)
- Valid ciphertext: r_1 = r_2
- Two modes, computationally indistinguishable: valid (plaintext recoverable knowing sk) and invalid (no information on the plaintext, given pk)

Slide 37: Simple Scheme: Security Proof
- General form: (g_1^{r_1}, g_2^{r_2}, s, Ext((g_1^{r_1})^{x_1} (g_2^{r_2})^{x_2}, s) ⊕ m), with h = g_1^{x_1} g_2^{x_2}
- Two modes, computationally indistinguishable: valid (plaintext recoverable knowing sk) and invalid (no information on the plaintext, given pk)
- Invalid ciphertext: r_1 ≠ r_2. Then t = (g_1^{r_1})^{x_1} (g_2^{r_2})^{x_2} is uniformly distributed given pk and (g_1^{r_1}, g_2^{r_2}): writing g_2 = g_1^w, the two equations x_1 + w x_2 = log(h) and r_1 x_1 + r_2 w x_2 = log(t) are linearly independent, so log(t) is not determined by log(h)
- Therefore, even given f(sk), t has min-entropy ≥ log(q) − λ, and by applying the extractor we get back a random string

Slide 38: Proof of Security
The DDH distinguisher receives (g_1, g_2, u_1, u_2) and simulates the challenger:
- Picks sk = (x_1, x_2) and sets pk = (g_1, g_2, h) with h = g_1^{x_1} g_2^{x_2}; sends pk
- Answers the leakage query f with f(sk)
- On m_0, m_1, picks b and sends (u_1, u_2, s, Ext(u_1^{x_1} u_2^{x_2}, s) ⊕ m_b)
- If b' = b, outputs "r_1 = r_2"; otherwise outputs "r_1 ≠ r_2"
Case 1: u_1 = g_1^r and u_2 = g_2^r. The simulation is identical to the actual attack, so Pr[b' = b] = 1/2 + ε.
Case 2: u_1 = g_1^{r_1} and u_2 = g_2^{r_2} with r_1 ≠ r_2. The challenge is independent of b, so Pr[b' = b] = 1/2 up to the extractor's error.
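The two-mode argument of slides 34 to 38 can be seen in running code. The following Python is an added example (not the talk's or the paper's code) of the simple scheme from slide 30 in a toy group: valid ciphertexts (r_1 = r_2) decrypt correctly under every secret key consistent with pk, while for an invalid ciphertext (r_1 ≠ r_2) two different secret keys that both lie on the line x_1 + w x_2 = log(h) produce different values of u_1^{x_1} u_2^{x_2}, which is the redundancy the proof turns into min-entropy of the encapsulated key. The group parameters (p = 2039, q = 1019), the 8-bit affine toy extractor and the demo-only return of w = log_{g_1}(g_2) from keygen are my assumptions.

```python
import secrets

# Constructed toy group: p = 2q + 1 safe prime, G = QR_p of prime order q, generated by 4.
P, Q, GEN = 2039, 1019, 4
ELL = 8                 # plaintext length = extractor output length, in bits
EXT_PRIME = 65521       # > p, so group elements embed into Z_EXT_PRIME

def ext(h, seed):
    """Toy strong extractor (assumption): affine hash over Z_EXT_PRIME truncated to ELL bits."""
    a, b = seed
    return ((a * h + b) % EXT_PRIME) & ((1 << ELL) - 1)

def random_seed():
    return (secrets.randbelow(EXT_PRIME), secrets.randbelow(EXT_PRIME))

def keygen():
    """sk = (x1, x2), pk = (g1, g2, h = g1^x1 g2^x2).
    Also returns w = log_g1(g2); the scheme never uses it, only the redundancy demo below does."""
    g1 = pow(GEN, secrets.randbelow(Q - 1) + 1, P)
    w = secrets.randbelow(Q - 1) + 1
    g2 = pow(g1, w, P)
    x1, x2 = secrets.randbelow(Q), secrets.randbelow(Q)
    h = (pow(g1, x1, P) * pow(g2, x2, P)) % P
    return (g1, g2, h), (x1, x2), w

def encapsulated_key(sk, u1, u2):
    """The group element u1^x1 u2^x2 that decryption feeds into the extractor."""
    x1, x2 = sk
    return (pow(u1, x1, P) * pow(u2, x2, P)) % P

def encrypt(pk, m):
    """Valid ciphertext: (g1^r, g2^r, s, Ext(h^r, s) xor m)."""
    g1, g2, h = pk
    r = secrets.randbelow(Q)
    s = random_seed()
    return pow(g1, r, P), pow(g2, r, P), s, ext(pow(h, r, P), s) ^ m

def decrypt(sk, c):
    u1, u2, s, e = c
    return e ^ ext(encapsulated_key(sk, u1, u2), s)

def encrypt_invalid(pk, sk, m):
    """Invalid ciphertext (r1 != r2), built the way the reduction builds it, knowing sk:
    (g1^r1, g2^r2, s, Ext(u1^x1 u2^x2, s) xor m)."""
    g1, g2, _h = pk
    r1 = secrets.randbelow(Q)
    r2 = (r1 + secrets.randbelow(Q - 1) + 1) % Q      # guarantees r2 != r1 mod q
    u1, u2 = pow(g1, r1, P), pow(g2, r2, P)
    s = random_seed()
    return u1, u2, s, ext(encapsulated_key(sk, u1, u2), s) ^ m

def alternative_secret_key(sk, w):
    """Another (x1', x2') with g1^x1' g2^x2' = h: move along the line x1 + w*x2 = log(h).
    Every pk has q such keys; this is the redundancy slide 29 relies on."""
    x1, x2 = sk
    return ((x1 - w) % Q, (x2 + 1) % Q)

def public_h(generators, sk):
    g1, g2 = generators
    return (pow(g1, sk[0], P) * pow(g2, sk[1], P)) % P
```

On a valid ciphertext the exponent of the encapsulated key is r(x_1 + w x_2), which every key on the line shares; on an invalid one it is r_1 x_1 + r_2 w x_2, and two keys on the line differ in it by w(r_2 − r_1) ≠ 0 mod q. A λ-bit leakage cannot pin down which of the q keys on the line is the real one, so the invalid ciphertext's key keeps min-entropy log(q) − λ and the extractor masks m.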

Slide 39: Hash Proof Systems
- A key-encapsulation mechanism with an additional property: knowing sk, one can encapsulate in two modes, computationally indistinguishable
  - Valid: the encapsulated key can be recovered
  - Invalid: the encapsulated key is random
- Leakage reduces the min-entropy of the encapsulated key by at most λ; extract from it and mask the plaintext
- Our general construction: hash proof system + strong extractor = key-encapsulation mechanism resilient to key leakage

Slide 40: Hash Proof Systems
- A key-encapsulation mechanism with an additional property: knowing sk, one can encapsulate in two modes, computationally indistinguishable
  - Valid: the encapsulated key can be recovered
  - Invalid: the encapsulated key is random
- Leakage reduces the min-entropy of the encapsulated key by at most λ; extract from it and mask the plaintext
- Known instantiations: Decisional Diffie-Hellman; the Linear family (bilinear groups); quadratic residuosity; composite residuosity (Paillier)

Slide 41: Outline of the Talk (repeated; next: improved schemes, λ ≈ |sk|)

Slide 42: An Improved Scheme
- G: a group of order q
- Notation: for (x_1, ..., x_n) ∈ Z_q^n and (g_1, ..., g_n) ∈ G^n, (x_1, ..., x_n) · (g_1, ..., g_n)^T = Π_{i=1}^{n} g_i^{x_i}

Slide 43: An Improved Scheme
- G: a group of order q; Ext : G^{n−k} × {0,1}^d → {0,1}^ℓ, a strong extractor
- Key generation: choose A ∈ G^{k×n} and x ∈ Z_q^n; let y = Ax; output sk = x and pk = (A, y)
- Enc_pk(m): choose R ∈ Z_q^{(n−k)×k} and a seed s ∈ {0,1}^d; output (RA, s, Ext(Ry, s) ⊕ m)
- Dec_sk(Q, s, e): output e ⊕ Ext(Qx, s)

Slide 44: An Improved Scheme
- Theorem: the scheme is resilient to any leakage of length λ ≈ (1 − k/n)|sk| (up to a factor 1 − o(1))
- Based on the hardness of k-Linear [BBS 04]: 1-Linear = DDH; k-Linear hard ⇒ (k+1)-Linear hard; k-Linear easy does not imply (k+1)-Linear easy (in generic groups)
- A new hash proof system that optimizes the ratio between the secret key and the encapsulated key
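The matrix notation of slides 42 to 44 becomes concrete in the following added Python example (not the authors' code): a matrix over G is stored as its entries, a scalar matrix over Z_q acts on it by exponentiation, and encapsulation and decapsulation agree because (RA)x = R(Ax). The example also counts, for a tiny group, how many secret keys are consistent with one public key; that count, q^{n−k}, is what makes pk reveal only k·log q bits of the n·log q-bit key and gives the (1 − k/n)|sk| leakage bound. The extractor step Ext(Ry, s) ⊕ m is left out, and the two toy groups (p = 2039 and p = 23) and all names are my assumptions.

```python
import math
import secrets
from itertools import product

# Constructed toy groups (p, q, g): p = 2q + 1 safe prime, G = QR_p of order q generated by 4.
DEMO = (2039, 1019, 4)     # for a correctness run with n = 4, k = 2
TINY = (23, 11, 4)         # small enough to enumerate every secret key (n = 3, k = 1)

def rand_group_matrix(params, rows, cols):
    """A in G^{rows x cols}: each entry is g^a for a random nonzero exponent a."""
    p, q, g = params
    return [[pow(g, secrets.randbelow(q - 1) + 1, p) for _ in range(cols)] for _ in range(rows)]

def rand_scalar_matrix(q, rows, cols):
    return [[secrets.randbelow(q) for _ in range(cols)] for _ in range(rows)]

def group_mat_vec(p, A, x):
    """(Ax)_i = prod_j A[i][j]^x_j, i.e. the slide's (x_1..x_n)·(g_1..g_n)^T applied to each row."""
    out = []
    for row in A:
        v = 1
        for g, xj in zip(row, x):
            v = v * pow(g, xj, p) % p
        out.append(v)
    return out

def scalar_mat_group_mat(p, R, A):
    """(RA)_{ij} = prod_l A[l][j]^R[i][l]: a scalar matrix over Z_q times a matrix over G."""
    cols = len(A[0])
    out = []
    for r_row in R:
        out.append([1] * cols)
        for l, r_il in enumerate(r_row):
            for j in range(cols):
                out[-1][j] = out[-1][j] * pow(A[l][j], r_il, p) % p
    return out

def scalar_mat_group_vec(p, R, y):
    """(Ry)_i = prod_l y_l^R[i][l]."""
    return [math.prod(pow(yl, r_il, p) for yl, r_il in zip(y, r_row)) % p for r_row in R]

def keygen(params, n, k):
    p, q, _ = params
    A = rand_group_matrix(params, k, n)
    x = [secrets.randbelow(q) for _ in range(n)]
    return (A, group_mat_vec(p, A, x)), x          # pk = (A, y = Ax), sk = x

def encaps(params, pk):
    """Returns (Q = RA, key = Ry); the slide then publishes (Q, s, Ext(key, s) xor m)."""
    p, q, _ = params
    A, y = pk
    k, n = len(A), len(A[0])
    R = rand_scalar_matrix(q, n - k, k)
    return scalar_mat_group_mat(p, R, A), scalar_mat_group_vec(p, R, y)

def decaps(params, x, Qmat):
    """Qx, which equals Ry because (RA)x = R(Ax)."""
    return group_mat_vec(params[0], Qmat, x)

def count_consistent_keys(params, pk):
    """Brute-force the number of x' with Ax' = y. For a full-rank k x n exponent matrix
    this is q^(n-k): the public key fixes only k of the n coordinates of the secret key."""
    p, q, _ = params
    A, y = pk
    n = len(A[0])
    return sum(1 for xp in product(range(q), repeat=n) if group_mat_vec(p, A, list(xp)) == y)

def leakage_bound_bits(n, k, q):
    """lambda ~ (1 - k/n)|sk| with |sk| = n log2 q, i.e. (n - k) log2 q bits."""
    return (n - k) * math.log2(q)
```

For the tiny group with n = 3 and k = 1 every public key is shared by exactly 11^2 = 121 secret keys, matching the bound of (3 − 1)·log2(11) ≈ 6.9 leakable bits out of the 3·log2(11) ≈ 10.4-bit key; increasing n for fixed k pushes the tolerated fraction toward 1, which is the λ ≈ |sk| headline of the improved scheme.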

Slide 45: An Improved Scheme
- We show that k-Linear implies the indistinguishability of a random P ∈ G^{n×n} of rank k from a random P ∈ G^{n×n} of rank n (rank computed in Z_q^{n×n} relative to a fixed generator g ∈ G)
- In the simplified scheme: the matrix with rows (g_1, g_2) and (g_1^{r_1}, g_2^{r_2}) has rank 1 when r_1 = r_2 and rank 2 when r_1 ≠ r_2
- [BHHO 08] proved the case k = 1
- Proof similar to the simplified scheme

Slide 46: The "Long" Scheme
- Originally proposed by [BHHO 08] (Boneh, Halevi, Hamburg and Ostrovsky) as a "circular-secure" scheme; fits into our generic construction
- Key generation: choose g_1, ..., g_k ∈ G and s_1, ..., s_k ∈ {0,1}; let h = g_1^{s_1} ··· g_k^{s_k}; output sk = (s_1, ..., s_k) and pk = (g_1, ..., g_k, h)
- Enc_pk(m): choose r ∈ Z_q; output (g_1^r, ..., g_k^r, h^r · m)
- Dec_sk(u_1, ..., u_k, e): output e · (u_1^{s_1} ··· u_k^{s_k})^{−1}
- "Built-in" extractor; k ≈ λ + 2 log(q)

Slide 47: Outline of the Talk (repeated; next: extensions of the model)

Slide 48: Extensions
- Noisy leakage: leakage not necessarily of bounded length; require H_∞(sk | pk, leakage) > H_∞(sk | pk) − λ
- Leakage of intermediate values in key generation: once the keys are generated, are all intermediate values erased? The leakage depends on the random bits used for generating the keys; crucial for security under composition
- Hard-to-invert leakage (Tauman-Kalai and Vaikuntanathan): the BHHO scheme is resilient to any f(sk) that is sub-exponentially hard to invert

Slide 49: Extensions
- Weak random source: keys generated using a low-entropy, adversarially chosen source
- Key generation of the simple scheme: choose g_1, g_2 ∈ G and x_1, x_2 ∈ Z_q; let h = g_1^{x_1} g_2^{x_2}; output sk = (x_1, x_2) and pk = (g_1, g_2, h)
- (g_1, g_2) chosen once and shared by all users
- Only need H_∞(x_1, x_2 | g_1, g_2) ≈ log(q) + |plaintext|

Slide 50: Extensions
- Leakage of intermediate values in decryption
- Contrived example: first encode sk using a good error-correcting code, then decrypt
- Not so contrived... Dec_sk(u_1, ..., u_k, e): output e · (u_1^{s_1} ··· u_k^{s_k})^{−1}
- Decryption has "low bandwidth": only O(log q) bits at any point in time, while sk = (s_1, ..., s_k) can be much larger

Slide 51: Outline of the Talk (repeated; next: conclusions, further work, and some rest...)

Slide 52: Conclusions
- Must incorporate side-channel attacks in the design of systems
- Many tools developed in the foundations of cryptography are helpful for protecting against side-channel attacks
- We can build efficient cryptosystems resilient to a wide range of side-channel attacks
- Open questions:
  - Leakage-resilient encryption from general assumptions?
  - Dealing with "iterative"/continual leakage and refreshed keys? As in leakage-resilient stream ciphers [DP08, P09]
  - Other primitives? Signature schemes [Katz Vaikuntanathan 09]; bounded retrieval model [Alwen, Dodis, Walfish, Wichs 09]; hard-to-invert leakage [DKL09, KV09]; block cipher??
  - Other side channels?
  - A falsifiable assumption with side channels?

Slide 53: Conclusions: Can Leverage the Physical World!
- Visual cryptography [NS94]
- Timing for concurrent composition [DNS98]
- Authentication: low-bandwidth human channel [NSS06]
- Tamper-evident seals (scratch-off cards) [MN06]
- Randomized response
- Secure computation using tamper-proof hardware [Katz07, MS08]
- Human competitive nature and love of games [HN09]
- Voting

Slide 54: Thank You (תודה רבה)
To appear, Crypto 2009. Available: www.wisdom.weizmann.ac.il/~naor/PAPERS/leakage_abs.html and the IACR Archive.

