Input-shrinking functions: theory and application PhD candidate: Francesco Davì Thesis committee: Dr. Stefan Dziembowski (advisor) Prof. Luigi Vincenzo.


1 Input-shrinking functions: theory and application. PhD candidate: Francesco Davì. Thesis committee: Dr. Stefan Dziembowski (advisor), Prof. Luigi Vincenzo Mancini, Prof. Alessandro Mei. Reviewers: Prof. Mirosław Kutyłowski, Dr. Ivan Visconti. Rome, 02/03/2012. Computer Science Department, Sapienza University of Rome.

2 PhD activity. Project: Cryptography on Non-Trusted Machines. Publication: F. Davì, S. Dziembowski and D. Venturi, Leakage-Resilient Storage, in J. Garay and R. De Prisco (eds.), Seventh Conference on Security and Cryptography for Networks (SCN 2010), LNCS 6280, Springer, 2010. [Footer on every slide: Input-shrinking functions: theory and application, Francesco Davì]

3 Conferences, workshops and schools: Seventh Conference on Security and Cryptography for Networks (SCN 2010), Amalfi, 13-15 September 2010; Workshop on Provable Security against Physical Attacks, Leiden, 15-19 February 2010; Theory of Cryptography Conference (TCC 2010), Zurich, 9-11 February 2010; Summer School on Provable Security, Barcelona, 7-11 September 2009; Bertinoro International Spring School (BiSS 2009), Bertinoro, 2-6 March 2009; Berlin-Poznan Seminar / ASZ Workshop 2008, Humboldt-Universität, Berlin, 20-21 June 2008.

4 Experiences abroad: May-July 2011, visiting student at the Cryptography and Data Security Group, Uniwersytet Warszawski, Warsaw, Poland; May-June 2008, Methods for Discrete Structures (Pre)Doc-Course 2008 on Random and Quasirandom Graphs, Humboldt-Universität, Berlin, Germany.

5 Outline: 1. Introduction and motivations; 2. Leakage-Resilient Storage; 3. Authenticated Key Exchange protocol in the Bounded-Retrieval Model.

6 Cryptography: for a long time the design of secure cryptographic schemes was based mostly on intuition and experience, and the resulting solutions were often broken in a short time.

7 Provable security (1/2): give a formal definition of security and of the adversarial model, then a formal proof of security showing that no adversary in that model can break the scheme. Flavours of security: information-theoretic (computationally unbounded adversary); standard model (reduction from hard problems); Random Oracle Model (idealized cryptographic hash functions).

8 Provable security (2/2): security against all known attacks, and even future ones, as long as they stay within the model. The field developed very fast and produced a large number of provably secure cryptographic schemes.

9 Problem: once implemented, some of the provably secure schemes were broken! It is easy for a real implementation to step outside the security model.

10 Black-box model: the adversary chooses an input X and receives the output Y of the cryptosystem (the CRYPTO box); she gets no information about the internal state of the cryptosystem.

11 Information leakage: the adversary chooses X and receives Y together with a leakage λ. During the execution on a real MACHINE (PC, smartcard, ...) the adversary can measure power consumption, electromagnetic radiation, time and sound: these are side-channel attacks. Even partial leakage can suffice to completely break a scheme.

12 Side-channel attacks exploit physical measurements on real devices. Practitioners find countermeasures (and discover new attacks), but these are mostly ad hoc, often come without a formal proof of security, and cannot provide security against all possible attacks. Recent trend: extend the realm of provable security to cover leakage.

13 Leakage-Resilient Cryptography: design protocols that remain secure even when implemented on machines that may leak information.

14 Leakage-Resilient Cryptography: the models. Continual leakage: only computation leaks, total leakage unbounded (MR04, DP08, Pie09, FKPR10, FRRTV10, GR10, JV10, DP10, KP10, DF11). Bounded memory-leakage: all the memory leaks, total leakage bounded (ISW03, IPSW06, AGV09, ADW09, KV09, NS09, DHLW10, BG10, GKPV10, ADNSWW10, DDV10). Auxiliary input: all the memory leaks, total leakage unbounded, but it is computationally hard to recover the secret from the leakage (DKL09, DGKPV10). Continual memory-leakage: all the memory leaks, total leakage unbounded (BKKV10, DHLW10, BSW11, LRW11, LLW11, DLWW11).

15 Leakage model: the adversary is allowed to learn (adaptively) the values of some leakage functions, chosen by her, on the internal state of the cryptographic scheme.

16 Examples of assumptions (1/2). Bounded-Retrieval Model and "Memory Attacks" [AGV09]: the adversary applies an input-shrinking function Λ to the secret state S and learns Λ(S). "Probing Attacks" [ISW03]: the scheme is a boolean circuit and the adversary can learn the values on up to t wires.

17 Examples of assumptions (2/2). [FRRTV10, DDV10]: the leakage function Λ is input-shrinking and of low complexity, and the adversary learns Λ(S). [MR04, DP08, DDV10]: the state is split into two parts S0 and S1, each leakage function is input-shrinking and is applied to one part only, so the adversary learns Λ(S0) and Λ(S1) separately.

18 General goal: design models that are realistic (i.e. they correspond to real-life adversaries) and that still allow one to construct secure schemes; there is a tradeoff between the two.

19 Outline: 1. Introduction and motivations; 2. Leakage-Resilient Storage; 3. Authenticated Key Exchange protocol in the Bounded-Retrieval Model.

20 Contribution: Leakage-Resilient Storage, an encoding scheme to securely store data on hardware that may leak information. Pros: information-theoretic solution. Cons: the analysis of concrete parameters does not seem to allow for efficient feasibility in practice.

21 Leakage-Resilient Storage: a message m is stored as Enc(m) and recovered with Dec; note that there is no secret key. The adversary, computationally unbounded, chooses (adaptively) t functions Λ_1, ..., Λ_t with Λ_i: {0,1}^|Enc(m)| → {0,1}^λ_i in a family Γ and retrieves the λ_i output bits of each; the total leakage is < λ, which is very realistic. Dec itself cannot be allowed in Γ, so the functions in Γ must be input-shrinking: λ < |Enc(m)|. Related notion: All-Or-Nothing Transform, where it should be hard to reconstruct a message if not all the bits of its encoding are known.

22 Security definition: a scheme (Enc, Dec) is secure if for every m_0, m_1 no adversary can distinguish Enc(m_0) from Enc(m_1); we will require that m_0, m_1 are chosen by the adversary.

23 Adversary model. Consider encodings of the form Enc(m) := (Rand, f(Rand) ⊕ m). The (full) adversary applies Λ_i to the whole encoding and learns Λ_i(Rand, f(Rand) ⊕ m) = Λ_i(Enc(m)); the weak adversary applies Λ'_i to the randomness only and learns Λ'_i(Rand).

24 Lemma: for any family of functions Γ, if an encoding scheme is secure against the weak adversary (leakage on Rand only) then it is also secure against the full adversary (leakage on Enc(m)), with a security loss of 2^α, where α is the length of the message.

25 Problem: for a fixed family Γ, how to construct a secure (Enc, Dec)? Two cases are handled. First case: each leakage function can depend only on some restricted part of the memory; tool: randomness extractors. Second case: the cardinality of Γ is restricted; tool: k-wise independent hash functions.

26 Two-source extractor: a deterministic function Ext that takes two independent random sources, each possibly far from uniform but with a lot of min-entropy, and outputs an extracted string that is almost uniformly random.

27 Construction for memory divided into two parts M0 and M1 (recall: each leakage function can depend only on some restricted part of the memory). Store a random R0 in M0 and a random R1 in M1, and set Enc(m) := (R0, R1, Ext(R0, R1) ⊕ m) and Dec(R0, R1, m*) := Ext(R0, R1) ⊕ m*.

28 Proof idea: it suffices to show that (Enc, Dec) is secure against every weak adversary, who leaks only from the randomness (R0, R1) of Enc(m) := (R0, R1, Ext(R0, R1) ⊕ m). One can prove that even given Λ'_1(R_i), ..., Λ'_t(R_i), each applied to a single part R_i, the two parts R0 and R1 are still independent and still have high min-entropy (with high probability), so the extracted string Ext(R0, R1) remains almost uniform and masks m.

29 Problem (second case): for a fixed family Γ whose cardinality is restricted, how to construct a secure (Enc, Dec)? Tool: k-wise independent hash functions.

30 k-wise independent hash functions: a family H = {h_s: X → Y}_{s ∈ I} is k-wise independent if, for a uniformly random S ∈ I and any k distinct inputs x_1, ..., x_k ∈ X, the values h_S(x_1), ..., h_S(x_k) are uniform over Y and jointly independent.

31 Construction for Γ of restricted cardinality (recall), e.g. the set of functions computable by Boolean circuits of a fixed small size. Let H = {h_s: X → Y}_{s ∈ I} be k-wise independent and let R ∈ X be random. Enc_s(m) := (R, h_s(R) ⊕ m) and Dec_s(R, m*) := h_s(R) ⊕ m*.
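Both encodings, the two-part construction of slide 27 and the hash-based one of slide 31, as an added example that is not code from the thesis: messages are elements of a prime field Z_p so that ⊕ becomes addition mod p, the two-source extractor is assumed to be the inner product over Z_p^N, and the k-wise independent family is assumed to be the polynomials of degree below k over Z_p keyed by their random coefficients; the leakage oracle enforces the two constraints of the model, one memory part per leakage function and a total budget below λ.

```python
import secrets

P = (1 << 61) - 1   # constructed: a Mersenne prime; messages are elements of Z_p
N = 8               # constructed: length of each memory half as a vector over Z_p

def rand_vec(n):
    return [secrets.randbelow(P) for _ in range(n)]

def ext(r0, r1):
    """Two-source extractor (assumption: inner product over Z_p^N)."""
    return sum(a * b for a, b in zip(r0, r1)) % P

# Slide 27: memory split into M0 and M1, Enc(m) = (R0, R1, Ext(R0,R1) + m).
def enc_split(m):
    r0, r1 = rand_vec(N), rand_vec(N)
    return {"M0": r0, "M1": r1, "c": (ext(r0, r1) + m) % P}

def dec_split(code):
    return (code["c"] - ext(code["M0"], code["M1"])) % P

def leak_split(code, part, lam, budget):
    """Leakage oracle of the restricted-memory model: a weak-adversary
    function Λ'_i may read only M0 or M1, never the masked message, and
    the total number of leaked bits must stay within λ. `lam` returns a
    string of '0'/'1'; `budget` is a one-element list of remaining bits."""
    if part not in ("M0", "M1"):
        raise ValueError("each leakage function sees one memory part only")
    out = lam(code[part])
    if len(out) > budget[0]:
        raise ValueError("total leakage budget exceeded")
    budget[0] -= len(out)
    return out

# Slide 31: Γ of small cardinality, Enc_s(m) = (R, h_s(R) + m) with a
# k-wise independent family (assumption: polynomials of degree < k over Z_p,
# keyed by their k random coefficients s).
def keygen_hash(k):
    return rand_vec(k)

def h(s, r):
    acc = 0
    for coef in reversed(s):   # Horner: s[0] + s[1]*r + ... + s[k-1]*r^(k-1)
        acc = (acc * r + coef) % P
    return acc

def enc_hash(s, m):
    r = secrets.randbelow(P)
    return (r, (h(s, r) + m) % P)

def dec_hash(s, code):
    r, c = code
    return (c - h(s, r)) % P
```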

32 Outline: 1. Introduction and motivations; 2. Leakage-Resilient Storage; 3. Authenticated Key Exchange protocol in the Bounded-Retrieval Model.

33 Contribution: AKE protocol in the BRM. Setting: Client and Server share a huge random file, and the attacker can retrieve a large portion of it. An Authenticated Key Exchange (AKE) protocol provides Client and Server with a short shared key, with client-to-server authentication and security against active attackers. Pros: protocol analysis plus an efficient implementation. Cons: Random Oracle model.

34 Key Exchange protocol: CLIENT and SERVER run a key exchange protocol and obtain a shared key. Problem: man-in-the-middle attack. Solution: authentication.

35 Authentication: CLIENT and SERVER share a password and run a Password-based Authenticated Key Exchange protocol, built on top of a key exchange protocol, to obtain the key.

36 AKE: a general paradigm (Cash, Ding, Dodis, Lee, Lipton and Walfish, "Intrusion-resilient key exchange in the Bounded Retrieval Model", TCC 2007). CLIENT and SERVER first run a Weak Key Exchange protocol that yields a password (low entropy, human memorizable), then a Password-based Authenticated Key Exchange protocol that yields the key. The Universally-Composable Password-based Authenticated Key Exchange protocol used there cannot be implemented in the standard model.

37 Contribution: new AKE protocol in the BRM. Setup: a long shared secret random file F; the adversary applies an input-shrinking function Λ to F, learns Λ(F), and is active over the channel. CLIENT and SERVER run a Weak Key Exchange protocol giving a password, then a Universally-Composable Password-based Authenticated Key Exchange protocol giving a key that is indistinguishable from random. Analysed in the Random Oracle model; implemented using the OpenSSL crypto library.

38 Contribution: Weak Key Exchange protocol (1/3). Setup: long shared secret random file F; the adversary gets Λ(F) and is active over the channel. CLIENT and SERVER run the Weak Key Exchange protocol to obtain a password. We prove that even given Λ(F) the password has high min-entropy (with high probability), i.e. H∞(Password | Λ(F)) is high: the shared passwords are individually unpredictable for the adversary.

39 Contribution: Weak Key Exchange protocol (2/3). Setup: long shared secret random file F. CLIENT chooses random indexes IDX_CLIENT and SERVER chooses random indexes IDX_SERVER; they exchange the indexes and each creates the password by concatenating the corresponding bits of F. Drawback: the index lists are several large numbers.

40 Contribution: Weak Key Exchange protocol (3/3). Setup: long shared secret random file F; public parameter: a cryptographic hash function H. CLIENT chooses a random short SEED_CLIENT, SERVER chooses a random short SEED_SERVER, and they exchange the two seeds. Both then calculate the indexes IDX_i = H(i|SEED), i.e. IDX_CLIENT_i = H(i|SEED_CLIENT) and IDX_SERVER_i = H(i|SEED_SERVER), and create the password from the bits of F at those positions. In the Random Oracle model the password is unpredictable even given Λ(F). [Figure: the bit string F with the selected bit positions highlighted.]
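The seed-based Weak Key Exchange of slides 39 and 40 as an added example, not the thesis' OpenSSL implementation: H is assumed to be SHA-256, the index i is assumed to be encoded as a 4-byte big-endian integer and the digest reduced modulo the bit length of F, and both parties use t indexes each; `unknown_bits` is an added helper that counts how many password bits fall outside a prefix of F revealed by a leakage Λ(F).

```python
import hashlib
import secrets

def idx(i, seed, nbits):
    """IDX_i = H(i | SEED), reduced to a bit position inside F."""
    d = hashlib.sha256(i.to_bytes(4, "big") + seed).digest()
    return int.from_bytes(d, "big") % nbits

def get_bit(f, pos):
    """Bit `pos` of the file F, most significant bit of each byte first."""
    return (f[pos // 8] >> (7 - pos % 8)) & 1

def positions(f, seed_client, seed_server, t):
    """IDX_CLIENT (t positions from SEED_CLIENT) followed by IDX_SERVER."""
    nbits = len(f) * 8
    return ([idx(i, seed_client, nbits) for i in range(t)]
            + [idx(i, seed_server, nbits) for i in range(t)])

def password(f, seed_client, seed_server, t):
    """Concatenate the bits of F at the 2t chosen positions."""
    pos = positions(f, seed_client, seed_server, t)
    return "".join(str(get_bit(f, p)) for p in pos)

def wke_session(f, t=64):
    """One run of the WKE: each side draws a short random seed and sends it;
    after the exchange both hold SEED_CLIENT and SEED_SERVER and derive the
    same password without any bit of F crossing the channel."""
    seed_client = secrets.token_bytes(16)   # chosen and sent by the client
    seed_server = secrets.token_bytes(16)   # chosen and sent by the server
    return (password(f, seed_client, seed_server, t),   # computed by the client
            password(f, seed_client, seed_server, t))   # computed by the server

def unknown_bits(pos, leaked_prefix_bits):
    """Password bits outside a leakage Λ(F) that revealed the first
    `leaked_prefix_bits` bits of F, i.e. bits the adversary must still guess
    (a crude stand-in for the min-entropy statement on slide 38)."""
    return sum(1 for p in pos if p >= leaked_prefix_bits)
```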

41 AKE: a general paradigm (recalled): CLIENT and SERVER run the Weak Key Exchange protocol to get a password, then the Universally-Composable Password-based Authenticated Key Exchange protocol to get the key.

42 UC Password-based AKE protocol: Abdalla, Catalano, Chevalier and Pointcheval, "Efficient two-party password-based key exchange protocols in the UC framework", CT-RSA 2008. A (modified) Diffie-Hellman key exchange with no assumptions on the distribution of the passwords; one flow is encrypted under the password; two cryptographic hash functions are used, one to compute the secret key and one to provide authentication.

43 Forward security. Setup: long shared secret random file F. CLIENT and SERVER run the Weak Key Exchange protocol (password) and the Universally-Composable Password-based Authenticated Key Exchange protocol (key). The adversary gets Λ(F) during the protocol and later the whole file F: is the key still secure, given that it came from a Diffie-Hellman key exchange encrypted with the password??

44 Experimental results. Parameters: security parameter, leakage, shared file size, and t = number of indexes. Running time evaluated experimentally on an Intel(R) Core(TM) i5-2410M CPU @ 2.30GHz with 4GB of RAM, under the 64-bit version of Ubuntu 11.04.

45 Number of indexes (plot).

46 PAKE protocol running time (plot).

47 WKE protocol running time (plot).

48 Thank you!

49 Main idea of this line of research: to achieve security one assumes that the power of the adversary during the "physical attack" is "limited in some way"; this assumption should be justified by some physical characteristics of the device.

50 Security definition. Let Enc: {0,1}^α → {0,1}^β and Dec: {0,1}^β → {0,1}^α. Game between adversary and oracle: the adversary chooses m_0, m_1 ∈ {0,1}^α and sends them; the oracle chooses a random b ∈ {0,1} and calculates τ := Enc(m_b); for i = 1, ..., t the adversary chooses Λ_i: {0,1}^β → {0,1}^λ_i in Γ and the oracle calculates and returns Λ_i(τ); finally the adversary outputs b' and wins if b' = b. (Enc, Dec) is (Γ, λ, t, ε)-secure if no adversary wins the game with probability greater than 1/2 + ε; ε is the advantage.

51 Lemma: for any Γ, λ, t and ε, if an encoding scheme is (Γ, λ, t, ε)-secure against the weak adversary then it is also (Γ, λ, t, ε · 2^α)-secure against the full adversary, where α is the length of the message.

52 Proof idea. Consider a full adversary that wins with advantage δ = ε · 2^α. Construct a weak adversary that simulates it, replacing f(Rand) ⊕ m with a random string z ∈ {0,1}^α; the simulation costs a factor 2^-α, so the weak adversary wins with advantage δ · 2^-α = ε.

53 Diffie-Hellman Key Exchange. Setup: finite cyclic group G = ⟨g⟩ of order a prime number p. CLIENT: a ← [p-1], A ← g^a mod p, sends A. SERVER: b ← [p-1], B ← g^b mod p, sends B. CLIENT computes K = B^a mod p and SERVER computes K = A^b mod p; both obtain g^ab mod p.

54 Man-in-the-middle attack. Setup: finite cyclic group G = ⟨g⟩ of order a prime number p. CLIENT: a ← [p-1], A ← g^a mod p. SERVER: b ← [p-1], B ← g^b mod p. The attacker chooses e ← [p-1], E ← g^e mod p, and delivers E in place of A and of B. CLIENT computes K = E^a mod p and SERVER computes K = E^b mod p, while the attacker computes K_C = A^e mod p and K_S = B^e mod p, sharing a key with each side. They need authentication!

55 UC Password-based AKE protocol. Setup: finite cyclic group G = ⟨g⟩ of order a prime number p; CLIENT and SERVER share Pwd. CLIENT: a ← [p-1], A ← g^a mod p, sends A. SERVER: b ← [p-1], B ← g^b mod p, sends ENC_Pwd(B). CLIENT: B = DEC_Pwd(ENC_Pwd(B)), DH_C = B^a mod p, KEY_C = H_0(Pwd|DH_C), AUTH = H_1(Pwd|DH_C), sends AUTH. SERVER: DH_S = A^b mod p; if AUTH = H_1(Pwd|DH_S) then KEY_S = H_0(Pwd|DH_S), else ERROR.
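The exchange on slide 55 as an added example, not the thesis' OpenSSL implementation: the group is a constructed toy (modulus 2^61-1, generator 3, far too small for real use), H_0 and H_1 are assumed to be domain-separated SHA-256, and ENC_Pwd is assumed to be multiplication by a password-derived group element as a stand-in for the protocol's password-keyed encryption; `run` also lets a caller replace A on the wire to see the slide-54 man-in-the-middle rejected by the AUTH check.

```python
import hashlib
import hmac
import secrets

P = (1 << 61) - 1   # constructed toy prime modulus; not a secure size
G = 3               # constructed toy generator

def H(tag, *parts):
    """H_0 / H_1 (and the masking hash) as domain-separated SHA-256."""
    return hashlib.sha256(tag.encode() + b"|".join(parts)).digest()

def ib(x):
    """Group element to bytes so that it can be hashed (elements are < 2^61)."""
    return x.to_bytes(8, "big")

def mask(pwd):
    """Password-derived group element; assumption: ENC_Pwd multiplies by it."""
    e = int.from_bytes(H("mask", pwd), "big") % (P - 1) + 1
    return pow(G, e, P)

def enc_pwd(pwd, b_elem):
    return (b_elem * mask(pwd)) % P

def dec_pwd(pwd, c):
    return (c * pow(mask(pwd), -1, P)) % P

def client_start():
    a = secrets.randbelow(P - 2) + 1
    return a, pow(G, a, P)                         # a <- [p-1], A = g^a

def server_respond(pwd, A):
    b = secrets.randbelow(P - 2) + 1                # b <- [p-1], B = g^b
    dh_s = pow(A, b, P)                             # DH_S = A^b
    return dh_s, enc_pwd(pwd, pow(G, b, P))         # flow sent: ENC_Pwd(B)

def client_finish(pwd, a, c):
    B = dec_pwd(pwd, c)                             # B = DEC_Pwd(ENC_Pwd(B))
    dh_c = pow(B, a, P)                             # DH_C = B^a
    return H("H0", pwd, ib(dh_c)), H("H1", pwd, ib(dh_c))   # KEY_C, AUTH

def server_finish(pwd, dh_s, auth):
    """Client-to-server authentication: accept only if AUTH matches."""
    if not hmac.compare_digest(auth, H("H1", pwd, ib(dh_s))):
        return None                                 # ERROR
    return H("H0", pwd, ib(dh_s))                   # KEY_S

def run(pwd_client, pwd_server, tamper=None):
    """Full exchange; `tamper`, if given, replaces A on the wire as the
    man-in-the-middle of slide 54 would. Returns (KEY_C, KEY_S or None)."""
    a, A = client_start()
    dh_s, c = server_respond(pwd_server, tamper(A) if tamper else A)
    key_c, auth = client_finish(pwd_client, a, c)
    return key_c, server_finish(pwd_server, dh_s, auth)
```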


68 Efficiency. File size vs. number of bits used by the parties: 1 Gb, 50 Kb; 10 Gb, 55 Kb; 100 Gb, 60 Kb. Even if the adversary retrieves 99% of the huge shared secret file, the parties only have to use a small portion of the file to provide security.
