stronger security bounds standard polynomial evaluation
play

Stronger security bounds Standard polynomial-evaluation for - PowerPoint PPT Presentation

Sep 05, 2022 •437 likes •716 views

Stronger security bounds Standard polynomial-evaluation for Wegman-Carter-Shoup MAC: sender sends ) + authenticators (1 1 ( 1 ); 1 ) + (2 2 ( 2 ); 2 D. J. Bernstein

  1. � � � � � ✁ � � � � � � Stronger security bounds Standard polynomial-evaluation for Wegman-Carter-Shoup MAC: sender sends ✁ ) + authenticators (1 1 ( ✂ 1 ); 1 ✁ ) + (2 2 ( ✂ 2 ); 2 D. J. Bernstein ✁ ) + (3 3 ( ✂ 3 ). 3 Thanks to: 3 : polynomials over ; 1 2 University of Illinois at Chicago 2 16 ; univariate; degree NSF CCR–9983950 constant coefficient 0. Alfred P. Sloan Foundation ✂ 3 : elements of ; ✂ 1 ✂ 2 secret; known to sender, receiver. : field of size 2 128 .

  2. � � � � � � � ✁ � � � � � ✂ � ✂ � � � ✁ bounds Standard polynomial-evaluation Wegman-Carter version: rter-Shoup MAC: sender sends ( ✂ 3 ) is a unifo ✂ 1 ✂ 2 ✁ ) + (1 1 ( ✂ 1 ); random element of 1 ✁ ) + 2 512 possibilities, (2 2 ( ✂ 2 ); 2 ✁ ) + (3 3 ( ✂ 3 ). each equally likely. 3 3 : polynomials over ; Wegman-Carter-Shoup 1 2 Illinois at Chicago 2 16 ; univariate; degree ✂ 1 = ✂ 2 ; ✂ 1 = ✂ 3 ; CCR–9983950 constant coefficient 0. otherwise uniform. Foundation 2 256 (2 128 1)(2 128 ✂ 3 : elements of ; ✂ 1 ✂ 2 possibilities, each equally secret; known to sender, receiver. How secure are these : field of size 2 128 .

  3. � � � � ✁ � � � ✁ � � � � � � � � � Standard polynomial-evaluation Wegman-Carter version: MAC: sender sends ( ✂ 3 ) is a uniform ✂ 1 ✂ 2 ✁ ) + 4 . (1 1 ( ✂ 1 ); random element of 1 ✁ ) + 2 512 possibilities, (2 2 ( ✂ 2 ); 2 ✁ ) + (3 3 ( ✂ 3 ). each equally likely. 3 3 : polynomials over ; Wegman-Carter-Shoup version: 1 2 2 16 ; univariate; degree ✂ 1 = ✂ 2 ; ✂ 1 = ✂ 3 ; ✂ 2 = ✂ 3 ; constant coefficient 0. otherwise uniform. 2 256 (2 128 1)(2 128 2) ✂ 3 : elements of ; ✂ 1 ✂ 2 possibilities, each equally likely. secret; known to sender, receiver. How secure are these MACs? : field of size 2 128 .

  4. ✁ � � ✂ � ✂ ✁ � � � � � ✁ � � � � � ✁ ✁ ✂ ✁ � � � � ✁ � � � ✁ � � ✂ ✁ ✂ � � � ✁ � � � olynomial-evaluation Wegman-Carter version: Standard security b sends ( ✂ 3 ) is a uniform for Wegman-Carter: ✂ 1 ✂ 2 4 . ✂ 1 ); random element of “Authenticators reveal 2 512 possibilities, ✂ 2 ); no information about ✂ 3 ). each equally likely. Conditional distribution olynomials over ; Wegman-Carter-Shoup version: � 1 ), (2 given (1 1 2 16 ; degree ✂ 1 = ✂ 2 ; ✂ 1 = ✂ 3 ; ✂ 2 = ✂ 3 ; � 3 ), is unifo (3 3 efficient 0. otherwise uniform. There are 2 128 possible 2 256 (2 128 1)(2 128 2) elements of ; each consistent with possibilities, each equally likely. sender, receiver. unique choice of How secure are these MACs? ✁ ), � 2 128 . ✂ 2 = 2 (

  5. � � ✁ � � � � � � � � � � � � Wegman-Carter version: Standard security bounds ( ✂ 3 ) is a uniform for Wegman-Carter: ✂ 1 ✂ 2 4 . random element of “Authenticators reveal 2 512 possibilities, ✁ .” no information about each equally likely. ✁ , Conditional distribution of Wegman-Carter-Shoup version: � 1 ), (2 � 2 ), given (1 1 2 ✂ 1 = ✂ 2 ; ✂ 1 = ✂ 3 ; ✂ 2 = ✂ 3 ; � 3 ), is uniform. (3 3 otherwise uniform. ✁ ’s, There are 2 128 possible 2 256 (2 128 1)(2 128 2) each consistent with a possibilities, each equally likely. ✁ ), � 1 unique choice of ✂ 1 = 1 ( How secure are these MACs? ✁ ), ✁ ). � 2 � 3 ✂ 2 = 2 ( ✂ 3 = 3 (

  6. � ✁ � � � � � � � � � � � � ✁ � ✂ � � � ✂ � ✂ � ✂ � ✂ � � � ✁ ✂ ✂ � version: Standard security bounds Say attacker attempts � ) with a uniform for Wegman-Carter: (1 = 4 . of (0) = 0; degree “Authenticators reveal ossibilities, ✁ .” no information about Forgery is successful ely. � = ✁ ) + ( ✁ , ✂ 1 Conditional distribution of � = ✁ ) + � 1 rter-Shoup version: ( � 1 ), (2 � 2 ), given (1 1 2 ; ✂ 2 = ✂ 3 ; is a root of � 3 ), is uniform. (3 3 rm. � 1 1 + ✁ ’s, There are 2 128 possible 128 2) polynomial of degree each consistent with a each equally likely. 2 16 roots. so it has ✁ ), � 1 unique choice of ✂ 1 = 1 ( these MACs? ✁ ), ✁ ). � 2 � 3 ✂ 2 = 2 ( ✂ 3 = 3 ( Attempted forgery 2 16 2 128 chance

  7. � � � � � � � � � � � � ✁ � � � � � Standard security bounds Say attacker attempts forgery � ) with for Wegman-Carter: (1 = 1 ; 2 16 . (0) = 0; degree “Authenticators reveal ✁ .” no information about Forgery is successful � = ✁ ) + ( ✁ , ✂ 1 Conditional distribution of � = ✁ ) + ✁ ) � 1 ( 1 ( � 1 ), (2 � 2 ), given (1 � . 1 2 � 1 is a root of 1 + � 3 ), is uniform. (3 3 � 1 1 + is a nonzero ✁ ’s, There are 2 128 possible 2 16 polynomial of degree each consistent with a 2 16 roots. so it has ✁ ), � 1 unique choice of ✂ 1 = 1 ( ✁ ), ✁ ). � 2 � 3 ✂ 2 = 2 ( ✂ 3 = 3 ( Attempted forgery has 2 16 2 128 chance of success.

  8. � � � � � ✂ � � ✁ � � � � � � � � � � � ✁ � � y bounds Say attacker attempts forgery Original security bounds � ) with rter: (1 = 1 ; for Wegman-Carter-Shoup: 2 16 . (0) = 0; degree “Authenticators reveal reveal very little information ✁ .” about Forgery is successful (1996 Shoup) � = ✁ ) + ( ✁ , ✂ 1 distribution of � = ✁ ) + ✁ ) � 1 ( 1 ( Stronger security b � 2 ), ), (2 � . 2 � 1 is a root of 1 + for Wegman-Carter-Shoup: uniform. “Wegman-Carter-Shoup � 1 1 + is a nonzero ✁ ’s, ossible identical to Wegman-Ca 2 16 polynomial of degree with a (bounds, 2004.10 Bernstein; 2 16 roots. so it has ✁ ), � 1 ✂ 1 = 1 ( this proof, 2005.03 ✁ ), ✁ ). � 3 ✂ 3 = 3 ( Attempted forgery has Warning: carelessness 2 16 2 128 chance of success. weaker (“game-pla

  9. � � � � � � � ✁ � Say attacker attempts forgery Original security bounds � ) with (1 = 1 ; for Wegman-Carter-Shoup: 2 16 . (0) = 0; degree “Authenticators reveal ✁ .” very little information about Forgery is successful (1996 Shoup) � = ✁ ) + ( ✂ 1 � = ✁ ) + ✁ ) � 1 ( 1 ( Stronger security bounds � . � 1 is a root of 1 + for Wegman-Carter-Shoup: “Wegman-Carter-Shoup is almost � 1 1 + is a nonzero identical to Wegman-Carter.” 2 16 polynomial of degree (bounds, 2004.10 Bernstein; 2 16 roots. so it has this proof, 2005.03 Bernstein) Attempted forgery has Warning: carelessness leads to 2 16 2 128 chance of success. weaker (“game-playing”) bounds.

  10. � � � � � � � � ✂ � � ✁ � � � ✁ ✁ � ✂ ✁ � � ✁ ✂ � ✁ � � ✂ attempts forgery Original security bounds Fix a deterministic = 1 ; for Wegman-Carter-Shoup: generates 1 ; sees 2 16 . degree “Authenticators reveal generates 2 ; sees ✁ .” very little information about generates 3 ; sees successful (1996 Shoup) generates forgery attempt � ) with ( ✁ ) 1 ( Stronger security bounds = ✁ , (0) = � . � 1 1 + for Wegman-Carter-Shoup: “Wegman-Carter-Shoup is almost (Generalizations: randomized is a nonzero identical to Wegman-Carter.” variable # of chosen 2 16 degree (bounds, 2004.10 Bernstein; arbitrary order of nonces; roots. this proof, 2005.03 Bernstein) variable # of forgery rgery has Warning: carelessness leads to chance of success. weaker (“game-playing”) bounds.

  11. � � � � Original security bounds Fix a deterministic attack that ✁ ) + for Wegman-Carter-Shoup: generates 1 ; sees 1 ( ✂ 1 ; ✁ ) + “Authenticators reveal generates 2 ; sees 2 ( ✂ 2 ; ✁ .” ✁ ) + very little information about generates 3 ; sees 3 ( ✂ 3 ; (1996 Shoup) generates forgery attempt � ) with � 2 � 3 , ( 1 Stronger security bounds 2 16 . = ✁ , (0) = 0, deg for Wegman-Carter-Shoup: “Wegman-Carter-Shoup is almost (Generalizations: randomized ; identical to Wegman-Carter.” variable # of chosen messages; (bounds, 2004.10 Bernstein; arbitrary order of nonces; this proof, 2005.03 Bernstein) variable # of forgery attempts.) Warning: carelessness leads to weaker (“game-playing”) bounds.

  12. ✂ � � ✂ ✂ � � ✁ ✂ � � ✂ � � bounds Fix a deterministic attack that Apply to Wegman-Ca ✁ ) + rter-Shoup: generates 1 ; sees 1 ( ✂ 1 ; � = ✁ ) + Pr[ ( ✁ ] ✁ ) + reveal generates 2 ; sees 2 ( ✂ 2 ; Proved this earlier. ✁ .” ✁ ) + rmation about generates 3 ; sees 3 ( ✂ 3 ; 3 : For each generates forgery attempt � ) with conditional probabilit � 2 � 3 , ( 1 bounds � = ✁ ) + that ( 2 16 . = ✁ , (0) = 0, deg rter-Shoup: given that ( ✂ 1 ✂ 2 rter-Shoup is almost (Generalizations: randomized ; � = ✁ ) + Pr[ ( ✁ ] egman-Carter.” variable # of chosen messages; = Pr[( 2004.10 Bernstein; arbitrary order of nonces; ✂ 1 ✂ 2 � 384 ( ). = 2 2005.03 Bernstein) variable # of forgery attempts.) � 384 ( Thus 2 relessness leads to (“game-playing”) bounds.

Recommend

Stronger Connections Between Circuit Analysis and Circuit Lower Bounds, via PCPs of Proximity

Stronger Connections Between Circuit Analysis and Circuit Lower Bounds, via PCPs of Proximity

Stronger Connections Between Circuit Analysis and Circuit Lower Bounds, via PCPs of Proximity Lijie Chen Ryan Williams Context: The Algorithmic Method for Proving Circuit Lower Bounds Proving limitations on non-uniform circuits is extremely

796 views • 31 slides
Polynomial Identity Testing and Circuit Lower Bounds Robert Spalek, CWI based on papers by

Polynomial Identity Testing and Circuit Lower Bounds Robert Spalek, CWI based on papers by

Polynomial Identity Testing and Circuit Lower Bounds Robert Spalek, CWI based on papers by Nisan & Wigderson, 1994 Kabanets & Impagliazzo, 2003 1 Randomised algorithms For some problems (polynomial identity testing) we know an

304 views • 15 slides
Private Outsourcing of Polynomial Evaluation and Matrix Multiplication using Multilinear Maps

Private Outsourcing of Polynomial Evaluation and Matrix Multiplication using Multilinear Maps

Private Outsourcing of Polynomial Evaluation and Matrix Multiplication using Multilinear Maps Liang Feng Zhang, Reihaneh Safavi-Naini Institute for Security, Privacy and Information Assurance Department of Computer Science University of

197 views • 19 slides
IT Security Evaluation Why do we need security evaluation To provide a basis for specifying

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying

IT Security Evaluation Why do we need security evaluation To provide a basis for specifying security expectations To verify that a computer product/system fulfills the requirements imposed on it To establish a metric for the degree

535 views • 19 slides
Non-commutative computations: lower bounds and polynomial identity testing Guillaume Malod Joint

Non-commutative computations: lower bounds and polynomial identity testing Guillaume Malod Joint

Non-commutative computations: lower bounds and polynomial identity testing Guillaume Malod Joint work with G. Lagarde, S. Perifel IMSc Workshop on Arithmetic Complexity March 1st, 2017 Table of contents 1. Introduction 2. Nisans results

1.14k views • 44 slides
Stronger guarantees for standard-library com- ponents Jyrki Katajainen (University of Copenhagen)

Stronger guarantees for standard-library com- ponents Jyrki Katajainen (University of Copenhagen)

Stronger guarantees for standard-library com- ponents Jyrki Katajainen (University of Copenhagen) Main external sources: British Standards Institute, The C ++ Standard: Incorporating Tech- nical Corrigendum 1 , BS ISO/IEC 14882:2003 (2nd Ed.),

475 views • 35 slides
How to multiply big integers Standard idea: Use polynomial with coefficients in { 0 ; 1 ; : : : ;

How to multiply big integers Standard idea: Use polynomial with coefficients in { 0 ; 1 ; : : : ;

1 How to multiply big integers Standard idea: Use polynomial with coefficients in { 0 ; 1 ; : : : ; 9 } to represent integer in radix 10. Example of representation: 839 = 8 10 2 + 3 10 1 + 9 10 0 = value (at t = 10) of polynomial 8 t 2

447 views • 29 slides
Polynomial bounds for decoupling, with applications Ryan ODonnell, Yu Zhao Carnegie Mellon

Polynomial bounds for decoupling, with applications Ryan ODonnell, Yu Zhao Carnegie Mellon

Polynomial bounds for decoupling, with applications Ryan ODonnell, Yu Zhao Carnegie Mellon University Block-multilinearity A homogeneous polynomial function with degree is Block-multilinear Block-multilinearity A homogeneous

604 views • 34 slides
On Multi-Domain Polynomial Interpolation Error Bounds S AMUEL M UTUA , P ROF . S.S. M OTSA The 40

On Multi-Domain Polynomial Interpolation Error Bounds S AMUEL M UTUA , P ROF . S.S. M OTSA The 40

Aim Error bound theorems Numerical experiment Results Conclusions On Multi-Domain Polynomial Interpolation Error Bounds S AMUEL M UTUA , P ROF . S.S. M OTSA The 40 th South African Symposium of Numerical and Applied Mathematics 22 - 24 March

728 views • 25 slides
The Complexity of Privacy and Polynomial Approxima7ons or: How

The Complexity of Privacy and Polynomial Approxima7ons or: How

The Complexity of Privacy and Polynomial Approxima7ons or: How I Learned to Stop Worrying and Love Lower Bounds Mark Bun, Harvard January 11, 2016

399 views • 7 slides
On the Influence of Message Length in PMACs Security Bounds Atul Luykx 1 Bart Preneel 1 Alan

On the Influence of Message Length in PMACs Security Bounds Atul Luykx 1 Bart Preneel 1 Alan

On the Influence of Message Length in PMACs Security Bounds Atul Luykx 1 Bart Preneel 1 Alan Szepieniec 1 Kan Yasuda 2 1 COSIC, KU Leuven, Belgium 2 NTT Secure Platform Laboratories, Japan May 11, 2016 1 Security Bounds Factors: 1.

877 views • 64 slides
Polynomial bounds for decoupling, with applica8ons Ryan ODonnell, Yu Zhao Carnegie Mellon

Polynomial bounds for decoupling, with applica8ons Ryan ODonnell, Yu Zhao Carnegie Mellon

Polynomial bounds for decoupling, with applica8ons Ryan ODonnell, Yu Zhao Carnegie Mellon University Boolean func8ons f :{ 1,1} n ! if at least two inputs are 1 = 1 Maj 3 ( x 1 , x 2 , x 3 ) if at least two inputs are -1

1.26k views • 50 slides
Why do we need security evaluation To provide a basis for specifying security expectations

Why do we need security evaluation To provide a basis for specifying security expectations

Why do we need security evaluation To provide a basis for specifying security expectations IT Security Evaluation To verify that a computer product/system fulfills the requirements imposed on it To establish a metric for the degree

70 views • 4 slides
Some Consequences about Oblivious Polynomial Evaluation from Existence of the Homomorphic and Non

Some Consequences about Oblivious Polynomial Evaluation from Existence of the Homomorphic and Non

Some Consequences about Oblivious Polynomial Evaluation from Existence of the Homomorphic and Non Committing Encryption Chunhua Su*, Tadashi Araragi $ , Takashi Nishide *, Kouichi Sakurai* *Department of Computer Science and Communication

260 views • 6 slides
Stronger guarantees for standard-library containers Jyrki Katajainen (University of Copenhagen)

Stronger guarantees for standard-library containers Jyrki Katajainen (University of Copenhagen)

Stronger guarantees for standard-library containers Jyrki Katajainen (University of Copenhagen) These slides are available at http://www.cphstl.dk Performance Engineering Laboratory c Talk at Mathematisches Forchungsinstitut Oberwolfach, May

574 views • 21 slides
Automatic Synthesis of Fast and Certified Code for Polynomial Evaluation through the example of

Automatic Synthesis of Fast and Certified Code for Polynomial Evaluation through the example of

ANR MetaLibm kick-off meeting Lyon, 22 January, 2014 Automatic Synthesis of Fast and Certified Code for Polynomial Evaluation through the example of the CGPE tool Guillaume Revy quipe-projet DALI, Univ. Perpignan Via Domitia LIRMM, CNRS:

570 views • 30 slides
Salvaging Weak Security Bounds for Blockcipher-based Constructions Thomas Shrimpton (University

Salvaging Weak Security Bounds for Blockcipher-based Constructions Thomas Shrimpton (University

Salvaging Weak Security Bounds for Blockcipher-based Constructions Thomas Shrimpton (University of Florida) Seth Terashima (Qualcomm Technologies, inc.) What weak bounds? ...from encrypting lots of data Intel Hardware RNG: Single-machine

246 views • 23 slides
BEYOND THE STANDARD COURSE EVALUATION: EFFECTIVE PEER EVALUATION MODELS Moderator: Kelly Hogan

BEYOND THE STANDARD COURSE EVALUATION: EFFECTIVE PEER EVALUATION MODELS Moderator: Kelly Hogan

BEYOND THE STANDARD COURSE EVALUATION: EFFECTIVE PEER EVALUATION MODELS Moderator: Kelly Hogan 9:00 9:55am Associate Dean of Instructional Innovation, College A&S Please feel free to make comments/ask questions via pollev.com/carolina

499 views • 37 slides
INSTITUTIONAL SELF Eligibility Requirements (ERs) EVALUATION Standard I-IV: 128 Standards

INSTITUTIONAL SELF Eligibility Requirements (ERs) EVALUATION Standard I-IV: 128 Standards

College history NAVIGATING Self-evaluation process THE Data INSTITUTIONAL SELF Eligibility Requirements (ERs) EVALUATION Standard I-IV: 128 Standards REPORT Quality Focus Essay (QFE) FALL FLEX SURVEY RESULTS ANONYMOUS AND OPEN TO

482 views • 17 slides
Interactive Verifiable Polynomial Evaluation Saeid Sahraei, Mohammad Ali Maddah-Ali and Salman

Interactive Verifiable Polynomial Evaluation Saeid Sahraei, Mohammad Ali Maddah-Ali and Salman

Interactive Verifiable Polynomial Evaluation Saeid Sahraei, Mohammad Ali Maddah-Ali and Salman Avestimehr ISIT, June 2020 Motivation Cloud computing enables users to delegate computationally heavy tasks to commercial servers. But, how

550 views • 19 slides
ANNUAL GENERAL MEETING 17 MARCH 2011 FY10 Highlights Three consecutive years of security

ANNUAL GENERAL MEETING 17 MARCH 2011 FY10 Highlights Three consecutive years of security

ANNUAL GENERAL MEETING 17 MARCH 2011 FY10 Highlights Three consecutive years of security sales in excess of 1.1m Stronger gross margin of 55% arising on sales of standard security systems Appointment of UK sales manager in May 2010

388 views • 15 slides
Stronger Security Variants of GCMSIV Kazuhiko Minematsu (NEC Corporation) Joint work with

Stronger Security Variants of GCMSIV Kazuhiko Minematsu (NEC Corporation) Joint work with

Stronger Security Variants of GCMSIV Kazuhiko Minematsu (NEC Corporation) Joint work with Tetsu Iwata (Nagoya University) To appear at FSE 2017 Recent Advances in Authenticated Encryption 2016 Kolkata, India 1 NonceBased AE

617 views • 44 slides
NC TEACHER EVALUATION PROCESS NC Standards for Teachers Standard 1: Teachers demonstrate

NC TEACHER EVALUATION PROCESS NC Standards for Teachers Standard 1: Teachers demonstrate

NC TEACHER EVALUATION PROCESS NC Standards for Teachers Standard 1: Teachers demonstrate leadership Standard 2: Teachers establish a respectful environment for a diverse population of students Standard 3: Teachers know the content

321 views • 11 slides
Chapter 1 Linear Programming Paragraph 6 LPs in Polynomial Time What we did so far We

Chapter 1 Linear Programming Paragraph 6 LPs in Polynomial Time What we did so far We

Chapter 1 Linear Programming Paragraph 6 LPs in Polynomial Time What we did so far We developed a standard form in which all linear programs can be formulated. We developed a group of algorithms that solves LPs in that standard form.

558 views • 16 slides

More recommend