This paper constructs an efficient information-theoretically secure non-malleable code for one-bit messages in the split-state model. The code encodes a bit as a pair of vectors (L,R) from a large finite field such that orthogonal vectors encode 0 and non-orthogonal vectors encode 1. Manipulating L and R independently cannot change the encoded bit with probability greater than 1/2, providing security against tampering. This solves an open problem and relies on the inner product being a two-source extractor.
BLIND SIGNATURE SCHEME BASED ON CHEBYSHEV POLYNOMIALSIJNSA Journal
A blind signature scheme is a cryptographic protocol to obtain a valid signature for a message from a signer such that signer’s view of the protocol can’t be linked to the resulting message signature pair.This paper presents blind signature scheme using Chebyshev polynomials. The security of the given scheme depends upon the intractability of the integer factorization problem and discrete logarithms of Chebyshev polynomials.
Message Embedded Cipher Using 2-D Chaotic Mapijccmsjournal
This paper constructs two encryption methods using 2-D chaotic maps, Duffings and Arnold’s cat maps
respectively. Both of the methods are designed using message embedded scheme and are analyzed for
their validity, for plaintext sensitivity, key sensitivity, known plaintext and brute-force attacks. Due to the
less key space generally many chaotic cryptosystem developed are found to be weak against Brute force
attack which is an essential issue to be solved. For this issue, concept of identifiability proved to be a
necessary condition to be fulfilled by the designed chaotic cipher to resist brute force attack, which is a
basic attack. As 2-D chaotic maps provide more key space than 1-D maps thus they are considered to be
more suitable. This work is accompanied with analysis results obtained from these developed cipher.
Moreover, identifiable keys are searched for different input texts at various key values.
On the Usage of Chained Codes in CryptographyCSCJournals
This document summarizes a research paper on using randomized chained linear codes for digital signatures. The summary is:
1) Randomized chained linear codes are proposed to address attacks on previous signature schemes that used regular chained codes. Random vectors are concatenated to the generator matrix of a chained code to create randomized chained codes.
2) A digital signature scheme is presented that uses randomized chained codes. The private key consists of the generator matrix and randomization matrices. The public key is the randomized parity check matrix. Signatures are created using the chain code decoding algorithm.
3) Security analysis shows the scheme is secure if the code length is over 1350 bits, preventing an attacker from determining the private key from the public information
Evaluation of Performance Characteristics of Polynomial based and Lattice bas...IDES Editor
In order to achieve the security for the e-business
application, generally, the organizations follow the
cryptographic methods. The two widely accepted and used
cryptographic methods are symmetric and asymmetric. The
DES ideally belongs to the category of symmetric key
cryptosystem and RSA, NTRU[3] belongs to the category of
asymmetric key cryptosystem. NTRU (Nth degree truncated
polynomial ring units) is a collection of mathematical
algorithms based on manipulating lists of very small integers.
NTRU is the first secure public key cryptosystem not based on
factorization or discrete logarithmic problems. The keys are
generated by having small potent polynomials from the ring
of truncated polynomials. NTRU can also be implemented
using matrices instead of polynomials [4, 5]. We proceed with
the encryption and decryption of the plain text required by
implementing the algorithms of both the approaches of NTRU
cryptosystems. It is already shown that the matrix approach is
algorithmically better than the polynomial approach of NTRU
cryptosystem [5]. We propose and test both the methods for
variable sized text files, using polynomial and matrix
cryptosystems. This paper presents the comparative study of
polynomial NTRU and matrix NTRU algorithms for variable
sized text files as input. The final results were observed using
Mathematica5.1, analyzed and compared so as to identify which
method is appropriate to the business needs.
A Public-Key Cryptosystem Based On Discrete Logarithm Problem over Finite Fie...IOSR Journals
This document presents a public-key cryptosystem based on the discrete logarithm problem over finite fields. The security of the system relies on the difficulty of finding discrete logarithms in the function field Fp^n. The system uses a primitive polynomial f(x) of degree n over the finite field Fp as the base polynomial. The public key consists of f(x) and another primitive polynomial fk(x) with a root that is the kth power of the root of f(x), where k is the secret key. Encryption involves multiplying the message polynomial by a term related to fk(x) or f(x) depending on the secret key. Decryption uses the secret key to recover the message
What is cryptography,its types,two algorithms i.e RSA and DES.
explained well and referenced the slide share too to give more precise presentation. Thank you.
Somewhat Homomorphic Encryption TechniqueNaishil Shah
This document summarizes the implementation of a somewhat homomorphic encryption technique. It describes modifying an existing somewhat homomorphic encryption scheme to enable addition, subtraction, and multiplication of integers. The key changes include replacing the modulo 2 operation in decryption with modulo X, where X is the maximum value for supported computations. AES encryption is used to securely transmit the homomorphically encrypted data between a client and server, which perform operations on the encrypted integers and return the encrypted result to the client for decryption. Several challenges arose during implementation related to the data types and block sizes supported by AES encryption.
This document introduces a new security notion called constrained chosen-ciphertext security (IND-CCCA) for key encapsulation mechanisms (KEMs). The document proves that any IND-CCCA secure KEM combined with an authenticated symmetric encryption scheme provides indistinguishability against chosen-ciphertext attacks (IND-CCA) secure hybrid encryption. This answers an open question from previous work. The document also presents new KEM constructions that achieve IND-CCCA security based on the decision Diffie-Hellman assumption and weaker n-Linear assumptions.
BLIND SIGNATURE SCHEME BASED ON CHEBYSHEV POLYNOMIALSIJNSA Journal
A blind signature scheme is a cryptographic protocol to obtain a valid signature for a message from a signer such that signer’s view of the protocol can’t be linked to the resulting message signature pair.This paper presents blind signature scheme using Chebyshev polynomials. The security of the given scheme depends upon the intractability of the integer factorization problem and discrete logarithms of Chebyshev polynomials.
Message Embedded Cipher Using 2-D Chaotic Mapijccmsjournal
This paper constructs two encryption methods using 2-D chaotic maps, Duffings and Arnold’s cat maps
respectively. Both of the methods are designed using message embedded scheme and are analyzed for
their validity, for plaintext sensitivity, key sensitivity, known plaintext and brute-force attacks. Due to the
less key space generally many chaotic cryptosystem developed are found to be weak against Brute force
attack which is an essential issue to be solved. For this issue, concept of identifiability proved to be a
necessary condition to be fulfilled by the designed chaotic cipher to resist brute force attack, which is a
basic attack. As 2-D chaotic maps provide more key space than 1-D maps thus they are considered to be
more suitable. This work is accompanied with analysis results obtained from these developed cipher.
Moreover, identifiable keys are searched for different input texts at various key values.
On the Usage of Chained Codes in CryptographyCSCJournals
This document summarizes a research paper on using randomized chained linear codes for digital signatures. The summary is:
1) Randomized chained linear codes are proposed to address attacks on previous signature schemes that used regular chained codes. Random vectors are concatenated to the generator matrix of a chained code to create randomized chained codes.
2) A digital signature scheme is presented that uses randomized chained codes. The private key consists of the generator matrix and randomization matrices. The public key is the randomized parity check matrix. Signatures are created using the chain code decoding algorithm.
3) Security analysis shows the scheme is secure if the code length is over 1350 bits, preventing an attacker from determining the private key from the public information
Evaluation of Performance Characteristics of Polynomial based and Lattice bas...IDES Editor
In order to achieve the security for the e-business
application, generally, the organizations follow the
cryptographic methods. The two widely accepted and used
cryptographic methods are symmetric and asymmetric. The
DES ideally belongs to the category of symmetric key
cryptosystem and RSA, NTRU[3] belongs to the category of
asymmetric key cryptosystem. NTRU (Nth degree truncated
polynomial ring units) is a collection of mathematical
algorithms based on manipulating lists of very small integers.
NTRU is the first secure public key cryptosystem not based on
factorization or discrete logarithmic problems. The keys are
generated by having small potent polynomials from the ring
of truncated polynomials. NTRU can also be implemented
using matrices instead of polynomials [4, 5]. We proceed with
the encryption and decryption of the plain text required by
implementing the algorithms of both the approaches of NTRU
cryptosystems. It is already shown that the matrix approach is
algorithmically better than the polynomial approach of NTRU
cryptosystem [5]. We propose and test both the methods for
variable sized text files, using polynomial and matrix
cryptosystems. This paper presents the comparative study of
polynomial NTRU and matrix NTRU algorithms for variable
sized text files as input. The final results were observed using
Mathematica5.1, analyzed and compared so as to identify which
method is appropriate to the business needs.
A Public-Key Cryptosystem Based On Discrete Logarithm Problem over Finite Fie...IOSR Journals
This document presents a public-key cryptosystem based on the discrete logarithm problem over finite fields. The security of the system relies on the difficulty of finding discrete logarithms in the function field Fp^n. The system uses a primitive polynomial f(x) of degree n over the finite field Fp as the base polynomial. The public key consists of f(x) and another primitive polynomial fk(x) with a root that is the kth power of the root of f(x), where k is the secret key. Encryption involves multiplying the message polynomial by a term related to fk(x) or f(x) depending on the secret key. Decryption uses the secret key to recover the message
What is cryptography,its types,two algorithms i.e RSA and DES.
explained well and referenced the slide share too to give more precise presentation. Thank you.
Somewhat Homomorphic Encryption TechniqueNaishil Shah
This document summarizes the implementation of a somewhat homomorphic encryption technique. It describes modifying an existing somewhat homomorphic encryption scheme to enable addition, subtraction, and multiplication of integers. The key changes include replacing the modulo 2 operation in decryption with modulo X, where X is the maximum value for supported computations. AES encryption is used to securely transmit the homomorphically encrypted data between a client and server, which perform operations on the encrypted integers and return the encrypted result to the client for decryption. Several challenges arose during implementation related to the data types and block sizes supported by AES encryption.
This document introduces a new security notion called constrained chosen-ciphertext security (IND-CCCA) for key encapsulation mechanisms (KEMs). The document proves that any IND-CCCA secure KEM combined with an authenticated symmetric encryption scheme provides indistinguishability against chosen-ciphertext attacks (IND-CCA) secure hybrid encryption. This answers an open question from previous work. The document also presents new KEM constructions that achieve IND-CCCA security based on the decision Diffie-Hellman assumption and weaker n-Linear assumptions.
This document summarizes a research paper on a Probabilistic Data Encryption Scheme (PDES). The paper presents a probabilistic encryption scheme that combines the security of Goldwasser and Micali's probabilistic encryption with the efficiency of deterministic schemes. The scheme is based on the assumption that solving the quadratic residuacity problem is computationally infeasible without knowing the factorization of the composite integer. An example is provided to illustrate how the encryption and decryption algorithms work using quadratic residues modulo a composite integer. The paper concludes that the scheme provides semantic security similar to Goldwasser-Micali under the assumption that the quadratic residuacity problem is hard.
The document discusses polygraphic substitution ciphers and the Hill cipher. The Hill cipher is a polygraphic cipher that represents letters as numbers and encrypts blocks of text by multiplying them by a random key matrix. To decrypt, the cipher text is multiplied by the inverse of the key matrix. An example is given showing how a 3x3 key matrix is used to encrypt the plaintext "ACT" into ciphertext and then decrypt it back by multiplying the ciphertext by the inverse key matrix. The steps of encrypting a message using a Hill cipher are outlined.
Data security and privacy techniques for on-premises, public, and private clo...Ulf Mattsson
A common question is how to choose data protection techniques for different deployment models. Unfortunately, such a simple question is rather difficult to answer. An information security professional might respond with “it depends,” which is quite reasonable but sadly unhelpful. Many data protection techniques share similarities and have differences. This article compares data protection techniques and deployment models to help answer the conundrum: how to protect data when using the different deployment models.
Things to consider include whether the data is being protected from unauthorized ac¬cess when stored, when being transmitted, or when being processed and the operational need from different business use cases. A Risk Adjusted Computation model can provide separation of duties and balance requirements between security and operational needs on-premises, in public or private cloud.
Applied parallel coordinates for logs and network traffic attack analysisUltraUploader
This document summarizes a research paper that explores using parallel coordinate plots (PCC) to visualize large datasets for cybersecurity analysis. PCC allows high-dimensional event data to be visualized in 2D. The paper introduces the mathematical foundations of PCC and describes an open-source software called Picviz that generates PCC images from log and network traffic data. Examples are provided of how PCC revealed security issues in Cray system logs and detected botnet attacks. In particular, PCC can identify patterns indicating events like distributed denial-of-service attacks.
Public-key cryptography uses two keys, a public key that can be shared widely, and a private key that is kept secret. It allows for both encryption and digital signatures. The most widely used public-key cryptosystem is RSA, which relies on the difficulty of factoring large prime numbers. Diffie-Hellman key exchange allows two parties to securely exchange a secret key over an insecure channel without any prior secrets.
This document summarizes a paper on the comparison-based complexity of multi-objective optimization. It outlines that the paper presents complexity upper and lower bounds for finding the Pareto front and Pareto set in multi-objective optimization problems. For upper bounds, it shows the complexity is O(Nd log(1/e)) for finding the whole Pareto set and O(N+1-d log(1/e)) for finding a single point, where N is the dimension and d is the number of objectives. For lower bounds, it applies a proof technique using packing numbers from the mono-objective case to the multi-objective case to derive tight complexity bounds.
Information and network security 32 principles of public key cryptosystemsVaibhav Khanna
Public-key cryptography, or asymmetric cryptography, is an encryption scheme that uses two mathematically related, but not identical, keys - a public key and a private key. Unlike symmetric key algorithms that rely on one key to both encrypt and decrypt, each key performs a unique function.
1) DES was adopted as a federal standard in 1977 and uses a 56-bit key to encrypt 64-bit blocks of data. It was based on the earlier Lucifer cipher developed by IBM but had a reduced key size to fit on a single chip.
2) Cryptanalysis techniques like differential cryptanalysis and linear cryptanalysis have demonstrated theoretical attacks on DES requiring as few as 247 chosen plaintexts, but collecting that many plaintext-ciphertext pairs would be impractical.
3) DES is now considered insecure due to the reduced key size and demonstrated attacks breaking it in a matter of days using specialized hardware, prompting the development of alternatives like AES and triple DES.
The document discusses authentication protocols to securely prove identity between two parties communicating over a network. Protocol ap5.0 uses public key cryptography and a nonce (random number) to authenticate, but it is vulnerable to a man-in-the-middle attack where an attacker can pose as both parties to intercept and alter communications. The document explores several authentication protocols and their vulnerabilities to illustrate challenges in securely authenticating identities over an open network.
NEW SYMMETRIC ENCRYPTION SYSTEM BASED ON EVOLUTIONARY ALGORITHMijcsit
In this article, we present a new symmetric encryption system which is a combination of our ciphering evolutionary system SEC [1] and a new ciphering method called “fragmentation”. This latter allows the alteration of the appearance frequencies of characters from a given text. Our system has at its disposed two keys, the first one is generated by the evolutionary algorithm, the second one is generated after “fragmentation” part. Both of them are symmetric, session keys and strengthening the security of our
system.
Presentation on Cryptography_Based on IEEE_PaperNithin Cv
The document summarizes a seminar report on a hybrid cryptography architecture that uses multiple cryptographic algorithms. It discusses Elliptic Curve Cryptography (ECC), Elliptic Curve Diffie-Hellman (ECDH), Elliptic Curve Digital Signature Algorithm (ECDSA), and Dual-RSA. ECC is used to encrypt data onto an elliptic curve. ECDH generates shared secret keys between two parties for use in symmetric encryption. ECDSA allows digital signatures using elliptic curve parameters. Dual-RSA improves decryption efficiency using the Chinese Remainder Theorem to split computations between prime factors p and q. The hybrid architecture combines the strengths of these algorithms to provide secure encryption, authentication, and key exchange.
This document discusses using threshold cryptography and maximum distance separable (MDS) codes for key management in mobile ad hoc networks (MANETs). It begins with an introduction to MANETs and the need for distributed key management approaches. It then provides background on threshold cryptography and MDS codes. The document proposes using threshold cryptography combined with MDS codes to create a distributed cooperative key management system for MANETs that generates and distributes encryption keys among network nodes in a secure and fault-tolerant manner.
The document summarizes adversarial machine learning. It discusses how small perturbations can cause machine learning models to misclassify inputs while remaining imperceptible to humans. Various white-box and black-box attack algorithms are described that generate adversarial examples to fool models, including fast gradient sign method, Jacobian saliency map attack, and generative adversarial networks. Defenses against adversarial attacks include adversarial training to make models more robust, input sanitization to remove perturbations, and detection-based approaches.
The document discusses different types of attention mechanisms used in neural machine translation and image captioning models. It describes global attention which considers all encoder hidden states when deriving context vectors, and local attention which selectively focuses on a small window of context. Hard attention selects a single location to focus on, while soft attention takes a weighted average over locations. The document also discusses input feeding which makes the model aware of previous alignment choices.
This document discusses Monte Carlo simulations in Stata to verify statistical properties like the weak law of large numbers and the central limit theorem. It introduces generating random numbers, simulations to prove the weak law using coin tosses, and simulations to demonstrate the central limit theorem using samples from a uniform distribution. The simulations allow investigating the theoretical properties of estimators by defining the data generating process.
This document discusses enhancing security in DNA-based cryptography. It describes how DNA can be used to store encrypted data by encoding messages in DNA strands using an alphabet of short DNA sequences. The document outlines several methods for DNA-based cryptography including DNA steganography systems that hide encrypted messages within collections of DNA strands. It also summarizes the RSA encryption algorithm and describes challenges in DNA-based cryptography systems like preventing unauthorized access and protecting against cryptanalysis. The document concludes that initial investigations show DNA cryptography methods can in principle be unbreakable but also discusses ways to improve security.
This document outlines the key concepts that will be covered in Lecture 2 on Bayesian modeling. It introduces the likelihood function and how it can be used to determine the most likely parameter values given observed data. It provides examples of applying Bayesian modeling to proportions, normal distributions, linear regression with one predictor, and linear regression with multiple predictors. The lecture aims to give students a basic understanding of how Bayesian analysis works and prepare them for fitting linear mixed models.
This project aims to evaluate and analyze the RSA algorithm as a security policy. The objective is to analyze conventional security policies, evaluate RSA, and perform performance analysis and measurement. The methodology uses random padding schemes as an outer layer of protection for the core RSA policy to make it unbreakable. It also aims to minimize computational complexity of RSA. The project implements RSA encryption and decryption in C++ and C# with a graphical user interface. It analyzes performance in Matlab and models the project using UML.
2014 vulnerability assesment of spatial network - models and solutionsFrancisco Pérez
This document proposes models and optimization problems to assess the vulnerability of spatial networks to disruptions. It defines problems such as the Max-Cost Single-Failure Shortest Path Problem (MCSFSPP) and Max-Cost Multiple-Failure Shortest Path Problem (MCMFSPP) to determine the maximum increase in shortest path length between two nodes due to failures. Failure is modeled by disruption disks of a given radius that can be placed throughout the network space. The problems are formulated as mixed integer programs to find vulnerabilities. Computational results on realistic networks are used to show how the models can characterize network robustness.
FAST DETECTION OF DDOS ATTACKS USING NON-ADAPTIVE GROUP TESTINGIJNSA Journal
Network security has become more important role today to personal users and organizations. Denial-ofService (DoS) and Distributed Denial-of-Service (DDoS) attacks are serious problem in network. The major challenges in design of an efficient algorithm in data stream are one-pass over the input, poly-log space, poly-log update time and poly-log reporting time. In this paper, we use strongly explicit construction d-disjunct matrices in Non-adaptive group testing (NAGT) to adapt these requirements and propose a solution for fast detecting DoS and DDoS attacks based on NAGT approach.
FAST DETECTION OF DDOS ATTACKS USING NON-ADAPTIVE GROUP TESTINGIJNSA Journal
This document proposes a method for fast detection of DDoS attacks using non-adaptive group testing (NAGT). It begins with background on DDoS attacks and group testing techniques. It then describes using a strongly explicit d-disjunct matrix in NAGT to map IP addresses to "tests" performed by routers. The router counters would indicate potential hot items (attackers or victims). Two decoding algorithms are presented to identify the hot items from the test results with poly-log time complexity meeting data stream requirements. The method aims to provide early warning of DDoS attacks through efficient group testing of IP packets.
This document summarizes a research paper on a Probabilistic Data Encryption Scheme (PDES). The paper presents a probabilistic encryption scheme that combines the security of Goldwasser and Micali's probabilistic encryption with the efficiency of deterministic schemes. The scheme is based on the assumption that solving the quadratic residuacity problem is computationally infeasible without knowing the factorization of the composite integer. An example is provided to illustrate how the encryption and decryption algorithms work using quadratic residues modulo a composite integer. The paper concludes that the scheme provides semantic security similar to Goldwasser-Micali under the assumption that the quadratic residuacity problem is hard.
The document discusses polygraphic substitution ciphers and the Hill cipher. The Hill cipher is a polygraphic cipher that represents letters as numbers and encrypts blocks of text by multiplying them by a random key matrix. To decrypt, the cipher text is multiplied by the inverse of the key matrix. An example is given showing how a 3x3 key matrix is used to encrypt the plaintext "ACT" into ciphertext and then decrypt it back by multiplying the ciphertext by the inverse key matrix. The steps of encrypting a message using a Hill cipher are outlined.
Data security and privacy techniques for on-premises, public, and private clo...Ulf Mattsson
A common question is how to choose data protection techniques for different deployment models. Unfortunately, such a simple question is rather difficult to answer. An information security professional might respond with “it depends,” which is quite reasonable but sadly unhelpful. Many data protection techniques share similarities and have differences. This article compares data protection techniques and deployment models to help answer the conundrum: how to protect data when using the different deployment models.
Things to consider include whether the data is being protected from unauthorized ac¬cess when stored, when being transmitted, or when being processed and the operational need from different business use cases. A Risk Adjusted Computation model can provide separation of duties and balance requirements between security and operational needs on-premises, in public or private cloud.
Applied parallel coordinates for logs and network traffic attack analysisUltraUploader
This document summarizes a research paper that explores using parallel coordinate plots (PCC) to visualize large datasets for cybersecurity analysis. PCC allows high-dimensional event data to be visualized in 2D. The paper introduces the mathematical foundations of PCC and describes an open-source software called Picviz that generates PCC images from log and network traffic data. Examples are provided of how PCC revealed security issues in Cray system logs and detected botnet attacks. In particular, PCC can identify patterns indicating events like distributed denial-of-service attacks.
Public-key cryptography uses two keys, a public key that can be shared widely, and a private key that is kept secret. It allows for both encryption and digital signatures. The most widely used public-key cryptosystem is RSA, which relies on the difficulty of factoring large prime numbers. Diffie-Hellman key exchange allows two parties to securely exchange a secret key over an insecure channel without any prior secrets.
This document summarizes a paper on the comparison-based complexity of multi-objective optimization. It outlines that the paper presents complexity upper and lower bounds for finding the Pareto front and Pareto set in multi-objective optimization problems. For upper bounds, it shows the complexity is O(Nd log(1/e)) for finding the whole Pareto set and O(N+1-d log(1/e)) for finding a single point, where N is the dimension and d is the number of objectives. For lower bounds, it applies a proof technique using packing numbers from the mono-objective case to the multi-objective case to derive tight complexity bounds.
Information and network security 32 principles of public key cryptosystemsVaibhav Khanna
Public-key cryptography, or asymmetric cryptography, is an encryption scheme that uses two mathematically related, but not identical, keys - a public key and a private key. Unlike symmetric key algorithms that rely on one key to both encrypt and decrypt, each key performs a unique function.
1) DES was adopted as a federal standard in 1977 and uses a 56-bit key to encrypt 64-bit blocks of data. It was based on the earlier Lucifer cipher developed by IBM but had a reduced key size to fit on a single chip.
2) Cryptanalysis techniques like differential cryptanalysis and linear cryptanalysis have demonstrated theoretical attacks on DES requiring as few as 247 chosen plaintexts, but collecting that many plaintext-ciphertext pairs would be impractical.
3) DES is now considered insecure due to the reduced key size and demonstrated attacks breaking it in a matter of days using specialized hardware, prompting the development of alternatives like AES and triple DES.
The document discusses authentication protocols to securely prove identity between two parties communicating over a network. Protocol ap5.0 uses public key cryptography and a nonce (random number) to authenticate, but it is vulnerable to a man-in-the-middle attack where an attacker can pose as both parties to intercept and alter communications. The document explores several authentication protocols and their vulnerabilities to illustrate challenges in securely authenticating identities over an open network.
NEW SYMMETRIC ENCRYPTION SYSTEM BASED ON EVOLUTIONARY ALGORITHMijcsit
In this article, we present a new symmetric encryption system which is a combination of our ciphering evolutionary system SEC [1] and a new ciphering method called “fragmentation”. This latter allows the alteration of the appearance frequencies of characters from a given text. Our system has at its disposed two keys, the first one is generated by the evolutionary algorithm, the second one is generated after “fragmentation” part. Both of them are symmetric, session keys and strengthening the security of our
system.
Presentation on Cryptography_Based on IEEE_PaperNithin Cv
The document summarizes a seminar report on a hybrid cryptography architecture that uses multiple cryptographic algorithms. It discusses Elliptic Curve Cryptography (ECC), Elliptic Curve Diffie-Hellman (ECDH), Elliptic Curve Digital Signature Algorithm (ECDSA), and Dual-RSA. ECC is used to encrypt data onto an elliptic curve. ECDH generates shared secret keys between two parties for use in symmetric encryption. ECDSA allows digital signatures using elliptic curve parameters. Dual-RSA improves decryption efficiency using the Chinese Remainder Theorem to split computations between prime factors p and q. The hybrid architecture combines the strengths of these algorithms to provide secure encryption, authentication, and key exchange.
This document discusses using threshold cryptography and maximum distance separable (MDS) codes for key management in mobile ad hoc networks (MANETs). It begins with an introduction to MANETs and the need for distributed key management approaches. It then provides background on threshold cryptography and MDS codes. The document proposes using threshold cryptography combined with MDS codes to create a distributed cooperative key management system for MANETs that generates and distributes encryption keys among network nodes in a secure and fault-tolerant manner.
The document summarizes adversarial machine learning. It discusses how small perturbations can cause machine learning models to misclassify inputs while remaining imperceptible to humans. Various white-box and black-box attack algorithms are described that generate adversarial examples to fool models, including fast gradient sign method, Jacobian saliency map attack, and generative adversarial networks. Defenses against adversarial attacks include adversarial training to make models more robust, input sanitization to remove perturbations, and detection-based approaches.
The document discusses different types of attention mechanisms used in neural machine translation and image captioning models. It describes global attention which considers all encoder hidden states when deriving context vectors, and local attention which selectively focuses on a small window of context. Hard attention selects a single location to focus on, while soft attention takes a weighted average over locations. The document also discusses input feeding which makes the model aware of previous alignment choices.
This document discusses Monte Carlo simulations in Stata to verify statistical properties like the weak law of large numbers and the central limit theorem. It introduces generating random numbers, simulations to prove the weak law using coin tosses, and simulations to demonstrate the central limit theorem using samples from a uniform distribution. The simulations allow investigating the theoretical properties of estimators by defining the data generating process.
This document discusses enhancing security in DNA-based cryptography. It describes how DNA can be used to store encrypted data by encoding messages in DNA strands using an alphabet of short DNA sequences. The document outlines several methods for DNA-based cryptography including DNA steganography systems that hide encrypted messages within collections of DNA strands. It also summarizes the RSA encryption algorithm and describes challenges in DNA-based cryptography systems like preventing unauthorized access and protecting against cryptanalysis. The document concludes that initial investigations show DNA cryptography methods can in principle be unbreakable but also discusses ways to improve security.
This document outlines the key concepts that will be covered in Lecture 2 on Bayesian modeling. It introduces the likelihood function and how it can be used to determine the most likely parameter values given observed data. It provides examples of applying Bayesian modeling to proportions, normal distributions, linear regression with one predictor, and linear regression with multiple predictors. The lecture aims to give students a basic understanding of how Bayesian analysis works and prepare them for fitting linear mixed models.
This project aims to evaluate and analyze the RSA algorithm as a security policy. The objective is to analyze conventional security policies, evaluate RSA, and perform performance analysis and measurement. The methodology uses random padding schemes as an outer layer of protection for the core RSA policy to make it unbreakable. It also aims to minimize computational complexity of RSA. The project implements RSA encryption and decryption in C++ and C# with a graphical user interface. It analyzes performance in Matlab and models the project using UML.
2014 vulnerability assesment of spatial network - models and solutionsFrancisco Pérez
This document proposes models and optimization problems to assess the vulnerability of spatial networks to disruptions. It defines problems such as the Max-Cost Single-Failure Shortest Path Problem (MCSFSPP) and Max-Cost Multiple-Failure Shortest Path Problem (MCMFSPP) to determine the maximum increase in shortest path length between two nodes due to failures. Failure is modeled by disruption disks of a given radius that can be placed throughout the network space. The problems are formulated as mixed integer programs to find vulnerabilities. Computational results on realistic networks are used to show how the models can characterize network robustness.
FAST DETECTION OF DDOS ATTACKS USING NON-ADAPTIVE GROUP TESTINGIJNSA Journal
Network security has become more important role today to personal users and organizations. Denial-ofService (DoS) and Distributed Denial-of-Service (DDoS) attacks are serious problem in network. The major challenges in design of an efficient algorithm in data stream are one-pass over the input, poly-log space, poly-log update time and poly-log reporting time. In this paper, we use strongly explicit construction d-disjunct matrices in Non-adaptive group testing (NAGT) to adapt these requirements and propose a solution for fast detecting DoS and DDoS attacks based on NAGT approach.
FAST DETECTION OF DDOS ATTACKS USING NON-ADAPTIVE GROUP TESTINGIJNSA Journal
This document proposes a method for fast detection of DDoS attacks using non-adaptive group testing (NAGT). It begins with background on DDoS attacks and group testing techniques. It then describes using a strongly explicit d-disjunct matrix in NAGT to map IP addresses to "tests" performed by routers. The router counters would indicate potential hot items (attackers or victims). Two decoding algorithms are presented to identify the hot items from the test results with poly-log time complexity meeting data stream requirements. The method aims to provide early warning of DDoS attacks through efficient group testing of IP packets.
This paper proposes a (k,n) threshold scheme for dividing a secret data D into n pieces in such a way that D can be reconstructed from any k pieces, but k-1 pieces reveal no information about D. The scheme uses polynomial interpolation: a random polynomial q(x) of degree k-1 is chosen where q(0)=D, and the pieces are D1=q(1), ..., Dn=q(n). Given any k pieces, q(x) can be interpolated; with k-1 pieces, all possible values of D are equally likely. This threshold scheme enables robust secret sharing and key management even if half the pieces are destroyed or k-1 are exposed.
A NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENTijcisjournal
In this paper, we consider an RSA modulus N=pq, where the prime factors p, q are of the same size. We
present an attack on RSA when the decryption exponent d is in the form d=Md1+d0 where M is a given
positive integer and d1 and d0 are two suitably small unknown integers. In 1999, Boneh and Durfee
presented an attack on RSA when
0.292 d < N . When d=Md1+d0, our attack enables one to overcome
Boneh and Durfee's bound and to factor the RSA modulus
MESSAGE EMBEDDED CIPHER USING 2-D CHAOTIC MAPijccmsjournal
This paper constructs two encryption methods using 2-D chaotic maps, Duffings and Arnold’s cat maps
respectively. Both of the methods are designed using message embedded scheme and are analyzed for their validity, for plaintext sensitivity, key sensitivity, known plaintext and brute-force attacks. Due to the
less key space generally many chaotic cryptosystem developed are found to be weak against Brute force attack which is an essential issue to be solved. For this issue, concept of identifiability proved to be a necessary condition to be fulfilled by the designed chaotic cipher to resist brute force attack, which is a basic attack. As 2-D chaotic maps provide more key space than 1-D maps thus they are considered to be more suitable. This work is accompanied with analysis results obtained from these developed cipher. Moreover, identifiable keys are searched for different input texts at various key values.
The methods are found to have good key sensitivity and possess identifiable keys thus concluding that they can resist linear attacks and brute-force attacks.
1. The document discusses message authentication codes (MACs) and how to construct them from block ciphers and hash functions.
2. A simple construction of MACs directly from a block cipher is presented, but it has weaknesses that are addressed by using counters or nonces. The CBC-MAC construction is also introduced.
3. Hash functions are defined in terms of collision resistance, and it is shown how to construct MACs by applying a block cipher to the hash of a message. The security of this approach relies on the underlying hash function and block cipher being secure.
IET Information Security - 2022 - Ikematsu - Recent progress in the security ...MisbaahNaz
This document reviews recent progress in the security analysis of multivariate public-key cryptography (MPKC). It first explains efficient algorithms for solving the multivariate quadratic (MQ) problem, which is central to MPKC security. It then surveys recent results on analyzing the security of the Rainbow signature scheme, a leading MPKC candidate. In particular, it describes analyses of the complexity of solving bi-graded polynomial systems related to the Rainbow-Band-Separation attack, and the rectangular MinRank attack against Rainbow proposed by Beullens.
A comparative analysis of the possible attacks on rsa cryptosystemIAEME Publication
The document summarizes various attacks on the RSA cryptosystem. It discusses two main categories of attacks: 1) Mathematical attacks that exploit weaknesses in the mathematical structure of RSA, such as factoring the modulus or using a small private key. 2) Implementation attacks that take advantage of flaws in how RSA is implemented, like timing attacks. It then proposes a new attack algorithm that claims to be able to recover the private exponent d and factor the modulus n given only the public key (e,n), potentially breaking RSA without factoring.
Cryptanalysis of Key Exchange Method Using Computational Intelligence Guided ...aciijournal
In this paper, a cryptanalysis of key exchange method using multilayer perceptron (CKEMLP) has been
proposed in wireless communication of data/information. In this proposed CKEMLP technique both sender
and receiver uses an identical multilayer perceptrons for synchronization between them. After achieving
the full synchronization weights vectors of both the parties’ becomes identical and this identical weight
vector is used as a secret session key for encryption/decryption. Different types of possible attacks during
synchronization phase are introduced in this paper. Among different types of attacks some of them can be
easily prevented by increasing the synaptic depth L. But few attacks are also there which has a great
success rate.
Black-Box attacks against Neural Networks - technical project reportRoberto Falconi
This document summarizes a technical report on practical black-box attacks against machine learning. It describes how the authors implemented black-box attacks against deep neural network classifiers without any knowledge of the model's architecture or parameters. The attack strategy involves training a substitute model using synthetic inputs generated from the target model's outputs, then crafting adversarial examples using the substitute model that are misclassified by the target model. The authors validated the attacks on MNIST and CIFAR classifiers using two different attack techniques and also tested attacks on a locally trained dataset. Defenses such as adversarial training and defensive distillation were discussed.
This document summarizes security definitions for searchable symmetric encryption (SSE) schemes. It reviews the indistinguishability and semantic security game definitions, noting that attacks have succeeded against published schemes. It then proposes a new security game definition against distribution-based query recovery attacks, to better capture practical adversary capabilities. The goal is to define security in a way that implies the current indistinguishability and semantic security definitions.
LITTLE DRAGON TWO: AN EFFICIENT MULTIVARIATE PUBLIC KEY CRYPTOSYSTEMIJNSA Journal
In 1998 [8], Patarin proposed an efficient cryptosystem called Little Dragon which was a variant a variant of Matsumoto Imai cryptosystem C*. However Patarin latter found that Little Dragon cryptosystem is not secure [8], [3]. In this paper we propose a cryptosystem Little Dragon Two which is as efficient as Little Dragon cryptosystem but secure against all the known attacks. Like Little Dragon cryptosystem the public key of Little Dragon Two is mixed type that is quadratic in plaintext and cipher text variables. So the public key size of Little Dragon Two is equal to Little Dragon Cryptosystem. Our public key algorithm is bijective and can be used for both encryption and signatures.
A new RSA public key encryption scheme with chaotic maps IJECEIAES
Public key cryptography has received great attention in the field of information exchange through insecure channels. In this paper, we combine the Dependent-RSA (DRSA) and chaotic maps (CM) to get a new secure cryptosystem, which depends on both integer factorization and chaotic maps discrete logarithm (CMDL). Using this new system, the scammer has to go through two levels of reverse engineering, concurrently, so as to perform the recovery of original text from the cipher-text has been received. Thus, this new system is supposed to be more sophisticated and more secure than other systems. We prove that our new cryptosystem does not increase the overhead in performing the encryption process or the decryption process considering that it requires minimum operations in both. We show that this new cryptosystem is more efficient in terms of performance compared with other encryption systems, which makes it more suitable for nodes with limited computational ability.
Abstracting Strings For Model Checking Of C ProgramsMartha Brown
This document summarizes a research paper that introduces a new abstract domain called M-String for abstracting strings in C programs. M-String approximates null-terminated character arrays and tracks both the shape of the array structure and the values of characters. It is parameterized based on the representation of array indices and the abstraction of element values. The paper formalizes the concrete and abstract semantics of basic string operations, proves soundness, and describes an implementation within a model checker to automatically analyze C programs and detect bugs related to string handling.
A Novel Method for Preventing Selective Jamming Attacks in Wireless NetworksIJMER
The document proposes three novel methods to prevent selective jamming attacks in wireless networks:
1. Strong Hiding Commitment Scheme (SHCS) which uses asymmetric cryptography to commit a sender to a value while keeping it hidden.
2. Cryptographic Puzzle Hiding Scheme which generates puzzles that force attackers to spend time solving before obtaining secret keys.
3. Hiding based on All-Or-Nothing Transformation which partitions messages into blocks that are meaningless individually, preventing selective jamming until all blocks are received.
A study of detecting computer viruses in real infected files in the n-gram re...UltraUploader
This document discusses detecting computer viruses in real-infected executable files using machine learning methods and n-gram representations. It created three datasets: benign files, virus loader files, and real infected executable files. Experiments showed that while machine learning methods can detect viruses in small virus loader files, detecting viruses is nearly impossible in real infected executable files when represented as n-grams due to the high dimensionality and low information content of the n-gram vectors. The document explores this limitation from an information theoretic perspective and through classification experiments.
Lightweight Cryptography for Distributed PKI Based MANETSIJCNCJournal
This document proposes a lightweight cryptography solution for secure communication in mobile ad hoc networks (MANETs). It describes creating a distributed public key infrastructure (PKI) using Shamir's secret sharing to decentralize the certificate authority role among MANET nodes. Each node holds a share of the private key. It then proposes using Tiny Encryption Algorithm (TEA), an efficient symmetric-key cipher, along with elliptic curve Diffie-Hellman key exchange to establish secure communication between nodes with limited resources. The system initializes by having founding MANET nodes act as dealers to distribute secret shares. Nodes then use Diffie-Hellman to independently derive a secret key to encrypt communications.
Detection of Various Attacks using Zero Knowledge Protocol in Wireless Securityijceronline
The security mechanism are not used directly in wireless sensor networks compare to wired networks, there is no user control and insufficient energy resources. In wireless environment, proposing the scheme of detection of distributed sensor cloning attacks and Zero knowledge protocols (ZKP) are used to verifying authenticity of the sender sensor nodes. Cloning attack is concentrate on by attaching fingerprint which is unique that depends on the set of neighboring nodes and itself. Every message contains a finger print which sensor node sends.ZKP is used to avoid man in the middle attack and reply attacks from the important cryptographic information in wireless networks.
THE KEY EXCHANGE CRYPTOSYSTEM USED WITH HIGHER ORDER DIOPHANTINE EQUATIONSIJNSA Journal
One-way functions are widely used for encrypting the secret in public key cryptography, although they are regarded as plausibly one-way but have not been proven so. Here we discuss the public key cryptosystem based on the system of higher order Diophantine equations. In this system those Diophantine equations are used as public keys for sender and recipient, and both sender and recipient can obtain the shared secret through a trapdoor, while attackers must solve those Diophantine equations without trapdoor. Thus the scheme of this cryptosystem might be considered to represent a possible one-way function. We also discuss the problem on implementation, which is caused from additional complexity necessary for constructing Diophantine equations in order to prevent from attacking by tamperers.
Trusted Execution Environment for Decentralized Process MiningLucaBarbaro3
Presentation of the paper "Trusted Execution Environment for Decentralized Process Mining" given during the CAiSE 2024 Conference in Cyprus on June 7, 2024.
5th LF Energy Power Grid Model Meet-up SlidesDanBrown980551
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
This presentation provides valuable insights into effective cost-saving techniques on AWS. Learn how to optimize your AWS resources by rightsizing, increasing elasticity, picking the right storage class, and choosing the best pricing model. Additionally, discover essential governance mechanisms to ensure continuous cost efficiency. Whether you are new to AWS or an experienced user, this presentation provides clear and practical tips to help you reduce your cloud costs and get the most out of your budget.
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframePrecisely
Inconsistent user experience and siloed data, high costs, and changing customer expectations – Citizens Bank was experiencing these challenges while it was attempting to deliver a superior digital banking experience for its clients. Its core banking applications run on the mainframe and Citizens was using legacy utilities to get the critical mainframe data to feed customer-facing channels, like call centers, web, and mobile. Ultimately, this led to higher operating costs (MIPS), delayed response times, and longer time to market.
Ever-changing customer expectations demand more modern digital experiences, and the bank needed to find a solution that could provide real-time data to its customer channels with low latency and operating costs. Join this session to learn how Citizens is leveraging Precisely to replicate mainframe data to its customer channels and deliver on their “modern digital bank” experiences.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyScyllaDB
Freshworks creates AI-boosted business software that helps employees work more efficiently and effectively. Managing data across multiple RDBMS and NoSQL databases was already a challenge at their current scale. To prepare for 10X growth, they knew it was time to rethink their database strategy. Learn how they architected a solution that would simplify scaling while keeping costs under control.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3Data Hops
Free A4 downloadable and printable Cyber Security, Social Engineering Safety and security Training Posters . Promote security awareness in the home or workplace. Lock them Out From training providers datahops.com
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
1. Non-Malleable Codes from Two-Source
Extractors
Stefan Dziembowski1
and Tomasz Kazana2
and Maciej Obremski2
1
University of Warsaw and Sapienza University of Rome
2
University of Warsaw
Abstract. We construct an efficient information-theoretically non-mall-
eable code in the split-state model for one-bit messages. Non-malleable
codes were introduced recently by Dziembowski, Pietrzak and Wichs
(ICS 2010), as a general tool for storing messages securely on hardware
that can be subject to tampering attacks. Informally, a code (Enc : M →
L × R, Dec : L × R → M) is non-malleable in the split-state model if
any adversary, by manipulating independently L and R (where (L, R)
is an encoding of some message M), cannot obtain an encoding of a
message M that is not equal to M but is “related” M in some way.
Until now it was unknown how to construct an information-theoretically
secure code with such a property, even for M = {0, 1}. Our construction
solves this problem. Additionally, it is leakage-resilient, and the amount
of leakage that we can tolerate can be an arbitrary fraction ξ < 1/4 of
the length of the codeword. Our code is based on the inner-product two-
source extractor, but in general it can be instantiated by any two-source
extractor that has large output and has the property of being flexible,
which is a new notion that we define.
We also show that the non-malleable codes for one-bit messages have
an equivalent, perhaps simpler characterization, namely such codes can
be defined as follows: if M is chosen uniformly from {0, 1} then the
probability (in the experiment described above) that the output message
M is not equal to M can be at most 1/2 + .
1 Introduction
Real-life attacks on cryptographic devices often do not break their mathematical
foundations, but exploit vulnerabilities in their implementations. Such “physi-
cal attacks” are usually based on passive measurements such as running-time,
electromagnetic radiation, power consumption (see e.g. [24]), or active tamper-
ing where the adversary maliciously modifies some part of the device (see e.g.
[3]) in order to force it to reveal information about its secrets. A recent trend
This work was partly supported by the WELCOME/2010-4/2 grant founded within
the framework of the EU Innovative Economy (National Cohesion Strategy) Opera-
tional Programme. The European Research Council has provided financial support
for this work under the European Community’s Seventh Framework Programme
(FP7/2007-2013) / ERC grant agreement no CNTM-207908.
2. in theoretical cryptography, initiated by [34, 31, 30] is to design cryptographic
schemes that already on the abstract level guarantee that they are secure even
if implemented on devices that may be subject to such physical attacks. Con-
trary to the approach taken by the practitioners, security of these constructions
is always analyzed formally in a well-defined mathematical model, and hence
covers a broad class of attacks, including those that are not yet known, but may
potentially be invented in the future. Over the last few years several models
for passive and active physical attacks have been proposed and schemes secure
in these models have been constructed (see e.g. [31, 30, 22, 2, 35, 7, 15, 25]). In
the passive case the proposed models seem to be very broad and correspond to
large classes of real-life attacks. Moreover, several constructions secure in these
models are known (including even general compliers [27] for any cryptographic
functionality). The situation in the case of active attacks is much less satisfac-
tory, usually because the proposed models include an assumption that some part
of the device is tamper-proof (e.g. [26]) or because the tampering attacks that
they consider are very limited (e.g. [30] or [13] consider only probing attacks, and
in [37] the tampering functions are assumed to be as linear). Hence, providing
realistic models for tampering attacks, and constructing schemes secure in these
models is an interesting research direction.
In a recent paper [23] the authors consider a very basic question of storing
messages securely on devices that may be subject to tampering. To this end they
introduce a new primitive that they call the non-malleable codes. The motivating
scenario for this concept is as follows. Imagine we have a secret message m ∈ M
and we want to store it securely on some hardware D that may be subject to the
tampering attacks. In order to increase the security, we will encode the message
m by some (randomized) function Enc and store the codeword x := Enc(m) on
D. Since we later want to recover m from D we obviously also need a decoding
function Dec : X → M∪{⊥} such that for every m ∈ M we have Dec(Enc(m)) =
m. Now, suppose the adversary can tamper with the device in some way, which
we model by allowing him to choose a function F : X → X, from some fixed
set F of tampering functions and substitute the contents of D by F(x). Let
m := Dec(F(Enc(m))) be the result of decoding such modified codeword.
Let us now think what kind of security properties one could expect from
such an encoding scheme. Optimistically, e.g., one could hope to achieve tamper-
detection by which we would mean that m = ⊥ if F(x) = x. Unfortunately this
is usually unachievable, as, e.g., if the adversary chooses F to be a constant
function equal to Enc( ˜m) then m = ˜m. Hence, even for very restricted classes F
(containing only the constant functions), the adversary can force m to be equal
to some message of his choice. Therefore, if one hopes to get any meaningful
security notion, one should weaken the tamper-detection requirement.
In [23] the authors propose such a weakening based on the concept of non-
malleability introduced in the seminal paper of Dolev et al. [19]. Informally, we
say that a code (Enc, Dec) is non-malleable if either (1) the decoded message m
is equal to m, or (2) the decoded message m is “independent” from m. The
formal definition appears in Section 3, and for an informal discussion of this
3. concept the reader may consult [23]. As argued in [23] the non-malleable codes
can have vast applications to tamper-resistant cryptography. We will not discuss
them in detail here, but let us mention just one example, that looks particularly
appealing to us. A common practical way of breaking cryptosystems is based
on the so-called related-key attacks (see, e.g. [5, 4]), where the adversary that
attacks some device D(K) (where K is the secret key) can get access to an
identical device containing a related key K = F(K) (by for example tampering
with K). Non-malleable codes provide an attractive solution to this problem. If
(Enc, Dec) is a non-malleable code secure with respect to same family F, then
we can store the key K on D in an encoded form, and prevent the related key
attacks as long as the “relation F” is in F. This is because, the only thing that
the adversary can achieve by applying F to Enc(K) is to produce encoding of
either a completely unrelated key K , or to keep K = K. It is clear that both
cases do not help him in attacking D(K).
It is relatively easy to see that if the family F of tampering functions is
equal to the entire space of functions from X to X then it is impossible to
construct such a non-malleable code secure against F. This is because in this
case the adversary can always choose F(x) = Enc(H(Dec(x))) for any function
H : M → M, which yields m = Dec(x) = Dec(Enc(H(Dec(Enc(m))))) = H(m),
and therefore he can relate m to m in an arbitrary way. Therefore non-malleable
codes can exist only with respect to restricted classes F of functions. The authors
of [23] propose some classes like this and provide constructions of non-malleable
codes secure with respect to them. One example is the class of bit-wise tamper-
ing functions, which tamper with every bit of x “independently”, more precisely:
the ith bit xi of x is a function of xi, and does not depend on any xj for j = i.
This is a very strong assumption and it would be desirable to weaken it. One
natural idea for such weakening would be to allow xi to depend on the bits of
x from positions on some larger subset Ii {1, . . . , |x|}. Observe that I always
needs to be a proper subset of {1, . . . , |x|}, as, for the reasons described above,
allowing xi to depend on entire x would render impossible any secure construc-
tion. It is of course not clear what would be the right “natural” subsets Si that
one could use here. The authors of [23] solve this problem in the following sim-
ple way. They assume that the codeword consists of two parts (usually of equal
size), i.e.: x = (L, R) ∈ L×R, and the adversary can tamper in an arbitrary way
with both parts, i.e., F consists of all functions Mallf,g
that can be defined as
Mallf,g
(L, R) = (f(L), g(R)) (for some f : L → L and g : R → R). In practical
applications this corresponds to a scenario in which L and R are stored on two
separate memory parts that can be tampered independently. A similar model
has been used before in the context of leakages and is called a split-state model
[22, 14, 28, 16]. The authors of [23] show existence of non-malleable codes secure
in this model in a non-constructive way (via the probabilistic argument). They
also provide a construction of such codes in a random oracle model, and leave
constructing explicit information-theoretically secure codes as an open problem.
A very interesting partial solution to this problem came recently from Liu and
Lysyanskaya [33] who constructed such codes with computationally-security, as-
4. suming a common reference string. Their construction comes with an additional
feature of being leakage-resilient, i.e. they allow the adversary to obtain some
partial information about the codeword via memory leakage (the amount of leak-
age that they can tolerate is a 1
2 − o(1) fraction of the length of the codeword).
However, constructing the information-theoretically secure nonmalleable codes
in this model remained an open problem, even if messages are of length 1 only
(i.e. M = {0, 1}).
Our contribution We show a construction of efficient information-theoretically
secure non-malleable codes in the split-state model for M = {0, 1}. Additionally
to being non-malleable, our code is also leakage-resilient and the amount of
leakage that we can tolerate is an arbitrary constant ξ < 1
4 of the length of
the codeword (cf. Thm. 2). Our construction is fairly simple. The codeword is
divided into two parts, L and R, which are vectors from a linear space Fn
, where
F is a field of exponential size (and hence log |F| is linear). Essentially, to encode
a bit B = 0 one chooses at a random pair (L, R) ∈ Fn
× Fn
of orthogonal
vectors (i.e. such that L, R = 0), and to encode B = 1 one chooses a random
pair of non-orthogonal vectors (clearly both encoding and decoding can be done
very efficiently in such a code). Perhaps surprisingly, the assumption that F is
large is important, as our construction is not secure for small F’s. An interesting
consequence is that our code is “non-balanced”, in the sense that a random
element of the codeword space with an overwhelming probability encodes 1. We
actually use this property in the proof.
Our proof also very strongly relies on the fact that the inner product over
finite field is a two-source extractor (cf. Sect. 2). We actually show that in general
a split-state non-malleable code for one-bit messages can be constructed from any
two source-extractor with sufficiently strong parameters (we call such extractors
flexible, cf. Sect. 2).
We also provide a simple argument that shows that our scheme is secure
against affine mauling functions (that look at the entire codeword, hence not in
the split-state model).
Typically in information-theoretic cryptography solving a certain task for
one-bit messages automatically gives a solution for multi-bit messages. Unfor-
tunately, it is not the case for the non-malleable codes. Consider for example a
naive idea of encoding n bits “in parallel” using the one bit encoding function
Enc, i.e. letting Enc (m1, . . . , mn) := ((L1, . . . , Ln), (R1, . . . , Rn)), where each
(Li, Ri) = Enc(mi). This encoding is obviously malleable, as the adversary can,
e.g., permute the bits of m by permuting (in the same way) the blocks L1, . . . , Ln
and R1, . . . , Rn. Nevertheless we believe that our solution is an important step
forward, as it may be useful as a building blocks for other, more advanced con-
structions, like, e.g., tamper-resilient generic compilers (in the spirit of [31, 30,
13, 20, 27]). This research direction looks especially promising since many of the
leakage-resilient compliers (e.g. [20, 27]) are based on the same inner-product
extractor.
We also show that for one-bit messages non-malleable codes can be defined
in an alternative, and perhaps simpler way. Namely we show (cf. Lemma 2) that
5. any code (Enc, Dec) (not necessarily defined in the split-state model) in non-
malleable with respect to some family F of functions if and only if “it is hard to
negate the encoded bit B with functions from F”, by which we mean that for a
bit B chosen uniformly from {0, 1} any F ∈ F we have that
P [Dec(F(Enc(B))) = B] ≤
1
2
. (1)
(the actual lemma that we prove involves also some small error parameter
both in the non-malleability definition and in (1), but for the purpose of this
informal discussion let us omit them). Therefore, the problem of constructing
non-malleable bit encoding in the split state model can be translated to a much
simpler and perhaps more natural question: can one encode a random bit B as
(L, R) in such a way that independent manipulation of L and R produces an
encoding (L , R ) of B with probability at most 1/2? Observe that, of course, it
is easy to negate a random bit with probability exactly 1/2, by deterministically
setting (L , R ) to be an encoding of a fixed bit, 0, say. Informally speaking,
(Enc, Dec) is non-malleable if this is the best that the adversary can achieve.
In the full version of this paper [21] we analyze the general relationship
between the two-source extractors and the non-malleable codes in the split state
model pointing out some important differences. We also compare the notion of
the non-malleable codes with the leakage-resilient storage [14] also showing that
they are fundamentally different.
Related and subsequent work Some of the related work was already described
in the introduction. There is no space here to mention all papers that propose
theoretical countermeasures against tampering. This research was initiated by
Ishai et al. [30, 26]. Security against both tampering and leakage attacks were
also recently considered in [32]. Unlike us, they construct concrete cryptosystems
(not encoding schemes) secure against such attacks. Another difference is that
their schemes are computationally secure, while in this work we are interested
in the information-theoretical security.
The notion of non-malleability (introduced in [19]) is used in cryptography
in several contexts. In recent years it was also analyzed in the context of ran-
domness extractors, starting from the work of Dodis and Wichs [18] on non-
malleable extractors (see also [17, 12]). Informally speaking an extractor ext is
non-malleable if its output ext(S, X) is (almost) uniform even if one knows the
value ext(F(S), X) for some “related” seed F(S) (such that F(S) = S). Un-
fortunately, it does not look like this primitive can be used to construct the
non-malleable codes in the split-state model, as this definition does not capture
the situation when X is also modified.
Constructions of non-malleable codes secure in different (not split-state)
models were recently proposed in [8–10].
Recently, Aggarwal, Dodis and Lovett [1] solved the main open problem
left in this paper, by showing a non-malleable code that works for messages of
arbitrary length. This exciting result is achieved by combining the inner-product
based encoding with sophisticated methods from the additive combinatorics.
6. Acknowledgments We are very grateful to Divesh Aggarwal and to the anony-
mous CRYPTO reviewer for pointing out errors in the proof of Lemma 3 in
the previous versions of this paper. We also thank Yevgeniy Dodis for helpful
discussions.
2 Preliminaries
If Z is a set then Z ← Z will denote a random variable sampled uniformly from
Z. We start with some standard definitions and lemmas about the statistical
distance. Recall that if A and B are random variables over the same set A then
the statistical distance between A and B is denoted as ∆(A; B), and defined as
∆(A; B) = 1
2 a∈A |P [A = a] − P [B = a] |. If the variables A and B are such
that ∆(A, B) ≤ then we say that A is -close to B, and write A ≈ B. If
X, Y are some events then by ∆(A|X ; B|Y) we will mean the distance between
variables A and B , distributed according to the conditional distributions PA|X
and PB|Y .
If B is a uniform distribution over A then d(A|X) := ∆(A|X; B) is called
statistical distance of A from uniform given the event X. If moreover C is inde-
pendent from B then d(A|C) := ∆((A, C); (B, C)) is called statistical distance
of A from uniform given the variable C. More generally, if X is an event then
d(A|C, X) := ∆((A, C)|X; (B, C)|X). It is easy to see that d(A|C) is equal to
c P [C = c] · d(A|C = c).
Extractors As described in the introduction, the main building block of our
construction is a two-source randomness extractor based on the inner product
over finite fields. The two source extractors were introduced (implicitly) by Chor
and Goldreich [11], who also showed that the inner product over Z2 is a two-
source extractor. The generalization to any field is shown in [36].
Our main theorem (Thm. 1) does not use any special properties of the inner
product (like, e.g., the linearity), besides of the fact that it extracts randomness,
and hence it will be stated in a general form, without assuming that the un-
derlying extractor is necessarily an inner product. The properties that we need
from our two-source extractor are slightly non-standard. Recall that a typical
way to define a strong two-source extractor3
(cf. e.g. [36]) is to require that
d(ext(L, R)|L) and d(ext(L, R)|R) are close to uniform, provided that L and R
have min-entropy at least m (for some parameter m). For the reasons that we
explain below, we need a slightly stronger notion, that we call flexible extrac-
tors. Essentially, instead of requiring that H∞(L) ≥ m and H∞(R) ≥ m we
will require only that H∞(L) + H∞(R) ≥ k (for some k). Note that if k = 2m
then this requirement is obviously weaker than the standard once, and hence the
flexibility strengthens the standard definition.
Formally, let L, R and C be some finite sets. A function ext : L × R → C is a
strong flexible (k, )-two source extractor if for every L ∈ L and R ∈ R such that
3
Recall also that a random variable A has min-entropy k, denoted H∞(A) = k if
k = mina (− log P [A = a]).
7. H∞(L) + H∞(R) ≥ k we have that d(ext(L, R)|L) ≤ and d(ext(L, R)|R) ≤ .
Since we are not going to use any weaker version of this notion we will often
simply call such extractors “flexible” without explicitly stating that they are
strong. As it turns out the inner product over finite fields is such an extractor.
Lemma 1. For every finite field F and any n we have that ext : Fn
× Fn
→ F
defined as extn
F (L, R) = L, R is a strong flexible (k, )-extractor for any k and
such that
log (1/ ) =
k − (n + 4) log |F|
3
− 1. (2)
Although this lemma appears to be folklore, at least in case of the “weak”
flexible extractors (i.e. when we require only that d(ext(L, R)) ≤ ), we were not
able to find it in the literature for the strong flexible extractors. Therefore for
completeness in the full version of this paper [21] we provide a proof of it (which
is straightforward adaptation of the proof of Theorem 3.1 in [36]).
Note that since can be at most 1, hence (2) makes sense only if k ≥ 6+4 |F|+
n log |F|. It is easy to see that it cannot be improved significantly, as in any flex-
ible (k, )-extractor ext : L × R → C we need to have k > max (log |L| , log |R|).
To see why it is the case, suppose we have such a flexible (k, )-extractor ext
for k = log |L| (the case k = log |R| is obviously symmetric). Now let L be a
random variable uniformly distributed over L and let R ∈ R be constant. Then
obviously H∞(L ) + H∞(R ) = log |L| + 0 = k, but ext(L , R ) is a deterministic
function of L , and hence d(ext(L , R )|L ) is large. Therefore, in terms of the en-
tropy threshold k, the inner product is optimal in the class of flexible extractors
(up to a small additive constant). Note that this is in contrast with the situation
with the “standard” two-source extractors where a better extractor is known [6].
The reason why we need the “flexibility” property is as follows. In the proof
of Lemma 3 we will actually use in two different ways the fact that ext is an
extractor. In one case (in the proof of Claim 2 within the proof of Lemma 3)
we will use it in the “standard” way, i.e. we will apply it to two independent
random variables with high min-entropy. In the other case (proof of Claim 1) we
will use the fact that d(ext(L, R)|R) ≤ even if L has relatively low min-entropy
(H∞(L) = k−|R|) while R is completely uniform (and hence H∞(L)+H∞(R) =
k).4
Hence we will treat ext as standard seeded extractor. It should not be
surprising that we can use the inner product in this way, as it is easy to see
that the inner product is a universal hash function, and hence the fact that it
is a seeded strong extractor follows from the leftover hash lemma [29]. Hence
Lemma 1 in some sense “packs” these two properties of the inner product into
one simple statement.
The observation that the inner product extractor is flexible allows us as also
to talk about the sum of leakages in Section 5, instead of considering bounded
leakage from L and R separately (as it is done, e.g., in [14]). We would like to
stress that this is actually not the main reason for introducing the “flexibility”
property, as it would be needed even if one does not incorporate leakages into
the model.
4
We will also use a symmetric fact for d(ext(L, R)|L).
8. 3 Non-malleable codes and the hardness of negation
In this section we review the definition of the non-malleable codes from [23],
which has already been discussed informally in the introduction. Formally, let
(Enc : M → X, Dec : X → M ∪ {⊥}) be an encoding scheme. For F : X → X
and for any m ∈ M define the experiment TamperF
m as:
TamperF
m =
X ← Enc(m),
X := F(X),
m := Dec(X )
output: m
Let F be a family of functions from X to X. We say that an encoding scheme
(Enc, Dec) is -non-malleable with respect to F if for every function F ∈ F there
exists distribution DF
on M ∪ {same∗
, ⊥} such that for every m ∈ M we have
TamperF
m ≈
d ← DF
if d = same∗
then output m
otherwise output d.
(3)
The idea behind the “⊥” symbol is that it should correspond to the situation
when the decoding function detects tampering and outputs an error message.
Since the codes that we construct in this paper do not need this feature, we will
usually drop this symbol and have Dec : X → M. The “⊥” symbol is actually
more useful for the strong non-malleable codes (another notion defined in [23])
where it is required that any tampering with X should be either “detected” or
should produce encoding of an unrelated message. Our codes do not have this
property. This is because, for example, permuting the elements of the vectors L
and R in the same manner does change these vectors, but does not change their
inner product. Fortunately, for all applications that we are aware of this stronger
notion is not needed. The following lemma, already informally discussed in Sect.
1, states that for one-bit messages non-malleability is equivalent to the hardness
of negating a random encoded bit. It turns out that such a characterization of
the non-malleable codes is much simpler to deal with. We also believe that it
may be of independent interest.
Lemma 2. Suppose M = {0, 1}. Let F be any family of functions from X to
X. An encoding scheme (Enc : M → X, Dec : X → M) is -non-malleable with
respect to F if and only if for any F ∈ F and B ← {0, 1} we have
P [Dec (F(Enc(B))) = B] ≤
1
2
+ . (4)
The proof of this lemma appears in the full version of this paper [21]. In this
paper we are interested in the split-state codes. A split-state code is a pair
(Enc : M → L × R, Dec : L × R → M). We say that it is -non-malleable
if it is -non-malleable with respect to a family of all functions Mallf,g
defined
as Mallf,g
(L, R) = (f(L), g(R)).
9. 4 The construction
In this section we present a construction of a non-malleable code in the split-state
model, together with a security proof. Before going to the technical details, let us
start with some intuitions. First, it is easy to see that any such code (Enc, Dec)
needs to be a 2-out-of-2 secret sharing scheme, where Enc is the sharing function,
Dec is the reconstruction function, and (L, R) = Enc(M) are shares of a secret
M. Informally speaking, this is because if one of the “shares”, L, say, reveals some
non-trivial information about M then by modifying L we can “negate” stored
secret M with probability significantly higher than 1/2. More precisely, suppose
that M = {0, 1} and that we know that there exist some values 0, 1 ∈ L such
that for b = 0, 1 if L = b then M is significantly more likely to be equal to b.
Then (f, g) where g is an identity and f is such that f( 0) = 1 and f( 1) = 0
would lead to M = Dec(f(L), g(R)) = 1 − M with probability significantly
higher than 1/2 (this argument is obviously informal, but it can be formalized).
It is also easy to see that not every secret sharing scheme is a non-malleable
code in the split-state model. As an example consider Enc : Za → Za × Za (for
some a ≥ 2) defined as Enc(M) := (L, L + M (mod a)), where L ← Za, and
Dec(L, R) := L + R mod m. Obviously it is a good 2-out-of-2 secret sharing
scheme. However, unsurprisingly, it is malleable, as an adversary can, e.g., easily
add any constant w ∈ Za to a encoded message, by choosing an identity function
as f, and letting g be such that that g(R) = R+w mod a. Obviously in this case
for every L and R that encode some M we have Dec(f(L), g(R)) = M +w mod a.
We therefore need to use a secret sharing scheme with some extra security
properties. A natural idea is to look at the two-source randomness extractors, as
they may be viewed exactly as “2-out-of-2 secret sharing schemes with enhanced
security”, and since they have already been used in the past in the context of
the leakage-resilient cryptography. The first, natural idea, is to take the inner
product extractor ext : Fn
× Fn
→ F and use it as a code as follows: to encode
a message M ∈ F take a random pair (L, R) ∈ Fn
× Fn
such that L, R = M
(to decode (L, R) simply compute L, R ). This way of encoding messages is a
standard method to provide leakage-resilience in the split-state model (cf. e.g.
[14]). Unfortunately, it is easy to see that this scheme can easily be broken by
exploiting the linearity attacks of the inner product. More precisely, if the adver-
sary chooses f(L) := a·L and g(R) := R (for any a ∈ F) then the encoded secret
gets multiplied by a. Obviously, this attack does not work for F = Z2, as in this
case the only choices are a = 0 (which means that the secret is deterministically
transformed to 0) and a = 1 (which leaves the secret unchanged). Sadly, it turns
out that for F = Z2 another attack is possible. Consider f and g that leave their
input vectors unchanged except of setting the first coordinate of the vector to
1, i.e.: f (L1, . . . , Ln) := (1, L2, . . . , Ln) and g (R1, . . . , Rn) := (1, R2, . . . , Rn).
Then it is easy to see that f(L), g(R) = L, R if and only if L1 ·R1 = 0, which
happens with probability 3/4 both for M = 0 and for M = 1.
Note that the last attack is specific for small F’s, as over larger fields the
probability that L1 ·R1 = 0 is negligible. At the first glance, this fact should not
bring any hope for a solution, since, as described above, for larger fields another
10. attack exists. Our key observation is that for one-bit messages it is possible to
combine the benefits of the “large field” solution with those of the “small field”
solution in such a way that the resulting scheme is secure, and in particular
both attacks are impossible! Our solution works as follows. The codewords are
pairs of vectors from Fn
for a large F. The encoding of 0 remains as before –
i.e. we encode it as a pair (L, R) of orthogonal vectors. To encode 1 we choose a
random pair (L, R) of non-orthogonal vectors, i.e. such that L, R is a random
non-zero element of F. Before going to the technical details let us first “test” this
construction against the attacks described above. First, observe that multiplying
L (or R) by some constant a = 0 never changes the encoded bit as a · L, R =
a L, R which is equal to 0 if and only if L, R = 0. On the other hand if a = 0
then a · L, R = 0, and hence the secret gets deterministically transformed to
0, which is also ok. It is also easy to see that the second attack (setting the first
coordinates of both the vectors to 1) results in f(L), g(R) close to uniform (no
matter what was the value of L, R ), and hence Dec(f(L), g(R)) = 1 with an
overwhelming probability.
Let us now define our encoding scheme formally. As already mentioned in
Sect. 2 our construction uses a strong flexible two-source extractor ext : L×R →
C in a black-box way (later we show how to instantiate it with an inner product
extractor, cf. Thm. 2). This in particular means that we do not use any special
properties of the inner product, like the linearity. Also, since C does not need to
be a field, hence obviously the choice to encode 0 is by a pair of vectors such
that L, R = 0 (in the informal discussion above) was arbitrary, and one can
encode 0 as any pair (L, R) such that L, R = c, for some fixed c ∈ F. Let
ext : L × R → C be a strong flexible (k, )-extractor, for some parameters k
and , and let c ∈ C be arbitrary. We first define the decoding function. Let
Dc
ext : L × R → {0, 1} be defined as:
Dc
ext(L, R) =
0 if ext(X) = c
1 otherwise.
Now, let Ec
ext : {0, 1} → L × R be an encoding function defined as Ec
ext(b) :=
(L, R), where (L, R) is a pair chosen uniformly at random from the set {(L, R) :
Dc
ext(L, R) = b}. We also make a small additional assumption about ext. Namely,
we require that ˜L and ˜R are completely uniform over L and R (resp.) then
ext(˜L, ˜R) is completely uniform. More formally
for ˜L ← L and ˜R ← R we have d(ext(˜L, ˜R)) = 0. (5)
The reason why we impose this assumption is that it significantly simplifies the
proof, thanks to the following fact. It is easy to see that if ext satisfies (5), then
for every x ∈ C the cardinality of each set {( , r) : ext( , r) = x} is exactly 1/ |F|
fraction of the cardinality of L × R. Hence, if B ← {0, 1} and (L, R) ← Ec
ext(B),
then in the distribution of (L, R) every ( , r) such that ext( , r) = c is exactly
(|C| − 1) more likely than any ( , r ) such that ext( , r ) = c. Formally:
P [(L, R) = ( , r)] = (|C| − 1) · P [(L, R) = ( , r )] . (6)
11. It is also straightforward to see that every extractor can be easily converted to
an extractor that satisfies (5)5
. Lemma 3 below is the main technical lemma of
this paper. It states that (Ec
ext, Dc
ext) is non-malleable, for an appropriate choice
of ext. Since later (in Sect. 5) we will re-use this lemma in the context of non-
malleability with leakages, we prove it in a slightly more general form. Namely,
(cf. (8)) we show that it is hard to negate an encoded bit even if one knows that
the codeword (L, R) happens to be an element of some set L × R ⊆ L × R.
Note that we do not explicitly assume any lower bound on the cardinality of
L ×R . This is not needed, since this cardinality is bounded implicitly in (7) by
the fact that in any flexible extractor the parameter k needs to be larger than
max (log |L| , log |R|) (cf. Sect. 2). If one is not interested in leakages then one
can read Lemma 3 and its proof assuming that L × R = L × R. Lemma 3 is
stated abstractly, but one can, of course, obtain a concrete non-malleable code,
by using as ext the two-source extractor extn
F . We postpone presenting the choice
of concrete parameters F and n until Section 5, where it is done in a general
way, also taking into account leakages.
Lemma 3. Let L and R be some subsets of L and R respectively. Suppose
ext : L × R → C is a strong flexible (k, )-extractor that satisfies (5), where, for
some parameter δ we have:
k =
2
3
· (log |L | + log |R |) −
2
3
· log(1/δ). (7)
Take arbitrary functions f : L → L and g : R → R, let B be chosen uniformly
at random from {0, 1} and let (L, R) ← Ec
ext(B). Then
P [Dc
ext(f(L), g(R)) = B | (L, R) ∈ (L , R )] ≤
1
2
+
3
2
|C|
−1
+ 6 |C|
2
+ δ/(|C|
−1
− ), (8)
and, in particular (Ec
ext, Dc
ext) is 3
2 |C|
−1
+6 |C|
2
+δ/(|C|
−1
− ) -non-malleable.
Proof. Before presenting the main proof idea let us start with some simple obser-
vations. First, clearly it is enough to show (8), as then the fact that (Ec
ext, Dc
ext) is
|C|
−1
+ 2 |C|
2
+δ/(|C|
−1
− ) -non-malleable can be obtained easily by assum-
ing that L × R = L × R and applying Lemma 2. Observe also that (8) implies
that log |L |+log |R | ≥ k, and hence, from the fact that ext is a (k, )-two source
extractor we obtain that if ˜L ← L and ˜R ← ˜R then
d(ext(˜L, ˜R)) ≤ . (9)
We will use this fact later. The basic idea behind the proof is a as follows. Denote
B := Mallf,g
(Enc(B)). Recall that our code is “non-balanced” in the sense that
5
The inner-product extractor satisfies (5) if we assume, e.g., that the fist coordinate
of L and the last coordinate of R are non-zero. In general, if ext : L × R → C is
any extractor, then ext : (L × C) × R → C defined as ext((C, L), R) = ext(L, R) + C
(assuming that (C, +) is a group) satisfies (5).
12. a random codeword (L, R) ∈ L × R with only negligible probability encodes 0.
We will exploit this fact. Very informally speaking, we would like to prove that
if B = 1 then the adversary cannot force B to be equal to 0, as any independent
modifications of L and R that encode 1 are unlikely to produce an encoding of
0. In other words, we would hope to show that P [B = 0|B = 1] is small. Note
that if we managed to show it, then we would obviously get that P [B = B]
cannot be much larger than 1/2 (recall that B is uniform), and then the proof
would be finished. Unfortunately, this is too good to be true, as the adversary
can choose f and g to be constant such that always Dc
ext(f(L), g(R)) = 0, which
would result in B = 0 for any value of B. Intuitively, what we will actually
manage to prove is that the only way to obtain B = 0 if B = 1 is to apply
such a “constant function attack”. Below we show how to make this argument
formal.
Let us first observe that any attack where f and g are constant will never work
against any encoding scheme, as in this case (f(L), g(R)) carries no information
about the initial value of B. Our first key observation is that for our scheme,
thanks to the fact that it is based on extractor, this last statement holds even if
any of f and g is only “sufficiently close to constant”. Formalizing this property
is a little bit tricky, as, of course, the adversary can apply “mixed” strategies,
e.g., setting f to be constant on some subset of L and to be injective (and hence
“very far from constant”) on the rest of L . In order to deal with such cases we
will define subsets LFFC ⊆ L and RFFC ⊆ R on which f and g (resp.) are “very
far from constant”. Formally, for ˜L ← L and ˜R ← R let
LFFC := ∈ L : H∞(˜L | f(˜L) = f( )) < k + 1 − log |R | ,
and
RFFC := r ∈ R : H∞( ˜R | g( ˜R) = g(r)) < k + 1 − log |L | ,
where FFC stands for “far from constant”. Hence, in some sense, we define a
function to be “very far from constant on some argument x” if there are only
a few other arguments of this function that collide with x. We now state the
following claim (whose proof appears in the full version of this paper [21]) that
essentially formalizes the intuition outlined above, by showing that if either
L ∈ LFFC or R ∈ RFFC then (f, g) cannot succeed in negating B.
Claim 1 Let B ← {0, 1} and (L, R) ← Ec
ext(B). Then:
P Dc
ext(Mallf,g
(L, R)) = B | L ∈ LFFC ∨ R ∈ RFFC ≤
1
2
+
3
4
· |C|
−1
+ 6 |C|
2
.
(10)
Hence, what remains is to analyze the case when (L, R) ∈ LFFC × RFFC. We will
do it only for the case B = 1, and when LFFC × RFFC is relatively large, more
precisely we will assume that
|LFFC × RFFC| ≥ δ · |L × R | . (11)
13. This will suffice since later we will show (cf. (23)) that the probability that
Enc(B) ∈ LFFC × RFFC is small for small δ’s (note that this is not completely
trivial as (L, R) does not have a uniform distribution over L ×R ). We now have
the following claim whose proof appears in the full version of this paper [21].
Claim 2 Let (L1
, R1
) ← Ec
ext(1) and suppose LFFC and RFFC are such that (11)
holds. Then
P Dc
ext Dec(f(L1
), g(R1
)) = 0 |(L1
, R1
) ∈ LFFC × RFFC ≤ 2 |C|
−1
+ 2 . (12)
To finish the proof we need to combine the two above claims. A small technical
difficulty, that we need still to deal with, comes from the fact that Claim 2 was
proven only under the assumption (11). Let us first expand the left-hand-side of
(8). We have
P Dc
ext(Mallf,g
(L, R) = B|(L, R) ∈ L × R (13)
=
(∗)
P Dc
ext(Mallf,g
(L, R) = B | L ∈ LFFC ∨ R ∈ RFFC (14)
· P [L ∈ LFFC ∨ R ∈ RFFC]
+
(∗∗)
P Dc
ext(Mallf,g
(L, R) = B | (L, R) ∈ LFFC × RFFC
· P [(L, R) ∈ LFFC × RFFC] (15)
From Claim 1 we get that (∗) is at most 1
2 + 1
2 · |C|
−1
+ 2 |C|
2
. Now consider
two cases.
Case 1 First, suppose that (11) holds (i.e. |LFFC × RFFC| ≥ δ · |L × R|). In this
case we get that (∗∗) is a equal to
≤ 2|C|−1
+2 by Claim 2
P Dc
ext(Mallf,g
(L, R) = B|B = 0 ∧ (L, R) ∈ LFFC × RFFC
·
≥ 1
2 −|C|
P [B = 0|(L, R) ∈ LFFC × RFFC] + (16)
P Dc
ext(Mallf,g
(L, R) = B|B = 1 ∧ (L, R) ∈ LFFC × RFFC
≤1
· P [B = 1|(L, R) ∈ LFFC × RFFC]
≤ 1
2 +|C|
(17)
≤
1
2
+ |C|
−1
− + |C| ( − 2
) ≤
1
2
+ |C|
−1
+ |C| . (18)
The inequalities in (16) and (18) follow from the fact that LFFC × RFFC is a
large set and the fact that B depends on ext(L, R), where ext is a randomness
14. extractor. The detailed proof of these inequalities appears in the full version of
this paper [21]. Now, since (13) is a weighted average of (∗) and (∗∗), hence
obviously
(13) (19)
≤ max
1
2
+
3
2
· |C|
−1
+ 6 |C|
2
,
1
2
+ |C|
−1
+ |C| (20)
≤
1
2
+
3
2
|C|
−1
+ 6 |C|
2
. (21)
Case 2 Now consider the case when (11) does not hold, i.e.:
|LFFC × RFFC| < δ · |L × R| (22)
We now give a bound on the probability that (L, R) is a member of LFFC ×RFFC.
P [(L, R) ∈ LFFC × RFFC]
=
1
2
· P [Ec
ext(0) ∈ LFFC × RFFC] +
1
2
· P [Ec
ext(1) ∈ LFFC × RFFC]
=
1
2
· P (˜L, ˜R) ∈ LFFC × RFFC | ext(˜L, ˜R) = c +
1
2
· P (˜L, ˜R) ∈ LFFC × RFFC | ext(˜L, ˜R) = c
≤
1
2
·
P (˜L, ˜R) ∈ LFFC × RFFC
P ext(˜L, ˜R) = c
+
1
2
·
P (˜L, ˜R) ∈ LFFC × RFFC
P ext(˜L, ˜R) = c
≤
1
2
·
P (˜L, ˜R) ∈ LFFC × RFFC
|C|
−1
−
+
1
2
·
P (˜L, ˜R) ∈ LFFC × RFFC
(|C| − 1) · |C|
−1
−
(23)
≤ δ/(|C|
−1
− ),
where in (23) we used (9). Hence, in this case, (15) is at most equal to δ/(|C|
−1
−
), and therefore, altogether, we can bound (13) by
(13) ≤ (∗) + δ/(|C|
−1
− ) (24)
=
1
2
+
3
2
|C|
−1
+ 6 |C|
2
+ δ/(|C|
−1
− ) (25)
Since analyzing both cases gave us bounds (21) and (25), hence all in all we can
bound (13) by their maximum, which is at most
1
2
+
3
2
|C|
−1
+ 6 |C|
2
+ δ/(|C|
−1
− ).
Hence (8) is proven.
15. 5 Adding Leakages
In this section we show how to incorporate leakages into our result. First, we
need to extend the non-malleability definition. We do it in the following, straight-
forward way. Observe that we can restrict ourselves to the situation when the
leakages happen before the mauling process (as it is of no help to the adversary
to leak from (f(L), g(R) if he can leak already from (L, R)). For any split-state
encoding scheme (Ec
ext : M → L × R, Dc
ext : L × R → M), a family of func-
tions F, any m ∈ M and any adversary A define a game TamperA
m (where λ
is some parameter) as follows. First, let (L, R) ← Ec
ext(m). Then the adversary
A chooses a sequence of functions (v1
, w1
, . . . , vt
, wt
), where each vi
has a type
vi
: L → {0, 1}λi
and each wi
has a type wi
: R → {0, 1}ρi
where the λ’s and
ρ’s are some parameters such that
λ1 + · · · + λt + ρ1 + · · · ρt ≤ λ. (26)
He learns Leak(L, R) = v1
(L), w1
(R), . . . , vt
(L), wt
(R) . Moreover this process
is adaptive, i.e. the choice of an ith function in the sequence (26) can depend on
the i − 1 first values in the sequence Leak(L, R). Finally the adversary chooses
functions f : L → L and g : R → R. Now define the output of the game as:
TamperA
m := (f(L), g(R)). We say that the encoding scheme (Ec
ext, Dc
ext) is -non-
malleable with leakage λ if for every adversary A there exists distribution DA
on M ∪ {same∗
} such that for every m ∈ M we have
TamperA
m ≈
d ← DA
if d = same∗
then output m,
otherwise output d.
Theorem 1. Suppose ext : L × R → C is a flexible (k, )-extractor that satisfies
(5), where, for some parameters δ and λ we have
k =
2
3
· (log |L| + log |R| − λ) −
4
3
· log(1/δ). (27)
Then the encoding scheme is 3
2 |C|
−1
+ 6 |C|
2
+ 2δ/(|C|
−1
− ) -non-malleable
with leakage λ.
The proof of this theorem appears in the full version of this paper [21]. We
now show how to instantiate Theorem 1 with the inner-product extractor from
Sect. 2.
Theorem 2. Take any ξ ∈ [0, 1/4) and γ > 0 then there exist an explicit split-
state code (Enc : {0, 1} → {0, 1}N/2
× {0, 1}N/2
, Dec : {0, 1}N/2
× {0, 1}N/2
→
{0, 1}) that is γ-non-malleable with leakage λ := ξN such that N = O(log(1/γ) ·
(1/4 − ξ)
−1
). The encoding and decoding functions are computable in O(N ·
log2
(log(1/γ))) and the constant hidden under the O-notation in the formula
for N is around 100.
16. The proof of this theorem appears in the full version of this paper [21]. We would
like to remark that it does not look like we could prove, with our current proof
techniques, a better relative leakage bound than ξ < 1
4 . Very roughly speaking
it is because we used the fact that the inner product is an extractor twice in the
proof. On the other hand we do not know any attack on our scheme for relative
leakage ξ ∈ 1
4 , 1
2 (recall that for ξ = 1
2 obviously any scheme is broken). Hence,
it is quite possible, that with a different proof strategy (perhaps relying on some
special features of the inner product function) one could show a higher leakage
tolerance of our scheme.
6 Security against affine mauling
Interestingly, we can also show that our encoding scheme (Ec
ext, Dc
ext), instantiated
with the inner product extractor, is secure in the model where (L, R) ∈ Fn
× Fn
can be mauled simultaneously (i.e. we do not use the split-model assumption),
but the class of the mauling functions is restricted to the affine functions over
F, i.e. each mauling function h is of a form
h((L1, . . . , Ln), (R1, . . . , Rn)) = M · (L1, . . . , Ln, R1, . . . , Rn)T
+ V T
, (28)
where M is an (2n × 2n)-matrix over F and V ∈ F2n
. We now argue informally
why it is the case, by showing that every h that breaks the non-malleability of
this scheme can be transformed into a pair of functions (f, g) that breaks the
non malleability of the scheme
Ec
ext : Fn+2
× Fn+2
→ {0, 1}, Dc
ext : {0, 1} → Fn+2
× Fn+2
in the split-state model. Let (L, R) ∈ Fn+2
× Fn+2
denote the codeword in this
scheme. Our attack works only under the assumption that it happened that
(L, R) ∈ L × R , where L × R := (Fn
× {0} × {0}) × (Fn
× {0} × {0}) (in
other words: the two last coordinates of both L and R are zero). Since L ×R is
large, therefore this clearly suffices to obtain the contradiction with the fact that
our scheme is secure even if (L, R) happen to belong to some large subdomain
of the set of all codewords (cf. Lemma 3). Clearly, to finish the argument it is
enough to construct the functions f and g such that
f(L), g(R) = (L1, . . . , Ln+2), (R1, . . . , Rn+2) ,
where (L1, . . . , Ln+2, R1, . . . , Rn+2) = h(L1, . . . , Ln, R1, . . . , Rn). It is easy to
see that, since h is affine, hence the value of (L1, . . . , Ln+2), (R1, . . . , Rn+2)
can be represented as a sum of monomials over variables Li and Rj where each
variable appears in power at most 1. Hence it can be rewritten as the following
sum:
n
i=1
Li ·
j∈Ji
Rj
+
j∈Jn+1
Lj +
i,j∈Kn+1
LiLj + y +
j∈Jn+2
Rj +
i,j∈Kn+2
RiRj,
17. where each Ji is a subset of the indices {1, . . . , n} and y ∈ F is a constant. It is
also easy to see that the above sum is equal to the inner product of vectors V
and W defined as:
V := L1, . . . , Ln,
j∈Jn+1
Lj +
i,j∈Kn+1
LiLj, 1
W :=
j∈J1
Rj, . . . ,
j∈Jn
Rj, 1, y +
j∈Jn+2
Rj +
i,j∈Kn+2
RiRj .
Now observe that V depends only on the vector L, and similarly, W depends
only on R. We can therefore set f(L) := V and g(R) := W. This finishes the
argument.
References
1. D. Aggarwal, Y. Dodis, and S. Lovett. Non-malleable codes from additive combina-
torics. Cryptology ePrint Archive, Report 2013/201, 2013. http://eprint.iacr.org/.
2. A. Akavia, S. Goldwasser, and V. Vaikuntanathan. Simultaneous hardcore bits
and cryptography against memory attacks. TCC, pages 474–495, 2009.
3. R. Anderson and M. Kuhn. Tamper resistance - a cautionary note. In The Second
USENIX Workshop on Electronic Commerce Proceedings, November 1996.
4. M. Bellare and T. Kohno. A theoretical treatment of related-key attacks: Rka-prps,
rka-prfs, and applications. EUROCRYPT 2003, pages 647–647, 2003.
5. E. Biham. New types of cryptanalytic attacks using related keys. Journal of
Cryptology, 7(4):229–246, 1994.
6. J. Bourgain. More on the sum-product phenomenon in prime fields and its appli-
cations. International Journal of Number Theory, 1(01):1–32, 2005.
7. Z. Brakerski, Y. T. Kalai, J. Katz, and V. Vaikuntanathan. Overcoming the hole
in the bucket: Public-key cryptography resilient to continual memory leakage. In
51st Annual IEEE Symposium on Foundations of Computer Science (FOCS), pages
501–510. IEEE, 2010.
8. H. Chabanne, G. Cohen, J. Flori, and A. Patey. Non-malleable codes from the
wire-tap channel. In Information Theory Workshop (ITW), 2011 IEEE, pages
55–59. IEEE, 2011.
9. H. Chabanne, G. Cohen, and A. Patey. Secure network coding and non-malleable
codes: Protection against linear tampering. In Information Theory Proceedings
(ISIT), 2012 IEEE International Symposium on, pages 2546–2550, 2012.
10. S. Choi, A. Kiayias, and T. Malkin. Bitr: built-in tamper resilience. ASIACRYPT
2011, pages 740–758, 2011.
11. B. Chor and O. Goldreich. Unbiased bits from sources of weak randomness and
probabilistic communication complexity. SIAM Journal on Computing, 17(2):230–
261, 1988.
12. G. Cohen, R. Raz, and G. Segev. Non-malleable extractors with short seeds and
applications to privacy amplification. In Computational Complexity (CCC), pages
298–308, 2012.
13. D. Dachman-Soled and Y. Kalai. Securing circuits against constant-rate tampering.
CRYPTO 2012, pages 533–551, 2012.
14. F. Dav`ı, S. Dziembowski, and D. Venturi. Leakage-resilient storage. Security and
Cryptography for Networks, pages 121–137, 2010.
18. 15. Y. Dodis, K. Haralambiev, A. Lopez-Alt, and D. Wichs. Cryptography against
continuous memory attacks. In 51st Annual IEEE Symposium on Foundations of
Computer Science (FOCS), pages 511–520. IEEE Computer Society, 2010.
16. Y. Dodis, A. Lewko, B. Waters, and D. Wichs. Storing secrets on continually leaky
devices. In Foundations of Computer Science (FOCS), 2011 IEEE 52nd Annual
Symposium on, pages 688–697. IEEE, 2011.
17. Y. Dodis, X. Li, T. Wooley, and D. Zuckerman. Privacy amplification and non-
malleable extractors via character sums. In FOCS 2011, pages 668–677, 2011.
18. Y. Dodis and D. Wichs. Non-malleable extractors and symmetric key cryptography
from weak secrets. In STOC, pages 601–610, 2009.
19. D. Dolev, C. Dwork, and M. Naor. Nonmalleable cryptography. SIAM review,
45(4):727–784, 2003.
20. S. Dziembowski and S. Faust. Leakage-resilient circuits without computational
assumptions. TCC, pages 230–247, 2012.
21. S. Dziembowski, T. Kazana, and M. Obremski. Non-malleable codes from two-
source extractors. Cryptology ePrint Archive, 2013. Full version of this paper,
http://eprint.iacr.org/.
22. S. Dziembowski and K. Pietrzak. Leakage-resilient cryptography. In FOCS’08,
pages 293–302. IEEE, 2008.
23. S. Dziembowski, K. Pietrzak, and D. Wichs. Non-malleable codes. ICS, pages
434–452, 2010.
24. ECRYPT. European Network of Excellence. Side Channel Cryptanalysis Lounge.
http://www.emsec.rub.de/research/projects/sclounge.
25. S. Faust, K. Pietrzak, and D. Venturi. Tamper-proof circuits: How to trade leakage
for tamper-resilience. In ICALP 2011, volume 6755 of Lecture Notes in Computer
Science, pages 391–402. Springer, 2011.
26. R. Gennaro, A. Lysyanskaya, T. Malkin, S. Micali, and T. Rabin. Algorithmic
tamper-proof (atp) security: Theoretical foundations for security against hardware
tampering. TCC, pages 258–277, 2004.
27. S. Goldwasser and G. Rothblum. How to compute in the presence of leakage. In
FOCS 2012, pages 31–40, 2012.
28. S. Halevi and H. Lin. After-the-fact leakage in public-key encryption. TCC, pages
107–124, 2011.
29. J. H˚astad, R. Impagliazzo, L. Levin, and M. Luby. A pseudorandom generator
from any one-way function. SIAM Journal on Computing, 28(4):1364–1396, 1999.
30. Y. Ishai, M. Prabhakaran, A. Sahai, and D. Wagner. Private circuits ii: Keeping
secrets in tamperable circuits. EUROCRYPT, pages 308–327, 2006.
31. Y. Ishai, A. Sahai, and D. Wagner. Private circuits: Securing hardware against
probing attacks. CRYPTO, pages 463–481, 2003.
32. Y. Kalai, B. Kanukurthi, and A. Sahai. Cryptography with tamperable and leaky
memory. CRYPTO 2011, pages 373–390, 2011.
33. F. Liu and A. Lysyanskaya. Tamper and leakage resilience in the split-state model.
CRYPTO 2012, pages 517–532, 2012.
34. S. Micali and L. Reyzin. Physically observable cryptography. TCC, pages 278–296,
2004.
35. M. Naor and G. Segev. Public-key cryptosystems resilient to key leakage. CRYPTO
2009, pages 18–35, 2009.
36. A. Rao. An exposition of bourgain 2-source extractor. In Electronic Colloquium
on Computational Complexity (ECCC), volume 14, page 034, 2007.
37. H. Wee. Public key encryption against related key attacks. PKC 2012, pages
262–279, 2012.