This document summarizes a theory seminar on cryptography that covered digital signature schemes. It began with an introduction to hard assumptions like the discrete log problem and computational Diffie-Hellman problem. It then described the ElGamal digital signature scheme, including its key generation, signing, and verification algorithms. It discussed the security of signature schemes in the chosen message attack model and how the ElGamal scheme's unforgeability relies on the hardness of computing discrete logs. It analyzed the probability of an adversary using oracle queries to forge a signature or solve the computational Diffie-Hellman problem. References for the original ElGamal and related signature scheme papers were also provided.
Two further methods for obtaining post-quantum security are discussed, namely code-based and isogeny-based cryptography. Topic 1: Revocable Identity-based Encryption from Codes with Rank Metric (will be presented by Dr. Reza Azarderakhsh) Authors: Donghoon Chang; Amit Kumar Chauhan; Sandeep Kumar; Somitra Kumar Sanadhya Topic 2: An Exposure Model for Supersingular Isogeny Diffie-Hellman Key Exchange Authors: Brian Koziel; Reza Azarderakhsh; David Jao
(Source: RSA Conference USA 2018)
Processing Reachability Queries with Realistic Constraints on Massive Network... (BigMine)
Massive graphs are ubiquitous in various application domains, such as social networks, road networks, communication networks, biological networks, RDF graphs, and so on. Such graphs are massive (for example, with hundreds of millions of nodes and edges or even more) and contain rich information (for example, node/edge weights, labels and textual contents). In such massive graphs, an important class of problems is to process various graph structure related queries. Graph reachability, as an example, asks whether a node can reach another in a graph. However, the large graph scale presents new challenges for efficient query processing.
In this talk, I will introduce two new yet important types of graph reachability queries: weight constraint reachability, which imposes an edge weight constraint on the answer path, and k-hop reachability, which imposes a length constraint on the answer path. With such realistic constraints, we can find more meaningful and practically feasible answers. These two reachability queries have wide applications in many real-world problems, such as QoS routing and trip planning.
Sensors and Samples: A Homological Approach (Don Sheehy)
In their seminal work on homological sensor networks, de Silva and Ghrist showed the surprising fact that it's possible to certify the coverage of a coordinate-free sensor network even with very minimal knowledge of the space to be covered. We give a new, simpler proof of the de Silva-Ghrist Topological Coverage Criterion that eliminates any assumptions about the smoothness of the boundary of the underlying space, allowing the results to be applied to much more general problems. The new proof factors the geometric, topological, and combinatorial aspects of this approach. This factoring reveals an interesting new connection between the topological coverage condition and the notion of weak feature size in geometric sampling theory. We then apply this connection to the problem of showing that for a given scale, if one knows the number of connected components and the distance to the boundary, one can also infer the higher Betti numbers or provide strong evidence that more samples are needed. This is in contrast to previous work, which merely assumed a good sample and gives no guarantees if the sampling condition is not met.
How to make hash functions go fast inside snarks, aka a guided tour through arithmetisation friendly hash functions (useful for all cryptographic protocols where cost is dominated by multiplications -- e.g. anything using R1CS; secret sharing based multiparty computation protocols; etc)
My presentation at University of Nottingham "Fast low-rank methods for solvin... (Alexander Litvinenko)
Overview of my (with co-authors) low-rank tensor methods for solving PDEs with uncertain coefficients. Connection with Bayesian Update. Solving a coupled system: stochastic forward and stochastic inverse.
What is the difference between a mesh and a net?
What is the difference between a metric space epsilon-net and a range space epsilon-net?
What is the difference between geometric divide-and-conquer and combinatorial divide-and-conquer?
In this talk, I will answer these questions and discuss how these different ideas come together to finally settle the question of how to compute conforming point set meshes in optimal time. The meshing problem is to discretize space into as few pieces as possible and yet still capture the underlying density of the input points. Meshes are fundamental in scientific computing, graphics, and more recently, topological data analysis.
This is joint work with Gary Miller and Todd Phillips
Signyourd digital signature certificate provider (Kishankant Yadav)
A digital signature is a digital code (generated and authenticated by public key encryption) which is attached to an electronically transmitted document to verify its contents and the sender's identity.
This definition explains how digital signatures work and what they are used for. Learn about the mathematical underpinnings of digital signature technology.
A digital signature is basically a way to ensure that an electronic document (e-mail, spreadsheet, text file, etc.) is authentic. Authentic means that you know who created the document and you know that it has not been altered in any way since that person created it.
https://signyourdoc.com/
This week, Luke Pearson (Polychain Capital) and Joshua Fitzgerald (Anoma) present their work on Plonkup, a protocol that combines Plookup and PLONK into a single, efficient protocol. The protocol relies on a new hash function, called Reinforced Concrete, written by Dmitry Khovratovich. The three of them will present their work together at this week's edition of zkStudyClub!
Slides:
---
To follow the Zero Knowledge Podcast, visit https://www.zeroknowledge.fm
To the listeners of Zero Knowledge Podcast, if you like what we do:
- Follow us on Twitter - @zeroknowledgefm
- Join us on Telegram - https://t.me/joinchat/TORo7aknkYNLHmCM
- Support our Gitcoin Grant - https://gitcoin.co/grants/329/zero-knowledge-podcast-2
- Support us on Patreon - https://www.patreon.com/zeroknowledge
Free Space Optics (FSO) communications, also called Free Space Photonics (FSP) or Optical Wireless, refers to the transmission of modulated visible or infrared (IR) beams through the atmosphere to obtain optical communications. Like fiber, Free Space Optics (FSO) uses lasers to transmit data, but instead of enclosing the data stream in a glass fiber, it is transmitted through the air. Free Space Optics (FSO) works on the same basic principle as Infrared television remote controls, wireless keyboards
Cryptography is the science of using mathematics to encrypt and decrypt data.
Cryptography enables you to store sensitive information or transmit it across insecure networks so that it cannot be read by anyone except the intended recipient.
This PPT explains about the term "Cryptography - Encryption & Decryption". This PPT is for beginners and for intermediate developers who want to learn about Cryptography. I have also explained about the various classes which .Net provides for encryption and decryption and some other terms like "AES" and "DES".
We elaborate on hierarchical credal sets, which are sets of probability mass functions paired with second-order distributions. A new criterion to make decisions based on these models is proposed. This is achieved by sampling from the set of mass functions and considering the Kullback-Leibler divergence from the weighted center of mass of the set. We evaluate this criterion in a simple classification scenario: the results show performance improvements when compared to a credal classifier where the second-order distribution is not taken into account.
Error control codes are necessary for transmission and storage of large volumes of data sensitive to errors. BCH codes and Reed-Solomon codes are the most important class of multiple error correcting codes for binary and non-binary channels respectively. Peterson, and later Berlekamp and Massey, discovered powerful algorithms which became viable with the help of new digital technology. Use of Galois fields gave a structured approach to the design of these codes. This presentation deals with the above in a very structured and systematic manner.
Hecke Operators on Jacobi Forms of Lattice Index and the Relation to Elliptic... (Ali Ajouz)
Jacobi forms of lattice index, whose theory can be viewed as an extension of the theory of classical Jacobi forms, play an important role in various theories, like the theory of orthogonal modular forms or the theory of vertex operator algebras. Every Jacobi form of lattice index has a theta expansion which implies, for index of odd rank, a connection to half integral weight modular forms and then via Shimura lifting to modular forms of integral weight, and implies a direct connection to modular forms of integral weight if the rank is even. The aim of this thesis is to develop a Hecke theory for Jacobi forms of lattice index extending the Hecke theory for the classical Jacobi forms, and to study how the indicated relations to elliptic modular forms behave under Hecke operators. After defining Hecke operators as double coset operators, we determine their action on the Fourier coefficients of Jacobi forms, and we determine the multiplicative relations satisfied by the Hecke operators, i.e. we study the structural constants of the algebra generated by the Hecke operators. As a consequence we show that the vector space of Jacobi forms of lattice index has a basis consisting of simultaneous eigenforms for our Hecke operators, and we discover the precise relation between our Hecke algebras and the Hecke algebras for modular forms of integral weight. The latter supports the expectation that there exist equivariant isomorphisms between spaces of Jacobi forms of lattice index and spaces of integral weight modular forms. We make this precise and prove the existence of such liftings in certain cases. Moreover, we give further evidence for the existence of such liftings in general by studying numerical examples.
Digital Signatures: Reassessing security of randomizable signatures (Priyanka Aash)
Two signature schemes with special properties are discussed: randomizable signatures and deterministic signatures. Topic 1: Reassessing Security of Randomizable Signatures Authors: David Pointcheval; Olivier Sanders Topic 2: Differential Fault Attacks on Deterministic Signatures Authors: Christopher Ambrose; Joppe W. Bos; Bjorn Fay; Marc Joye; Manfred Lochter; Bruce Murray
(Source: RSA Conference USA 2018)
We start with motivation, few examples of uncertainties. Then we discretize elliptic PDE with uncertain coefficients, apply TT format for permeability, the stochastic operator and for the solution. We compare sparse multi-index set approach with full multi-index+TT.
Tensor Train format allows us to keep the whole multi-index set, without any multi-index set truncation.
Multidimensional integrals may be approximated by weighted averages of integrand values. Quasi-Monte Carlo (QMC) methods are more accurate than simple Monte Carlo methods because they carefully choose where to evaluate the integrand. This tutorial focuses on how quickly QMC methods converge to the correct answer as the number of integrand values increases. The answer may depend on the smoothness of the integrand and the sophistication of the QMC method. QMC error analysis may assume the integrand belongs to a reproducing kernel Hilbert space, or may assume that the integrand is an instance of a stochastic process with known covariance structure. These two approaches have interesting parallels. This tutorial also explores how the computational cost of achieving a good approximation to the integral depends on the dimension of the domain of the integrand. Finally, this tutorial explores methods for determining how many integrand values are needed to satisfy the error tolerance. Relevant software is described.
Response Surface in Tensor Train format for Uncertainty Quantification (Alexander Litvinenko)
We apply low-rank Tensor Train format to solve PDEs with uncertain coefficients. First, we approximate uncertain permeability coefficient in TT format, then the operator and then apply iterations to solve stochastic Galerkin system.
Köhler, Sven, Bertram Ludäscher, and Yannis Smaragdakis. 2012. “Declarative Datalog Debugging for Mere Mortals.” In Datalog in Academia and Industry, edited by Pablo Barceló and Reinhard Pichler, 111–22. Lecture Notes in Computer Science 7494. Springer Berlin Heidelberg. doi:10.1007/978-3-642-32925-8_12.
Abstract. Tracing why a “faulty” fact A is in the model M = P(I) of program P on input I quickly gets tedious, even for small examples. We propose a simple method for debugging and “logically profiling” P by generating a provenance-enriched rewriting P̂, which records rule firings according to the logical semantics. The resulting provenance graph can be easily queried and analyzed using a set of predefined and ad-hoc queries. We have prototypically implemented our approach for two different Datalog engines (DLV and LogicBlox), demonstrating the simplicity, effectiveness, and system-independent nature of our method.
2024.03.22 - Mike Heddes - Introduction to Hyperdimensional Computing.pdf (Advanced-Concepts-Team)
Presentation in Science Coffee of the Advanced Concepts Team of the European Space Agency.
Date: 22.03.2024
Speaker: Mike Heddes (University of California, Irvine)
Topic: Introduction to Hyperdimensional Computing
Abstract:
Hyperdimensional computing (HD), also known as vector symbolic architectures (VSA), is a computing framework capable of forming compositional distributed representations. HD/VSA forms a "concept space" by exploiting the geometry and algebra of high-dimensional spaces. The central idea is to represent information with randomly generated vectors, called hypervectors. Together with a set of operations on these hypervectors, HD/VSA can represent compositional structures, which, in turn, enables features such as reasoning by analogy and cognitive computing. In this introductory talk, I will introduce the high-dimensional spaces and the fundamental operations on hypervectors. I will then cover applications of HD/VSA such as reasoning by analogy and graph classification.
Similar to A Signature Scheme as Secure as the Diffie Hellman Problem (20)
Neuro-symbolic is not enough, we need neuro-*semantic* (Frank van Harmelen)
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Elevating Tactical DDD Patterns Through Object Calisthenics (Dorra BARTAGUIZ)
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Key Trends Shaping the Future of Infrastructure.pdf (Cheryl Hung)
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Generating a custom Ruby SDK for your web service or Rails API using Smithy (g2nightmarescribd)
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Transcript: Selling digital books in 2024: Insights from industry leaders - T... (BookNet Canada)
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
JMeter webinar - integration with InfluxDB and Grafana (RTTS)
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti... (Jeffrey Haguewood)
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
DevOps and Testing slides at DASA Connect (Kari Kakkonen)
My and Rik Marselis's slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. Finally, we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
A Signature Scheme as Secure as the Diffie Hellman Problem
1. Theory Seminar - Cryptography
A Signature Scheme as Secure as the Diffie Hellman Problem
Theory Seminar
Eu-Jin Goh and Stanislaw Jarecki
Eurocrypt 2003
Subhashini V
IIT Madras
2. Theory Seminar - Cryptography
Outline
1 Introduction
Hard Assumptions
2 Signature Scheme
Definition
EDL Scheme
3 Security
CMA model
Unforgeability
Forgery
Probability
4 References
3. Theory Seminar - Cryptography
Introduction
Objective of this talk
Introduction to
Hardness assumption - CDH
Reduction techniques
ZKP in cryptosystems
Random oracle model
Signature scheme
4. Theory Seminar - Cryptography
Introduction
Hard Assumptions
Hard Assumption
Discrete log problem
- Given: g, g^a. Find: a
CDH - Computational Diffie-Hellman
- Given: g, g^a, g^b. Compute: g^{ab}
Reduction to hard assumption
What is tightness?
5. Theory Seminar - Cryptography
Signature Scheme
Definition
Digital Signature Scheme
Key Generation - private key (sk) and public key (pk)
Sign - Sign(M, sk) → σ
Verify - Ver(pk, M, σ). Output: Accept or Reject
6–16. Theory Seminar - Cryptography
Signature Scheme
EDL Scheme
EDL Signature scheme
Proposed originally by [CEVDG88] and [CP93].
Key-generation
sk = x ∈_R Z_q, pk = y ← g^x
Sign(x, M)
1 r ∈_R {0,1}^{n_r}, h ← H(M, r), z ← h^x
2 NI-ZKP that DL_h(z) = DL_g(y)
3 k ∈_R Z_q, u ← g^k, v ← h^k
4 c ← H'(g, h, y, z, u, v) ∈ Z_q
5 s ← k + cx mod q
6 σ ← (z, r, s, c)
Verify
h' ← H(M, r), u' ← g^s y^{-c}, v' ← h'^s z^{-c}
c' ← H'(g, h', y, z, u', v'). Check c' =? c
Signature Scheme
EDL Scheme
Proof of equality of DL
Replacing the ZK proof of knowledge with just a ZKP (a [CP93]-style proof that two discrete logs are equal):
$k \in \mathbb{Z}_q$; $u = g^k$; $v = h^k$
$s = k + cx$; the verifier checks $g^s = u y^c$ and $h^s = v z^c$
Also a proof of knowledge of $x$: $g^x = y$; $h^x = z$, i.e. $x = DL_g(y)$ and $x = DL_h(z)$.
Soundness: suppose $x = DL_g(y) \neq x' = DL_h(z)$ and let $k = DL_g(u)$, $k' = DL_h(v)$. Both checks pass only if $s = k + cx = k' + cx'$, which is possible only if $c = (k - k')/(x' - x)$. A random challenge $c \in \mathbb{Z}_q$ hits this single value with probability $1/q$.
Security
CMA model
Security Model
Chosen Message Attack (CMA)
- Adaptive chosen messages: each query may depend on the answers to earlier ones.
- Training with oracles (hash, sign).
- Adversary $\mathcal{A}$ outputs a forgery: a pair $(M, \sigma)$ that verifies, where $M$ was never submitted to the signing oracle.
Security
Unforgeability
Unforgeability
Random oracle model: a forger is turned into a CDH solver. (Proof is from [?])
Setup: $y = g^a$ ($a$ is unknown to the challenger).
$H$ queries: embed the CDH instance, $H(M, r) = h = (g^b)^d$, $d$ random.
$H'$ queries: all random.
Sign queries (answered without knowing $x = a$):
1 $r \in_R \{0,1\}^{n_r}$. If $H(M, r)$ has already been queried, abort.
2 $\kappa \in_R \mathbb{Z}_q$. Set $z = y^\kappa$, $h = g^\kappa$ and program $H(M, r) = h$, so that $DL_h(z) = DL_g(y)$ holds by construction.
3 $c \in_R \mathbb{Z}_q$, $s \in_R \mathbb{Z}_q$. Set $u = g^s y^{-c}$ and $v = h^s z^{-c}$.
4 Store $H'(g, h, y, z, u, v) = c$ (abort if this input was already queried).
5 $\sigma = (z, r, s, c)$.
Security
Forgery
Solving CDH
The forgery $(z, r, s, c)$ on $M$ passes verification.
$h = H(M, r) = g^{bd}$ (the value embedded when $H$ was queried).
$DL_h(z) = DL_g(y) \Rightarrow z = h^a = g^{abd}$.
Output: $z^{1/d} = g^{ab}$, where $1/d$ is the inverse of $d$ modulo $q$.
Solved CDH.
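The scheme defined above, together with the signing-oracle simulation and the CDH extraction of the Unforgeability and Forgery slides, as an added Python example; this is not the seminar's or the original paper's code. It assumes a constructed toy group (a 64-bit safe prime found by a deterministic search at import time, far smaller than any real parameter), builds $H$ from SHA-256 by squaring into the order-$q$ subgroup and $H'$ from SHA-256 reduced mod $q$, and wraps both in an `Oracle` class with a `program` method so that the reduction's programming of the random oracles can actually be executed. `Oracle`, `simulated_sign`, `embed_cdh` and `extract_cdh` are names chosen for this example.

```python
import hashlib
import secrets

# Constructed toy group, NOT for real use (a deployment needs p of >= 2048 bits):
# p = 2q + 1 safe prime with q ~ 2^63, found by a deterministic upward search.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # MR is exact for n < 3.3e24

def _is_prime(n):  # deterministic Miller-Rabin, valid for 37 < n < 3.3e24
    if n < 2 or any(n % b == 0 and n != b for b in _MR_BASES):
        return False
    d, s = n - 1, 0
    while d % 2 == 0: d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1: break
        else:
            return False
    return True

Q = (1 << 63) | 1
while not (_is_prime(Q) and _is_prime(2 * Q + 1)):
    Q += 2
P, G = 2 * Q + 1, 4  # g = 4 = 2^2 generates the order-q subgroup of QRs mod p
NR = 16              # salt length in bytes (n_r = 128 bits in the slides' notation)

def _enc(*parts):  # length-prefixed encoding of ints (< 2^128) and bytes for hashing
    return b"".join(len(b).to_bytes(4, "big") + b for b in
                    (x if isinstance(x, bytes) else x.to_bytes(16, "big") for x in parts))

class Oracle:
    """SHA-256 hash that a simulator may also program, as in the random-oracle
    proof. to_group=True: H -> G (square into the QR subgroup); else H' -> Z_q."""
    def __init__(self, to_group):
        self.to_group, self.programmed, self.queried = to_group, {}, set()

    def __call__(self, *parts):
        key = _enc(*parts)
        self.queried.add(key)
        if key in self.programmed:
            return self.programmed[key]
        d = int.from_bytes(hashlib.sha256(key).digest(), "big")
        t = d % (P - 3) + 2  # t in [2, p-2], so t^2 lies in G and t^2 != 1
        return pow(t, 2, P) if self.to_group else d % Q

    def program(self, value, *parts):  # fix the answer; abort if already queried
        key = _enc(*parts)
        if key in self.queried:
            raise RuntimeError("abort: oracle already queried on this input")
        self.programmed[key] = value

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)  # (sk, pk = y = g^x)

def sign(x, msg, H, H1, r=None):
    """Honest EDL signer: z = h^x plus a NI-ZKP that DL_h(z) = DL_g(y)."""
    y = pow(G, x, P)
    r = secrets.token_bytes(NR) if r is None else r
    h = H(msg, r)
    z = pow(h, x, P)
    k = secrets.randbelow(Q)
    u, v = pow(G, k, P), pow(h, k, P)
    c = H1(G, h, y, z, u, v)
    return z, r, (k + c * x) % Q, c

def verify(y, msg, sig, H, H1):
    z, r, s, c = sig
    # z must lie in G (the CDH extraction needs z = h^a in the order-q subgroup).
    if not (1 < z < P and pow(z, Q, P) == 1 and 0 <= s < Q and 0 <= c < Q):
        return False
    h = H(msg, r)
    u = pow(G, s, P) * pow(y, Q - c, P) % P  # g^s * y^{-c}
    v = pow(h, s, P) * pow(z, Q - c, P) % P  # h^s * z^{-c}
    return H1(G, h, y, z, u, v) == c

def simulated_sign(y, msg, H, H1):
    """Signing-oracle simulation: a valid signature knowing only y = g^a."""
    r = secrets.token_bytes(NR)
    kappa = secrets.randbelow(Q - 1) + 1
    h, z = pow(G, kappa, P), pow(y, kappa, P)  # DL_h(z) = DL_g(y) = a by construction
    H.program(h, msg, r)                       # step 1: abort if H(M, r) was asked before
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    u = pow(G, s, P) * pow(y, Q - c, P) % P
    v = pow(h, s, P) * pow(z, Q - c, P) % P
    H1.program(c, G, h, y, z, u, v)            # step 4: abort on a prior H' query
    return z, r, s, c

def embed_cdh(H, gb, msg, r):
    """Challenger's answer to the forger's H query: h = (g^b)^d with random d."""
    d = secrets.randbelow(Q - 1) + 1
    H.program(pow(gb, d, P), msg, r)
    return d

def extract_cdh(z, d):
    """From a forgery whose h = (g^b)^d: z = h^a = g^{abd}, so z^{1/d} = g^{ab}."""
    return pow(z, pow(d, -1, Q), P)
```

`verify` rejects any $z$ outside the order-$q$ subgroup before hashing: the extraction $z^{1/d} = g^{ab}$ only holds for $z \in G$, and the membership test costs one exponentiation. `simulated_sign` returns signatures that `verify` accepts although no secret key exists, which is what makes the simulation indistinguishable to the forger; `program` raising on a previously queried input is the abort event whose probability the analysis bounds.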
Security
Probability
Analysis - Probability of solving CDH
Abort cases
1 $H(M, r)$ was already queried $\Rightarrow \Pr = q_H \cdot 2^{-n_r}$ per signing query
- Aborting in step 1 of signing, over all $q_{sig}$ queries: $\Pr = q_{sig} \cdot q_H \cdot 2^{-n_r}$
2 Abort at step 4 of signing: $H'(g, g^\kappa, y, y^\kappa, u, u^\kappa)$ was already queried
- Probability of a collision with an earlier $H'$ input: $(q_H + q_{sig}) \cdot 2^{-2 n_q}$ ($n_q$ is the bit length of $q$)
- Final: $\Pr = q_{sig} \cdot (q_H + q_{sig}) \cdot 2^{-2 n_q}$
Cases where a successful forgery does not yield a CDH solution (because the DL equality fails)
NH: event that the attacker never queried $H'$ on the forgery's tuple $(g, h, y, z, u, v)$.
NQ: event that $DL_g(y) = DL_h(z)$ holds for the forgery (the case the reduction needs).
1 $\Pr[NH \wedge \neg NQ] \le 2^{-n_q}$: without the $H'$ query the forger can only guess $c$.
2 $\Pr[\neg NH \wedge \neg NQ] \le q_H \cdot 2^{-n_q}$: by soundness of the equality proof, each $H'$ query returns the one fatal $c$ with probability $1/q$.
Security
Probability
Assume the attacker $\mathcal{A}$ breaks the signature scheme (outputs a valid forgery) with non-negligible probability $\Pr[\mathcal{A}\ \text{forges}]$.
Then the probability that the challenger $C$ solves CDH using the attacker is
$\Pr[C\ \text{solves CDH}] \ge \Pr[\mathcal{A}\ \text{forges}] - (\Pr[\text{abort}] + \Pr[\text{DL failure}])$
$= \Pr[\mathcal{A}\ \text{forges}] - q_{sig} \cdot q_H \cdot 2^{-n_r} - q_{sig} \cdot (q_H + q_{sig}) \cdot 2^{-2 n_q} - 2^{-n_q} - q_H \cdot 2^{-n_q}$,
which is non-negligible since every subtracted term is negligible for polynomially many queries; hence $C$ solves CDH.
References
References I
[CEVDG88] David Chaum, Jan-Hendrik Evertse, and Jeroen van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In Proceedings of the 6th Annual International Conference on Theory and Application of Cryptographic Techniques, EUROCRYPT '87, pages 127–141, Berlin, Heidelberg, 1988. Springer-Verlag.
[CP93] David Chaum and Torben P. Pedersen. Wallet databases with observers. In Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO '92, pages 89–105, London, UK, 1993. Springer-Verlag.
References II
Eu-Jin Goh and Stanisław Jarecki. A signature scheme as secure as the Diffie-Hellman problem. In Proceedings of the 22nd International Conference on Theory and Applications of Cryptographic Techniques, EUROCRYPT '03, pages 401–415, Berlin, Heidelberg, 2003. Springer-Verlag.