CS/ECE 578 Cyber-Security


1 CS/ECE 578 Cyber-Security
Hash-based Primitives II
Credits: Dr. Peng Ning and Dr. Adrian Perrig
Dr. Attila A. Yavuz

2 Symmetric Forward-secure Aggregate Schemes
Discussions on the handnotes

3 Basic Digital Signature Notation
Discussions on the handnotes

4 One-Time Signatures
- Basis of all digital signatures
- Valuable tool to learn the principles
- Still, the fastest and most secure signature schemes!
- Quantum computer resistant!
- Caveat: Impractical for real-life applications
- They can be used as a “support unit”, seldom
  - Offline/online signatures
  - Tailoring for application (e.g., smart-grid, vehicular)

5 One-Time Signatures
- Use one-way functions without trapdoor
- Efficient for signature generation and verification
- Caveat: can only use one time
- Example: 1-bit one-time signature
  - P0, P1 are public values (public key)
  - S0, S1 are private values (private key)
[Figure: 1-bit one-time signature diagram with values S0, S0’, P0, S1, S1’, P1 and P]

6 Lamport’s One-Time Signature
- Uses 1-bit signature construction to sign multiple bits
[Figure: one column per message bit (Bit 0, Bit 1, Bit 2, ..., Bit n). Sign 0 private values: S0, S0’, S0’’, ..., S0*. Public values: P0, P0’, P0’’, ..., P0* and P1, P1’, P1’’, ..., P1*. Sign 1 private values: S1, S1’, S1’’, ..., S1*.]

7 Improved Construction I
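- Uses 1-bit signature construction to sign multiple bits
- Checksum bits: encode # of signature bits = 0
[Figure: "Sign message" with private values S0, S0’, S0’’, ..., S0* and public values P0, P0’, P0’’, ..., P0* for Bit 0, Bit 1, Bit 2, ..., Bit n, followed by checksum values c0, c0’, ..., c0* and p0, p0’, ..., p0* for Bit 0, Bit 1, ..., Bit log(n)]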

8 Improved Construction II
- Lamport signature has high overhead
- Goal: reduce size of public and private key
- Approach: use one-way hash chains
  - S1 = F( S0 )
  - P = F( S3 || C0 )
[Figure: signature chain S0, S1, S2, S3 with labels Sig(0), Sig(1), Sig(2), Sig(3); checksum chain C0, C1, C2, C3; public value P]

9 Hash to Obtain Random Subset (HORS)
- Merkle-Winternitz: still impractical
- BiBa (ancestor of HORS, please read)
  - Fast signature verification, but
  - Signing cost is high
- HORS goal: Develop a one-time signature scheme with
  - Fast signing and verification
  - Still same signature sizes with Merkle-Winternitz

10 Initial Scheme: Based on One-way Functions
- Generalization of Bos and Chaum one-time signatures
- A distant variant of Lamport OTS!
- Key generation
  - Generate t numbers of random l-bit values
  - Let these be the private key: SK = (s1,…,st)
  - Compute the public key PK = (v1,…,vt), where vi = f(si) and f() is a one-way function

11 Signature Generation and Verification
- Choose (t,k) s.t. C(t,k) > 2^b
- Sign a b-bit message m, 1 <m 2^b (if not just hash it)
  - Use S to find the m-th k-element subset of T: {i1,…,ik}
  - Interpret these elements as integers to choose keys as below:
  - The corresponding values (si1,…,sik) are the signature of m
- Verify message m and its signature (s’1,…, s’k)
  - Verify f(s’1) = vi1,…, f(s’k) = vik

12 Efficiency Analysis
- Key generation
  - Requires t evaluations of the one-way function
  - Secret key size = l*t bits
  - Public key size = fl*t bits
  - fl = length of the one-way function output
- Signature generation
  - Time to find the m-th k-element subset of T
- Verification
  - Time to sign + k one-way function operations

13 HORS: Based on Subset-Resilient Functions
- Replace the bijective function S with a subset-resilient function H
  - S(m) has exactly k elements
  - S fully guarantees that no two distinct messages have the same k-element subset of T
  - H(m) has at most k elements
  - H guarantees that it is infeasible to find two distinct messages m1 and m2 such that subset of T selected with H H(m1) ≠ H(m2), implies the infeasibility of subset via H
- Up to r-time signature generation

14 HORS Operations
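
An added example, not taken from the slides: HORS key generation, signing and verification as outlined on slides 10 to 13, with H(m) cut into k chunks of log2(t) bits as in the published HORS construction. SHA-256 for both f and H, the parameters t = 1024, k = 16, l = 128 bits, and the helper names `revealed` and `covered` are assumptions of this example.

```python
import hashlib
import secrets

T, K, L_BYTES = 1024, 16, 16      # assumed parameters: t, k, and l = 128 bits
LOG_T = T.bit_length() - 1        # 10 hash bits select one of the t values

def f(x):
    """One-way function f (SHA-256 is this example's choice)."""
    return hashlib.sha256(b"f" + x).digest()

def subset(message):
    """H(m): cut the hash into k chunks of log2(t) bits; each chunk is an index."""
    h = int.from_bytes(hashlib.sha256(b"H" + message).digest(), "big")
    return [(h >> (LOG_T * j)) & (T - 1) for j in range(K)]

def keygen():
    sk = [secrets.token_bytes(L_BYTES) for _ in range(T)]  # SK = (s1,...,st)
    pk = [f(s) for s in sk]                                # PK: vi = f(si)
    return sk, pk

def sign(sk, message):
    """Signature = the secret values at the indices H(m) selects."""
    return [sk[i] for i in subset(message)]

def verify(pk, message, sig):
    """Accept iff f(s'_j) equals the public value at each selected index."""
    idx = subset(message)
    return len(sig) == len(idx) and all(f(s) == pk[i] for s, i in zip(sig, idx))

def revealed(messages):
    """Indices of secret values disclosed by signing these messages."""
    return {i for m in messages for i in subset(m)}

def covered(seen, message):
    """True if every index H(message) selects has already been disclosed,
    which is the condition subset-resilience is meant to make infeasible."""
    return set(subset(message)) <= seen

if __name__ == "__main__":
    sk, pk = keygen()
    sig = sign(sk, b"meter reading 42")          # constructed sample message
    print(verify(pk, b"meter reading 42", sig))  # valid signature
    print(verify(pk, b"meter reading 43", sig))  # different message
    print(len(revealed([b"meter reading 42"])), "of", T, "secrets disclosed")
```

Each signature discloses at most k of the t secret values, so tracking `revealed` per key pair shows how quickly the "up to r-time" budget is consumed.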

15 Influence of HORS
- Time-valid HORS
- Several Variants for HORS:
  - HORSIC, HORS++, HORSE
  - Are they practical? (part of your Take-home)
- Can you extend HORS with other crypto primitives?
  - One-wayness is not all about hash functions?
  - What about modular exponentiation? RSA? or DLP/ECDLP? (part of your Take-home)
- A digression with ECDSA (to discuss principles)
- Structure-Free Rapid Authentication (one of the future lectures)

