Presentation is loading. Please wait.

Presentation is loading. Please wait.

On Non-Black-Box Proofs of Security Boaz Barak Princeton.

Published byMackenzie Wallace Modified over 11 years ago

Similar presentations

Presentation on theme: "On Non-Black-Box Proofs of Security Boaz Barak Princeton."— Presentation transcript:

1 On Non-Black-Box Proofs of Security Boaz Barak Princeton

2 9 OWF ) 9 signature schemes [NaorYung,Rompel] Prototypical Crypto Thm: If problem X is hard then scheme Y is secure. Examples: DDH hard ) 9 CCA-secure encryption [CramerShoup98] Contrapositive: 9 poly-alg A breaking Y ) 9 poly-alg B for X Typical proof: Show generic B using A as subroutine. B A x: instance of Xsolution for x We call this a black-box proof of security. In a non-black-box proof, B can use the code of A (not to be confused w/ black-box vs. non-black-box constructions)

3 More Formally: (Strongly) Black-Box Reductions (for OWF KA ) eff. (Alice, Bob), eff. Adv s.t. f and Eve [ Eve breaks (Alice f,Bob f ) ) Adv f, Eve inverts f ] f (Alice, Bob) Eve Adv f Security proof Underlying primitive. Adversary Non-black-box proofs of security: 1. Security proof may use code of underlying primitive (i.e., f) (examples: using specific assumptions, Cook-Levin) 2. Security proof may use code of adversary (this talk)

4 Non-Black-Box Security Proofs Advantages: More general proof technique, can prove more thms. Bypass proven limitations of black-box proofs. Disadvantages: Less robust proofs, more dependence on model. E.g.: Uniform TMs vs. circuits, quantum algorithms. Seem to come at steep cost in efficiency. (Somewhat surprisingly, without real understanding of computation.)

5 Applications of Non-BB Proofs: O(1)-round bounded concurrent zero-knowledge (ZK) Resettable ZK proof of knowledge [B.GoldwasserGoldreichLindell01] ZK with strict poly-time simulation & extraction [B.Lindell02] [B.01] [B.02], [PassRosen05a], [PassRosen05b] O(1)-round general multiparty computation [KatzOstrovskySmith03],[Pass04] [Lindell03],[PassRosen03],[Pass04], [B.Sahai05] O(1)-round concurrent, non-malleable commitments Concurrent, non-malleable general computation Composable protocols: Strong Forms of Zero Knowledge: Resettably-sound ZK

6 Plan I Basic Non-BB ZK Protocol [B.01] II Making it bounded-concurrent [B.01] III Making it bounded non-malleable. IV Unbounded concurrency and non-malleability using super-polynomial simulation. [Pass.04] [B.Sahai.04] V Limitations and open questions.

7 I Non-Black-Box Zero Knowledge P proves to V that stmt x is true.Zero Knowledge Proof: (e.g., x = string y is encryption of 0 x = graph G is 3-colorable ) P Stmt: x 2 {0,1} n V Witness: c:[n] {R,G,B} accept/reject

8 I Non-Black-Box Zero Knowledge P proves to V that stmt x is true.Zero Knowledge Proof: (e.g., x = string y is encryption of 0 x = graph G is 3-colorable ) P runs in poly-time given witness w for x. Completeness: Soundness:If x false, V accepts w.p. < negl(n)=n - (1) 8 (possibly cheating) V *, 9 S s.t. S(x) » V * s view in exec with P(w) Zero Knowledge: PV*V* » S( )

9 I Non-Black-Box Zero Knowledge P proves to V that stmt x is true.Zero Knowledge Proof: (e.g., x = string y is encryption of 0 x = graph G is 3-colorable ) 8 (possibly cheating) V *, 9 S s.t. S(x) » V * s view in exec with P(w) Zero Knowledge: PV*V* » S( ) V*V* Non-BB ZK:S uses the code of V * Black-Box ZK:S uses V * as a black-box subroutine. (i.e. uses subroutine for V * s next-message function),

10 x Some Tools Commitments: Efficient func Com:{0,1} k £ {0,1} n {0,1} m Hiding: 8 x,x Com(x,U n ) » Com(x,U n ) Binding: x x Com(x,{0,1} n ), Com(x,{0,1} n ) disjoint (Notation: Com(x) = Com(x,U n ) ) [Blum84],[Naor91] Collision Resistant Hash (CRH): Collection H of efficient functions {0,1} * {0,1} n s.t. for random h 2H hard to find x x w/ h(x)=h(x) (implies CRH from {0,1} 2n to {0,1} n ) [GoldwasserMicaliRivest84], SHA1,AES,… Witness Indistinguishable Proofs (WI): [FeigeShamir90] When proving x 1 Ç x 2, verifier cant tell witness used. Implied by zero knowledge. Closed under concurrent composition.

11 A Flawed Zero Knowledge Protocol PV Stmt: x 2 {0,1} n z=Com(r) r 2 R {0,1} n UAWI either 1) x is true. 2) r=r or Completeness: Prover has efficient strategy using witness for x Soundness: Suppose x is false. Let z be provers message. Denote r =Com -1 (z) Pr[ r = r ] = 2 -n Zero Knowledge: V*V* Let V * be possibly cheating ver. Assume w.l.o.g V * deterministic r=V * (z) Sims goal: z=Com(r) Problem: could take 2 n guesses. Find r s.t. r=V*(Com(r))

12 Flawed Protocol – High Level View PV Stmt: x 2 {0,1} n z=Com(r) r 2 R {0,1} n UAWI either 1) x is true. 2) r=r or r=V * (z) PV Stmt: x 2 {0,1} n guess r r 2 R {0,1} n Stmt true or I guessed r

13 Main Tool – Universal Arguments Interactive proof system for super-polynomial languages. [Kilian92],[Micali94],[B.Goldreich02] Based on following variant of PCP thm: [BabaiFortnowLevinSzegedy91] Verifier c queries 2 - (c) error Mx n bits description T running time T O(1) long proof c ¢ polylog(T) time Statement: M(x)=1 ( M can be deterministic/non-det) Every statement verifiable in T time deterministically, can be proven in polylog(T) time in prob. proof in sky (PCP) model.

14 [Merkle] Universal Arguments Mx n bits description T running time PV T O(1) long proof h col-res hash h:{0,1} 2k {0,1} k = root of hash tree of invoke h root … = q 1,…,q c PCP ver queries Answers + paths in tree Prover time: poly(T) Soundness: negl(k) Communication: k ¢ polylog(T) Verifier time:k ¢ polylog(T)+poly(n) [Kilian92,Micali94],… Using commitments and ZK/WI proofs for NP can get UAZK/UAWI w/ same parameters. Is proof of knowledge [B.Goldreich02]

15 Basic Non-BB Zero Knowledge PV CRH h:{0,1} * {0,1} n Stmt: x 2 {0,1} n z=Com(h(M)) r 2 R {0,1} n UAWI either 1) x is true. 2) M(z)=r (in · n log n steps) or Completeness: Prover has efficient strategy using witness for x Soundness: Suppose x is false. Let z be provers message. Assume it binds to a single TM M. Denote r =M(z) Pr[ r = r ] = 2 -n Zero Knowledge: M: Turing machine. Honest prover uses junk TM: always outputs 0 V*V* Let V * be possibly cheating ver. Assume w.l.o.g V * deterministic r=V * (z) z=Com(h(V * )) Sim uses z=Com(h(V * )) Inherently non-BB simulator. Note use of UA property. [GoldreichKrawczyck86] [B.01]

16 High Level View: Basic Non-BB ZK PV CRH h:{0,1} * {0,1} n Stmt: x 2 {0,1} n z=Com(h(M)) r 2 R {0,1} n UAWI either 1) x is true. 2) M(z)=r (in · n log n steps) or [B.01] PV Stmt: x 2 {0,1} n implicitly guess r r 2 R {0,1} n Stmt true I guessed r or

17 II Bounded-Concurrent ZK Concurrent ZK: [DworkNaorSahai98],[RichardsonKilian99],… Coordinated attack of several verifiers against concurrently scheduled ZK proofs. Bounded Concurrent: P1P1 V1V1 P2P2 V2V2 P3P3 V3V3 t sessions. Protocol communication and time poly(t,n). V*V* Challenging because typical rewinding technique blows up simulation time. Requires ~ (log n) rounds for BB ZK. [CanettiKilianPetrankRosen01] …,[PrabhakaranRosenSahai03]

18 P1P1 h Stmt: x 2 {0,1} n UAWI either 1) x is true. 2) M(z)=r V*V* r=V * (z) z=Com(h(V * )) Is Basic Protocol Concurrent ZK? P2P2 Stmt: x 2 {0,1} n h V*V* z=Com(h(V * )) trans r=V * (z,trans) UAWI either 1) x is true. 2) M(z)=r ?

19 Is Basic Protocol Concurrent ZK? P1P1 h Stmt: x 2 {0,1} n UAWI either 1) x is true. 2) M(z)=r V*V* r=V * (z) z=Com(h(V * )) P2P2 Stmt: x 2 {0,1} n h V*V* z=Com(h(V * )) trans r=V * (z,trans) UAWI either 1) x is true. 2) M(z)=r ?

20 Is Basic Protocol Concurrent ZK? P1P1 h Stmt: x 2 {0,1} n UAWI either 1) x is true. 2) M(z)=r V*V* r=V * (z) z=Com(h(V * )) P2P2 Stmt: x 2 {0,1} n h V*V* z=Com(h(V * )) trans r=V * (z,trans) UAWI either 1) x is true. 2) M(z)=r ? Idea: relax the definition of guessing r Change (2) to M(z,trans)=r for some |trans| < |r|/2 That is: z is implicit guess for 2 |trans| possibilities for r. (notation: guess |trans| r ) Crucial point: can ensure all prover verifier msgs have length << |r| Corollary: O(1)-round bounded ZK (bcZK) for all NP. [B.01]

21 III Non-Malleable ZK [DworkDolevNaor90] Adversary is man-in-middle between prover & verifier. PV1V1 P2P2 V V*V* Bounded non-malleability:ids come from set of size t, protocol communication and time poly(t,n) [DDN] : O(logn)-rounds [B.02] : O(1)-rounds [Pass04] : O(1)-rounds bounded non-mal [PassRosen05a] : make [Pass04] unbounded NM (simpler, weaker assump) A bit different non-BB technique. Security goal:Ensure proof to honest verifiers is sound even when simulating honest prover – simulation soundness. [Sahai00] 2 sessions with unique id. Arbitrary scheduling. (synchronized is hardest)

22 Is Simulation Soundness Trivial? x,id P V1V1 P2P2 V V*V* To simulate – consider V and V * as one standalone verifier V, and use simulator for V. First, note that in real MIM interaction, right session is sound. (otherwise combine V * and P to prover contradicting standalone soundness) But, since simulators output ~ real interaction, how can simulation differ? Note: known not to hold for some protocols, but why does naïve proof fail? Naive attempt to prove that every ZK protocol is simulation sound: The event that x is true is not efficiently observable. Simulator uses coins of V, so right session not necessarily sound.

23 Passs Bounded-NMZK Protocol PV1V1 imp. guess r 1 r 1 2 R {0,1} Stmt true or guessed m1 r 1 m1m1 [Pass04] Crucial observation: use bcZK to get one-directional simulation soundness. P2P2 V imp. guess r 2 r 2 2 R {0,1} Stmt true or guessed m2 r 2 m2m2 If m 1 >> |right session| then can simulate left w/o right verifiers coins! Passs Protocol: 1. Use |r| = id*B (B bound on all other comm in all sessions, note ids bounded) 2. Run another iteration w/ id = max{id} - id 3. Prove in WI that at least one of the iterations succeeded.

24 IV Concurrent+Non-Malleable ZK Many concurrent executions. Adversary corrupts both verifiers and provers. Bad News:[PS] construction uses non-standard tailored assumptions. V*V* P1P1 P2P2 P3P3 V1V1 V2V2 V3V3 Goal: simulation soundness: proofs to honest verifiers valid even in simulation. Sufficient for concurrent secure computation of any task.Good News: [CanettiLindellOstrovskySahai02],[GoldreichMicaliWigderson87] Impossible to achieve natural definition (UC). Bad News: [Lindell03],[Lindell04] Good News:Maybe can achieve relaxed def: quasi-polynomial simulation. Implies: securely computing any task w/ qpoly simulation. [PrabhakaranSahai04] Good News:Using non-BB obtain same result under standard assumptions (i.e., implied by factoring is subexp hard) [B.Sahai05]

25 Isnt qpoly simulation trivial? PV Stmt: x 2 {0,1} n N = pretty large random composite WI proof either 1) x is true. Completeness: As always. Soundness: From hardness of factoring Com(p) Concurrent ZK: 2) p prime factor of N Straight-line simulation. [Pass03] Simulation soundness?? V1V1 P2P2 V*V* PV Nsame N z=Com(p)same z x true or p|N Stmt: x 2 {0,1} n x true or p|N In simulation V * can ensure 2 nd condition is true. No reason for right session to be sound! Brute Force Op Broke BFOP

26 Starting point: Passs protocol for bounded-NM zero knowledge 1 st Step: Change it to handle #ids to t=n log n Problem: In Passs protocol communication>t Solution: Compress the long messages. r 1 2 R {0,1} m1m1 m1m1 Com(h(r 1 )) Know r 1 UAZK r 1 =0 n Is it (stand-alone) sound? Is it (stand-alone) zero knowledge? Concurrent Non-Mal qZK Protocol [B.Sahai05] If proof succssesful, have qpoly-time knowledge extractor can obtain r 1 by rewinding Implicitly send r 1

27 Completeness: As before. Soundness: Will follow from simulation soundness. ZK+Simulation Soundness: Straightline simulator breaking BFOP (4). Why is that simulation sound?? P V Stmt: x 2 {0,1} n imp guess r 1 imp send r 1 UAWI either 1) stmt true 2) guessed m1 r 1 id 2 [t] 3) guessed m2 r 2 BFOP 4) broke BFOP m 1 = n logn id, m 2 = n logn (t-id) imp guess r 2 imp send r 2 Concurrent Non-Mal qZK Protocol* [B.Sahai05]

28 ZK+Simulation Soundness: Straightline simulator breaking BFOP (4) Change: Make option (1) weakly indist – observable in qpoly time. Not an immediate solution: simulator now only weakly indist from real prover. Idea: build auxiliary simulator that: 1) Strongly indist from real simulator. 2) Satisfies simulation soundness. Why we need the real simulator? Auxiliary simulator uses the witness. P V Stmt: x 2 {0,1} n imp guess r 1 imp send r 1 UAWI either 1) stmt true 2) guessed m1 r 1 id 2 [t] 3) guessed m2 r 2 BFOP 4) broke BFOP m 1 = n logn id, m 2 = n logn (t-id) imp guess r 2 imp send r 2 Concurrent Non-Mal qZK Protocol* [B.Sahai05]

29 ZK+Simulation Soundness: Real Prover: Uses:witness(1) Sim-sound: yes Real Simulator: Uses: time (4) Sim-sound: ? ~ (weak) ~~ (strong) Aux Simulator: Uses: witness,non-BB (2,3) Sim-sound: yes P V Stmt: x 2 {0,1} n imp guess r 1 imp send r 1 UAWI either 1) stmt true 2) guessed m1 r 1 id 2 [t] 3) guessed m2 r 2 BFOP 4) broke BFOP m 1 = n logn id, m 2 = n logn (t-id) imp guess r 2 imp send r 2 Concurrent Non-Mal qZK Protocol* [B.Sahai05] Yes!

30 ZK+Simulation Soundness: Constructing the auxiliary simulator. Execution we need to simulate: V1V1 V3V3 V*V* P1P1 P2P2 P3P3 V2V2 Useful observation: Can assume only one honest verifier. m 1 = n logn id, m 2 = n logn (t-id) P V Stmt: x 2 {0,1} n imp guess r 1 imp send r 1 UAWI either 1) stmt true 2) guessed m1 r 1 id 2 [t] 3) guessed m2 r 2 BFOP 4) broke BFOP imp guess r 2 imp send r 2 Concurrent Non-Mal qZK Protocol* [B.Sahai05] Aux Simulator: Uses: witness,non-BB (2,3) Sim-sound: yes

31 The auxiliary simulator: P*V imp guess r 1 imp send r 1 2) guessed m1 r 1 BFOP UAWI either 1) stmt true 3) guessed m2 r 2 4) broke BFOP imp guess r 2 imp send r 2 V* imp guess r 1 imp send r 1 BFOP 2) guessed m1 r 1 UAWI either 1) stmt true 3) guessed m2 r 2 4) broke BFOP imp guess r 2 imp send r 2 P Honest ver uses r 1 =0 n Well use r 1 2 R {0,1} m1 Need program s.t. ( )=r 1 for | 1 |<< r 1 Can now simulate this part w/o access to vers coins. Build using V* + r 1 + UA knowledge extractor

32 P2P2 P3P3 PmPm … The auxiliary simulator: P*V imp guess r 1 imp send r 1 2) guessed m1 r 1 BFOP UAWI either 1) stmt true 3) guessed m2 r 2 4) broke BFOP imp guess r 2 imp send r 2 V* imp guess r 1 imp send r 1 BFOP 2) guessed m1 r 1 UAWI either 1) stmt true 3) guessed m2 r 2 4) broke BFOP imp guess r 2 imp send r 2 P Build using V* + r 1 + UA knowledge extractor To run extractor need to simulate other sessions. To simulate other sessions, need to run extractor. When building use witness to sim other sessions! never sent in clear – still strongly indist!

33 Questions: All these use universal args. Are there different non-BB techniques? Random oracle model also used to achieve non-malleability and concurrent security. Can we justify this? (so far mostly negative results [CanettiGoldreichHalevi98],[GoldwasserTa03] ) Is there ZK system w/ O(1)-rounds and public coin verifier? Related to both these questions. Are these non-BB techniques inherently unpractical? Two problematic components: general ZK and PCP theorem. On other hand:PCP get simpler, more efficient Maybe can push complexity to simulation? [BenSassonSudan05],[Dinur05] Handling quantum adversaries? [B.Sahai05]

34 V*V* V h Stmt: x 2 {0,1} n z 1 =Com(h(M 1 )) UACom(r 1 ) UAWI either 1) x is true. 2) 9 |t 1 |<k 1 -n s.t. M 1 (z 1,t 1 )=r 1 id 2 [t] 3) 9 |t 2 |<k 2 -n s.t. M 2 (z 2,t 2 )=r 2 z 2 =Com(h(M 1 )) UACom(r 2 ) BFOP 4) Broke BFOP. k 1 = n logn id, k 2 = n logn (t-id) P1P1 P2P2 Rules of engagement: Simulate execution s.t.: 1) Never use option #1 in UAWI 2) No use of time between dotted lines. 2) No use of ver. coins after green line. Use M 1 = V * program + r 1 + extractor for UA To rewind, M 1 uses witness! Use random r 1 of length k 1

35 V*V* V h Stmt: x 2 {0,1} n z 1 =Com(h(M 1 )) UACom(r 1 ) UAWI either 1) x is true. 2) 9 |t 1 |<k 1 -n s.t. M 1 (z 1,t 1 )=r 1 id 2 [t] 3) 9 |t 2 |<k 2 -n s.t. M 2 (z 2,t 2 )=r 2 z 2 =Com(h(M 1 )) UACom(r 2 ) BFOP 4) Broke BFOP. k 1 = n logn id, k 2 = n logn (t-id) P1P1 P2P2 Rules of engagement: Simulate execution s.t.: 1) Never use option #1 in UAWI 2) No use of time between dotted lines. 2) No use of ver. coins after green line. Use M 1 = V * program + r 1 + extractor for UA To rewind, M 1 uses witness! Use random r 1 of length k 1

Download ppt "On Non-Black-Box Proofs of Security Boaz Barak Princeton."

Similar presentations

Merkle Puzzles Are Optimal

Merkle Puzzles Are Optimal
QMA/qpoly PSPACE/poly: De-Merlinizing Quantum Protocols Scott Aaronson University of Waterloo.

QMA/qpoly PSPACE/poly: De-Merlinizing Quantum Protocols Scott Aaronson University of Waterloo.
On Black-Box Separations in Cryptography

On Black-Box Separations in Cryptography
Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Ronen Shaltiel, University of Haifa Chris Umans, Caltech.

Low-End Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Ronen Shaltiel, University of Haifa Chris Umans, Caltech.
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Coin Tossing With A Man In The Middle Boaz Barak.

Coin Tossing With A Man In The Middle Boaz Barak.
Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.

Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.
Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,

Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,
Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.

Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.
Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.

Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.
Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:

Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
Quantum Information and the PCP Theorem Ran Raz Weizmann Institute.

Quantum Information and the PCP Theorem Ran Raz Weizmann Institute.
OPENING THE BLACK BOX Boaz Barak Institute for Advanced Study Princeton, NJ New Techniques in Cryptography.

OPENING THE BLACK BOX Boaz Barak Institute for Advanced Study Princeton, NJ New Techniques in Cryptography.
Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.

Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Similar presentations

Ads by Google