formal methods and cryptography
play

Formal Methods and Cryptography Lecture 25 Formal Methods Formal - PowerPoint PPT Presentation

Sep 27, 2023 •433 likes •1.67k views

Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations of computer science Formal Methods Logical foundations of computer science A language that machines can understand Formal Methods Logical

  1. Modeling e.g. Dolev-Yao Term-rewriting algebra: operations that can lead to new events are defined by rules for writing new terms Operations: send/receive terms; pick “nonces”; pair/separate; “encrypt”/“decrypt” For each user X, public operation E X and private operation D X D X (E X (m)) can be rewritten as m Separate(Pair(a,b)) gives a,b No other rewritings; each party can use terms it received and rewrite them (according to the protocol); adversary can obtain the closure of all terms sent out in the network

  2. Security Properties - 1

  3. Security Properties - 1 Valid trace of a system: a sequence of events possible in the system (for the given protocol and an arbitrary adversary)

  4. Security Properties - 1 Valid trace of a system: a sequence of events possible in the system (for the given protocol and an arbitrary adversary) Event: input/output/communication by parties or adversary

  5. Security Properties - 1 Valid trace of a system: a sequence of events possible in the system (for the given protocol and an arbitrary adversary) Event: input/output/communication by parties or adversary Security property is defined for a trace, and a protocol is called secure if all valid traces satisfy the security property

  6. Security Properties - 1 Valid trace of a system: a sequence of events possible in the system (for the given protocol and an arbitrary adversary) Event: input/output/communication by parties or adversary Security property is defined for a trace, and a protocol is called secure if all valid traces satisfy the security property e.g.: For a key-agreement protocol, a trace is insecure if it has Alice outputting a nonce R (i.e., event [Alice:(output,R)] ) and the adversary also outputting R (event [Eve:(output,R)] )

  7. Security Properties - 1 Valid trace of a system: a sequence of events possible in the system (for the given protocol and an arbitrary adversary) Event: input/output/communication by parties or adversary Security property is defined for a trace, and a protocol is called secure if all valid traces satisfy the security property e.g.: For a key-agreement protocol, a trace is insecure if it has Alice outputting a nonce R (i.e., event [Alice:(output,R)] ) and the adversary also outputting R (event [Eve:(output,R)] ) e.g.: (in BAN logic) “(A believes B said X) at some point ⇒ (B said X) before that point”

  8. Security Properties - 2

  9. Security Properties - 2 Security in spi calculus (inherited from pi calculus) essentially same as simulation-based security

  10. Security Properties - 2 Security in spi calculus (inherited from pi calculus) essentially same as simulation-based security Observational Equivalence: Two systems P, Q are observationally equivalent if for all systems (environments) Z, the systems (Z|P) and (Z|Q) produce the same outputs

  11. Security Properties - 2 Security in spi calculus (inherited from pi calculus) essentially same as simulation-based security Observational Equivalence: Two systems P, Q are observationally equivalent if for all systems (environments) Z, the systems (Z|P) and (Z|Q) produce the same outputs To define security of a protocol, define an ideal protocol (think as ideal functionality, combined with a simulator for the “dummy adversary”) and require that the two systems are observationally equivalent

  12. Security Properties - 2 Security in spi calculus (inherited from pi calculus) essentially same as simulation-based security Observational Equivalence: Two systems P, Q are observationally equivalent if for all systems (environments) Z, the systems (Z|P) and (Z|Q) produce the same outputs To define security of a protocol, define an ideal protocol (think as ideal functionality, combined with a simulator for the “dummy adversary”) and require that the two systems are observationally equivalent Limitation: original spi calculus incorporated an ideal shared-key encryption and no other cryptographic features; extensions typically limited to secure communication tasks

  13. An Example

  14. An Example Needham-Schroeder-Lowe (public-key) protocol

  15. An Example Needham-Schroeder-Lowe (public-key) protocol For “mutual authentication”

  16. An Example Needham-Schroeder-Lowe (public-key) protocol For “mutual authentication” Or, for “key agreement”

  17. An Example Needham-Schroeder-Lowe (public-key) protocol For “mutual authentication” Or, for “key agreement” Uses an ideal encryption (or signcryption) to let two parties exchange nonces so that each should know that the nonce came from the other party (whose public-key it already has)

  18. An Example Needham-Schroeder-Lowe (public-key) protocol For “mutual authentication” Or, for “key agreement” Uses an ideal encryption (or signcryption) to let two parties exchange nonces so that each should know that the nonce came from the other party (whose public-key it already has) The nonce should be useful as a secret shared-key

  19. An Example Needham-Schroeder-Lowe (public-key) protocol For “mutual authentication” Or, for “key agreement” Uses an ideal encryption (or signcryption) to let two parties exchange nonces so that each should know that the nonce came from the other party (whose public-key it already has) The nonce should be useful as a secret shared-key Most formal frameworks use this example, to show that they can find the bug in the original Needham-Schroeder protocol (1978)

  20. An Example Needham-Schroeder-Lowe (public-key) protocol For “mutual authentication” Or, for “key agreement” Uses an ideal encryption (or signcryption) to let two parties exchange nonces so that each should know that the nonce came from the other party (whose public-key it already has) The nonce should be useful as a secret shared-key Most formal frameworks use this example, to show that they can find the bug in the original Needham-Schroeder protocol (1978) Or new bugs in extended settings

  21. Initiator ( M init ): Responder ( M resp ): initialize ( self , other ); initialize ( self , other ); newrandom ( na ); receive ( a na enc ); pair ( self , na , a na ); decrypt ( self , a na enc , a na ); encrypt ( other , a na , a na enc ); separate ( a na , a , na ); send ( a na enc ); test ( a == other ); receive ( b na nb enc ); newrandom ( nb ); decrypt ( self , b na nb enc , b na nb ); pair ( other , na , b na ); separate ( b na nb , b , na nb ); pair ( b na , nb , b na nb ); test ( b == other ); encrypt ( other , b na nb , b na nb enc ); separate ( na nb , na2 , nb ); send ( b na nb enc ); test ( na == na2 ); receive ( nb enc ); encrypt ( other , nb , nb enc ); decrypt ( self , nb enc , nb2 ); send ( nb enc ); test ( nb == nb2 ); pair ( self , other , a b ); pair ( self , x , b a x ); pair ( a b , x , a b x ); pair ( Finished , b a x , out ); pair ( Finished , a b x , out ); output ( out ); output ( out ); done ; done ; Version 1: x = na (Initiator’s nonce output as secret key) Version 2: x = nb (Responder’s nonce output as secret key) [NSL protocol, from Canetti-Herzog 2006]

  22. Automated Analysis

  23. Automated Analysis Not necessarily very efficient

  24. Automated Analysis Not necessarily very efficient Often NP-hard (or even P-SPACE hard). Typical algorithms are exponential in the size of the system

  25. Automated Analysis Not necessarily very efficient Often NP-hard (or even P-SPACE hard). Typical algorithms are exponential in the size of the system Typically undecidable when allowing an unbounded number of concurrent sessions

  26. Automated Analysis Not necessarily very efficient Often NP-hard (or even P-SPACE hard). Typical algorithms are exponential in the size of the system Typically undecidable when allowing an unbounded number of concurrent sessions Popular models (Dolev-Yao, BAN logic, spi calculus) have reasonably efficient algorithms for analyzing a variety of security properties, if the system is small (e.g., single session)

  27. Automated Analysis Not necessarily very efficient Often NP-hard (or even P-SPACE hard). Typical algorithms are exponential in the size of the system Typically undecidable when allowing an unbounded number of concurrent sessions Popular models (Dolev-Yao, BAN logic, spi calculus) have reasonably efficient algorithms for analyzing a variety of security properties, if the system is small (e.g., single session) Sometimes state-exploration (using model-checking tools) can be used to discover (some) flaws, but does not prove security

  28. What does Security in a Formal Model mean?

  29. What does Security in a Formal Model mean? “Encryption” as proposed in most of the formal models attributes message secrecy, key-anonymity, non-malleability, circular-encryption security, MAC/signature properties and much more (while requiring it to be deterministic)

  30. What does Security in a Formal Model mean? “Encryption” as proposed in most of the formal models attributes message secrecy, key-anonymity, non-malleability, circular-encryption security, MAC/signature properties and much more (while requiring it to be deterministic) Possibly achievable in random-oracle model or generic-group model

  31. What does Security in a Formal Model mean? “Encryption” as proposed in most of the formal models attributes message secrecy, key-anonymity, non-malleability, circular-encryption security, MAC/signature properties and much more (while requiring it to be deterministic) Possibly achievable in random-oracle model or generic-group model Security guarantee similar in spirit to these heuristic models

  32. What does Security in a Formal Model mean? “Encryption” as proposed in most of the formal models attributes message secrecy, key-anonymity, non-malleability, circular-encryption security, MAC/signature properties and much more (while requiring it to be deterministic) Possibly achievable in random-oracle model or generic-group model Security guarantee similar in spirit to these heuristic models Security against adversaries who use only operations permitted by the formal model

  33. What does Security in a Formal Model mean?

  34. What does Security in a Formal Model mean? Can we develop strong underlying crypto primitives to implement the “encryption” as used in these formal models?

  35. What does Security in a Formal Model mean? Can we develop strong underlying crypto primitives to implement the “encryption” as used in these formal models? Not quite, but maybe strong enough to translate the formal-model guarantees to security guarantees in the computational model

  36. What does Security in a Formal Model mean? Can we develop strong underlying crypto primitives to implement the “encryption” as used in these formal models? Not quite, but maybe strong enough to translate the formal-model guarantees to security guarantees in the computational model A formal model is “sound” if we can do the following:

  37. What does Security in a Formal Model mean? Can we develop strong underlying crypto primitives to implement the “encryption” as used in these formal models? Not quite, but maybe strong enough to translate the formal-model guarantees to security guarantees in the computational model A formal model is “sound” if we can do the following: Translate protocol in computational model to formal model. Get security guarantee for it in formal model. This should imply security of the original protocol in the computational model

  38. What does Security in a Formal Model mean? Can we develop strong underlying crypto primitives to implement the “encryption” as used in these formal models? Not quite, but maybe strong enough to translate the formal-model guarantees to security guarantees in the computational model In a specific A formal model is “sound” if we can do the following: format, using only specific Translate protocol in computational model to formal primitives model. Get security guarantee for it in formal model. This should imply security of the original protocol in the computational model

  39. What does Security in a Formal Model mean? Can we develop strong underlying crypto primitives to implement the “encryption” as used in these formal models? Not quite, but maybe strong enough to translate the formal-model guarantees to security guarantees in the computational model In a specific A formal model is “sound” if we can do the following: format, using only specific Translate protocol in computational model to formal primitives model. Get security guarantee for it in formal model. If primitives This should imply security of the original protocol in the satisfy computational model certain security definitions

  40. What does Security in a Formal Model mean? Can we develop strong underlying crypto primitives to implement the “encryption” as used in these formal models? Not quite, but maybe strong enough to translate the formal-model guarantees to security guarantees in the computational model In a specific A formal model is “sound” if we can do the following: format, using only specific Translate protocol in computational model to formal primitives model. Get security guarantee for it in formal model. If primitives This should imply security of the original protocol in the satisfy computational model certain security Soundness of the formal model and formal security definitions property for the computational task and primitive used

  41. Soundness of Formal Models

  42. Soundness of Formal Models Initiated by Abadi-Rogaway (2001)

  43. Soundness of Formal Models Initiated by Abadi-Rogaway (2001) Shows soundness for a class of protocols/tasks: protocol secure for the task, if formal protocol has a certain security property in the formal model, and protocol uses CCA secure encryption in place of ideal encryptions in the formal model

  44. Soundness of Formal Models Initiated by Abadi-Rogaway (2001) Shows soundness for a class of protocols/tasks: protocol secure for the task, if formal protocol has a certain security property in the formal model, and protocol uses CCA secure encryption in place of ideal encryptions in the formal model Since then extended to various authentication/key-agreement-like tasks (and some computation tasks), against passive and active adversaries, using different formal models (algebras, spi-calculus)

  45. Soundness of Formal Models Initiated by Abadi-Rogaway (2001) Shows soundness for a class of protocols/tasks: protocol secure for the task, if formal protocol has a certain security property in the formal model, and protocol uses CCA secure encryption in place of ideal encryptions in the formal model Since then extended to various authentication/key-agreement-like tasks (and some computation tasks), against passive and active adversaries, using different formal models (algebras, spi-calculus) Recent works incorporate signatures, NIZK proofs etc.

  46. Soundness of Formal Models Initiated by Abadi-Rogaway (2001) Shows soundness for a class of protocols/tasks: protocol secure for the task, if formal protocol has a certain security property in the formal model, and protocol uses CCA secure encryption in place of ideal encryptions in the formal model Since then extended to various authentication/key-agreement-like tasks (and some computation tasks), against passive and active adversaries, using different formal models (algebras, spi-calculus) Recent works incorporate signatures, NIZK proofs etc. Typically each work considers a specific task, develops a security criterion in a specific formal model, and establishes soundness for protocols using specific crypto primitives (like CCA2 encryption)

  47. Soundness of Formal Models Initiated by Abadi-Rogaway (2001) Shows soundness for a class of protocols/tasks: protocol secure for the task, if formal protocol has a certain security property in the formal model, and protocol uses CCA secure encryption in place of ideal encryptions in the formal model Since then extended to various authentication/key-agreement-like tasks (and some computation tasks), against passive and active adversaries, using different formal models (algebras, spi-calculus) Recent works incorporate signatures, NIZK proofs etc. Typically each work considers a specific task, develops a security criterion in a specific formal model, and establishes soundness for protocols using specific crypto primitives (like CCA2 encryption) Somewhat general frameworks: e.g., Backes et al. (CCS 2009)

  48. Soundness of Formal Models

  49. Soundness of Formal Models Several challenges

  50. Soundness of Formal Models Several challenges Traditional models usually deterministic (except for picking nonces, and possibly within the encryption operation), but for many interesting tasks cryptographic protocols typically use more randomness

  51. Soundness of Formal Models Several challenges Traditional models usually deterministic (except for picking nonces, and possibly within the encryption operation), but for many interesting tasks cryptographic protocols typically use more randomness If model is too general, becomes hard/intractable to automatically reason

  52. Soundness of Formal Models Several challenges Traditional models usually deterministic (except for picking nonces, and possibly within the encryption operation), but for many interesting tasks cryptographic protocols typically use more randomness If model is too general, becomes hard/intractable to automatically reason Promising approach: Universal Composition -- require stronger per-session security that will allow decomposing the analysis to be per-session

  53. Soundness of Formal Models Several challenges Traditional models usually deterministic (except for picking nonces, and possibly within the encryption operation), but for many interesting tasks cryptographic protocols typically use more randomness If model is too general, becomes hard/intractable to automatically reason Promising approach: Universal Composition -- require stronger per-session security that will allow decomposing the analysis to be per-session Only a few security properties have been considered (related to authentication and secure communication). Need to identify automatically verifiable (and sufficient) criteria for each new task

  54. Universal Composition

  55. Universal Composition Recall: security guarantee (in computational model) in terms of an ideal functionality (can be used in a formal model)

  56. Universal Composition Recall: security guarantee (in computational model) in terms of an ideal functionality (can be used in a formal model) From [GMW’87]. Used by [Pfitzmann-Waidner’01] and [Canetti’01]

  57. Universal Composition Recall: security guarantee (in computational model) in terms of an ideal functionality (can be used in a formal model) From [GMW’87]. Used by [Pfitzmann-Waidner’01] and [Canetti’01] UC Security [Canetti’01]: security is defined for one session of the protocol, in the presence of an arbitrary environment

  58. Universal Composition Recall: security guarantee (in computational model) in terms of an ideal functionality (can be used in a formal model) From [GMW’87]. Used by [Pfitzmann-Waidner’01] and [Canetti’01] UC Security [Canetti’01]: security is defined for one session of the protocol, in the presence of an arbitrary environment Composition Theorem: UC security of individual sessions automatically implies UC security of multiple concurrent sessions

  59. Universal Composition Recall: security guarantee (in computational model) in terms of an ideal functionality (can be used in a formal model) From [GMW’87]. Used by [Pfitzmann-Waidner’01] and [Canetti’01] UC Security [Canetti’01]: security is defined for one session of the protocol, in the presence of an arbitrary environment Composition Theorem: UC security of individual sessions automatically implies UC security of multiple concurrent sessions Drawback: a strong security requirement that is more “expensive” to realize

  60. Universal Composition Recall: security guarantee (in computational model) in terms of an ideal functionality (can be used in a formal model) From [GMW’87]. Used by [Pfitzmann-Waidner’01] and [Canetti’01] UC Security [Canetti’01]: security is defined for one session of the protocol, in the presence of an arbitrary environment Composition Theorem: UC security of individual sessions automatically implies UC security of multiple concurrent sessions Drawback: a strong security requirement that is more “expensive” to realize Advantages: 1. Security for concurrent sessions. 2. Easy to use as a sub-module in higher level protocols and analyze security. Analysis of higher level protocols often “automatable”

  61. Composition Logic

  62. Composition Logic Ongoing research

  63. Composition Logic Ongoing research Protocol Composition Logic of Mitchell et al.

  64. Composition Logic Ongoing research Protocol Composition Logic of Mitchell et al. Formal model and soundness theorems by Canetti-Herzog

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Formal Methods and Cryptography Lecture 24 1 Formal Methods 2 Formal Methods Logical

Formal Methods and Cryptography Lecture 24 1 Formal Methods 2 Formal Methods Logical

Formal Methods and Cryptography Lecture 24 1 Formal Methods 2 Formal Methods Logical foundations of computer science 2 Formal Methods Logical foundations of computer science A language that machines can understand 2 Formal Methods

1.22k views • 121 slides
T riple Handshake: can cryptography, formal methods, and applied security be friends?

T riple Handshake: can cryptography, formal methods, and applied security be friends?

T riple Handshake: can cryptography, formal methods, and applied security be friends? http://miTLS.org Karthik Bhargavan Markulf Kohlweiss with Antoine Delignat-Lavaud, Cdric Fournet, Alfredo Pironti, Pierre-Yves Strub, Santiago Zanella

639 views • 46 slides
Formal Methods for Cryptography Santiago Zanella-B eguelin santiago@microsoft.com Cambridge,

Formal Methods for Cryptography Santiago Zanella-B eguelin santiago@microsoft.com Cambridge,

Formal Methods for Cryptography Santiago Zanella-B eguelin santiago@microsoft.com Cambridge, UK 2013.03.0408 18th Estonian Winter School in Computer Science EWSCS 2013 EasyCrypt pipeline ProofGeneral Frontend Emacs Shell EasyCrypt

724 views • 47 slides
Formal Methods Michael Collins. 18-849, Section B Spring 1999 Formal Methods Why

Formal Methods Michael Collins. 18-849, Section B Spring 1999 Formal Methods Why

Formal Methods Michael Collins. 18-849, Section B Spring 1999 Formal Methods Why Formalisms? Relationships Flaws Some systems Conclusions Why Formal Methods? We already can build systems. Roman Engineers built

671 views • 12 slides
Lecture Outline 1. The lecturer 2. Introduction to Formal Methods DD2452 Formal Methods 3.

Lecture Outline 1. The lecturer 2. Introduction to Formal Methods DD2452 Formal Methods 3.

Lecture Outline 1. The lecturer 2. Introduction to Formal Methods DD2452 Formal Methods 3. Course syllabus 4. Course objectives Introductory Lecture 5. Course organization 1. Lecturer 2. Formal Methods Name: Dilian Gurov Formal

56 views • 3 slides
Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Formal Methods Assurance for TTP John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Formal Methods Assurance for TTP: 1 Formal Methods for Analysis and Assurance: The Idea Testing/Simulation Formal

200 views • 6 slides
Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in

Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in

Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in system development Aim to increase confidence in riktighet of system Apply to both hardware and software 1 Formal methods Complement other

524 views • 25 slides
A Review of Formal Methods : 200514170 : (T4) (T4)

A Review of Formal Methods : 200514170 : (T4) (T4)

A Review of Formal Methods : 200514170 : (T4) (T4) Contents INTRODUCTION INTRODUCTION DEFINITION AND OVERVIEW OF FORMAL METHODS SPECIFICATION METHODS LIFE CYCLES AND

317 views • 19 slides
Requirements and Formal Methods Softw are Engineering Overview Overview on the RE process

Requirements and Formal Methods Softw are Engineering Overview Overview on the RE process

Requirements and Formal Methods Softw are Engineering Overview Overview on the RE process What are Formal Methods? Advantages and Disadvantages of Formal Methods Formal Methods in the Requirement Process Mathematical Formulas

561 views • 20 slides
THEY DIDNT KNOW THEY WERE DOING MATHEMATICS INTRODUCING FORMAL METHODS USING REWRITING

THEY DIDNT KNOW THEY WERE DOING MATHEMATICS INTRODUCING FORMAL METHODS USING REWRITING

THEY DIDNT KNOW THEY WERE DOING MATHEMATICS INTRODUCING FORMAL METHODS USING REWRITING LOGIC Peter Olveczky University of Oslo FMfun19, December 3, 2019 OUTLINE How to introduce formal methods to undergraduates? Fun!

1.95k views • 171 slides
Formal Methods at Intel An Overview John Harrison Intel Corporation Second NASA Formal

Formal Methods at Intel An Overview John Harrison Intel Corporation Second NASA Formal

Formal Methods at Intel An Overview John Harrison Intel Corporation Second NASA Formal Methods Symposium NASA HQ, Washington DC 14th April 2010 (09:0010:00) 0 Table of contents Intels diverse verification problems Verifying

834 views • 45 slides
A Formal (proved) Approach to Discrete System Development Modeling J-R. Abrial September 2004

A Formal (proved) Approach to Discrete System Development Modeling J-R. Abrial September 2004

A Formal (proved) Approach to Discrete System Development Modeling J-R. Abrial September 2004 Purpose of the Course - Giving some insights about Formal Methods - Showing that Formal Methods can be made practical - Illustrating Formal Methods

1.25k views • 112 slides
Formal Methods && Tools Group Stefania Gnesi F F F M&&T M&&T

Formal Methods && Tools Group Stefania Gnesi F F F M&&T M&&T

F F F Formal Methods && Tools Group Stefania Gnesi F F F M&&T M&&T M&&T June 27, 03 Formal Methods && Tools Group - ISTI CNR CAF - 1 F F F Outline Overview of the Formal Methods

276 views • 23 slides
Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

3BA31 Formal Methods 1 3BA31: Formal Methods Andrew Butterfield Foundations & Methods Group, Software Systems Laboratory Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember This? A Stock

631 views • 33 slides
Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

3BA31 Formal Methods 1 3BA31: Formal Methods Andrew Butterfield Foundations & Methods Group, Software Systems Laboratory Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember This? A Stock

1.75k views • 151 slides
1Initial Ideas on Formal Methods UIT2206: The Importance of Being Formal Martin Henz January

1Initial Ideas on Formal Methods UIT2206: The Importance of Being Formal Martin Henz January

Preliminaries Hallmarks of a Formal Approach Formal Systems in Information Technology 1Initial Ideas on Formal Methods UIT2206: The Importance of Being Formal Martin Henz January 15, 2014 Generated on Wednesday 15 th January, 2014, 09:54

517 views • 49 slides
High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago

High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago

High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 Stealing Internet mail: easy! Given a mail message: Your mail software sends a DNS request, receives a server address, makes

924 views • 61 slides
Metaprogramming in SML: ;; Contents of postfix-fancy-transform.rkt (define (postfix-run pgm args)

Metaprogramming in SML: ;; Contents of postfix-fancy-transform.rkt (define (postfix-run pgm args)

Recall the Racket PostFix Interpreter Metaprogramming in SML: ;; Contents of postfix-fancy-transform.rkt (define (postfix-run pgm args) ) PostFix and S-expressions (define (postfix-exec-commands cmds init-stk) ) (define

306 views • 6 slides
CSE 105 THEORY OF COMPUTATION Fall 2016 http://cseweb.ucsd.edu/classes/fa16/cse105-abc/ Today's

CSE 105 THEORY OF COMPUTATION Fall 2016 http://cseweb.ucsd.edu/classes/fa16/cse105-abc/ Today's

CSE 105 THEORY OF COMPUTATION Fall 2016 http://cseweb.ucsd.edu/classes/fa16/cse105-abc/ Today's learning goals Sipser Sec 3.2 Prove Turing-recognizability using Turing machines Enumerators State and use the Church-Turing thesis.

512 views • 16 slides
The Differential Equation for a Vibrating String Bernd Schr oder logo1 Bernd Schr oder

The Differential Equation for a Vibrating String Bernd Schr oder logo1 Bernd Schr oder

Model Forces The Equation The Differential Equation for a Vibrating String Bernd Schr oder logo1 Bernd Schr oder Louisiana Tech University, College of Engineering and Science The Differential Equation for a Vibrating String Model

697 views • 53 slides
Secure Distributed Computation on Private Inputs David Pointcheval ENS - CNRS - INRIA

Secure Distributed Computation on Private Inputs David Pointcheval ENS - CNRS - INRIA

Secure Distributed Computation on Private Inputs David Pointcheval ENS - CNRS - INRIA Foundations & Practice of Security Clermont-Ferrand, France - October 27th, 2015 The Cloud David Pointcheval Introduction 2 / 30 Access from

761 views • 41 slides
Why Your Encrypted Database Is Not Secure Paul Grubbs Tom Ristenpart Vitaly Shmatikov

Why Your Encrypted Database Is Not Secure Paul Grubbs Tom Ristenpart Vitaly Shmatikov

Why Your Encrypted Database Is Not Secure Paul Grubbs Tom Ristenpart Vitaly Shmatikov Outsourced Applications Today Server data data Encrypt the data! Encrypt the Data App functionality no App functionality no longer works :( longer

1.42k views • 58 slides
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois

High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois

High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers Unbroken

739 views • 44 slides
Functional Encryption for Inner Product with Full Function Privacy by Sourav Mukhopadhyay joint

Functional Encryption for Inner Product with Full Function Privacy by Sourav Mukhopadhyay joint

Functional Encryption for Inner Product with Full Function Privacy by Sourav Mukhopadhyay joint work with Pratish Datta and Ratna Dutta Department of Mathematics Indian Institute of Technology Kharagpur Kharagpur-721302 India PKC 2016

340 views • 23 slides

More recommend