ouroboros: a simple, secure and efficient key exchange ... · ouroboros: a simple, secure and e...

Ouroboros: a simple, secure and efficient key exchange protocol based on coding theory

Jean-Christophe Deneuville <[email protected]>

June the 26th, 2017, PQCrypto'17, Utrecht

Joint work with P. Gaborit (University of Limoges) and G. Zémor (University of Bordeaux)



Motivations

[Figure: timeline of code-based cryptosystems, from McEliece [ME78] in the 80's down to the 00's, annotated with key sizes. Labels on the figure: [Nie86]; other variations, most of them broken; [Gab91]; [Ale03]; [Gab05]; [Ove07] attacks; group action: [MB09] dyadic, [BCGO09] alternant; NTRU-like: [BBC08] QC-LDPC, [MTSB13] QC-MDPC, [GMRZ13] QC-LRPC; rank metric; underlying codes RS, BCH, Goppa, RM; [ABDGZ16] HQC and RQC, with a security reduction to a standard problem (random codes).]

Bottom line: lack a proof, lack efficiency.



Reminders on HQC Presentation of the Ouroboros protocol Security Parameters Conclusion

Outline

1. Reminders on HQC
2. Presentation of the Ouroboros protocol
3. Security
4. Parameters

J.-C. Deneuville Ouroboros: simple, secure, efficient code-based key exchange June the 26th, 2017 3 / 21

HQC Encryption Scheme [ABD+16]

Encryption scheme in Hamming metric, using Quasi-Cyclic Codes.

Notation: the slide colour-codes secret data (the key $(x, y)$), public data ($\mathrm{seed}_h, s, v, \rho$) and one-time randomness ($r_1, r_2, \varepsilon$); the colours are lost in this transcript.

$G$ is the generator matrix of some public code $\mathcal{C}$.

Alice:
$\mathrm{seed}_h \xleftarrow{\$} \{0,1\}^\lambda$, $h \xleftarrow{\mathrm{seed}_h} \mathbb{F}_2^n$
$x, y \xleftarrow{\$} \mathcal{S}^n_w(\mathbb{F}_2)$, $s \leftarrow x + h y$
sends $(\mathrm{seed}_h, s)$ to Bob

Bob:
$r_1, r_2 \xleftarrow{\$} \mathcal{S}^n_w(\mathbb{F}_2)$, $\varepsilon \xleftarrow{\$} \mathcal{S}^n_{cw}(\mathbb{F}_2)$
$v \leftarrow r_1 + h r_2$, $\rho \leftarrow \mu G + s r_2 + \varepsilon$
sends $(v, \rho)$ to Alice

Alice:
$\mu \leftarrow \mathcal{C}.\mathrm{Decode}(\rho - v y)$


Correctness

Correctness property: $\mathrm{Decrypt}(\mathrm{sk}, \mathrm{Encrypt}(\mathrm{pk}, \mu, \theta)) = \mu$.

$\mathcal{C}.\mathrm{Decode}$ correctly decodes $\rho - v \cdot y$ whenever the error term is not too big, where $\omega$ is the Hamming weight and $\delta$ the decoding capacity of $\mathcal{C}$:

$\omega(s \cdot r_2 - v \cdot y + \varepsilon) \le \delta$

$\omega((x + h \cdot y) \cdot r_2 - (r_1 + h \cdot r_2) \cdot y + \varepsilon) \le \delta$

$\omega(x \cdot r_2 - r_1 \cdot y + \varepsilon) \le \delta$

Error distribution analysis → the decryption failure probability is better understood.
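The correctness argument above, as an added, hand-constructed illustration that is not code from the slides or from the HQC authors: a toy HQC over $\mathbb{F}_2[X]/(X^n-1)$, with a block repetition code standing in for the public code $\mathcal{C}$ (the real scheme uses a much better code), and insecure toy parameters (n = 184, w = 2, w_e = 3) chosen so that the error term $x r_2 - r_1 y + \varepsilon$ has weight at most $2w^2 + w_\varepsilon = 11$ while each 23-bit repetition block tolerates 11 flips; decryption therefore never fails here, which is the bound the slide states. The `run` function also checks the identity $\rho - v y = \mu G + (x r_2 - r_1 y + \varepsilon)$ that the three inequalities rest on.

```python
import random

# Toy parameters, far too small to be secure; chosen so that decoding is
# guaranteed: the error term has weight <= 2*W*W + W_E = 11, and a 23-bit
# repetition block only decodes wrongly with >= 12 flipped bits.
N = 184          # ring length n; real HQC uses a prime n in the thousands
W = 2            # Hamming weight of x, y, r1, r2
W_E = 3          # Hamming weight of the error epsilon
K = 8            # message bits
M = N // K       # repetition block length (23); C = K repetition blocks
MASK = (1 << N) - 1

def rotl(a, i):
    """Multiply a by X^i in F2[X]/(X^N - 1) (vectors are packed into ints)."""
    i %= N
    return ((a << i) | (a >> (N - i))) & MASK

def mul(a, b):
    """Product in F2[X]/(X^N - 1); in characteristic 2, '-' is the same as '+'."""
    acc = 0
    while a:
        i = (a & -a).bit_length() - 1   # lowest set bit of a
        acc ^= rotl(b, i)
        a &= a - 1
    return acc

def weight(a):
    return bin(a).count("1")

def rand_weight(rng, w):
    """Uniform element of S^N_w(F2): w distinct positions set to 1."""
    v = 0
    for pos in rng.sample(range(N), w):
        v |= 1 << pos
    return v

def encode(mu):
    """mu*G for the repetition code: message bit j fills block j."""
    cw = 0
    for j in range(K):
        if (mu >> j) & 1:
            cw |= ((1 << M) - 1) << (j * M)
    return cw

def decode(c):
    """C.Decode: majority vote per block, corrects up to (M-1)//2 errors per block."""
    mu = 0
    for j in range(K):
        block = (c >> (j * M)) & ((1 << M) - 1)
        if 2 * weight(block) > M:
            mu |= 1 << j
    return mu

def keygen(rng):
    h = rng.getrandbits(N)               # public; the real scheme sends seed_h and expands it
    x, y = rand_weight(rng, W), rand_weight(rng, W)
    s = x ^ mul(h, y)                    # s = x + h*y
    return (h, s), (x, y)

def encrypt(pk, mu, rng):
    h, s = pk
    r1, r2, eps = rand_weight(rng, W), rand_weight(rng, W), rand_weight(rng, W_E)
    v = r1 ^ mul(h, r2)                  # v = r1 + h*r2
    rho = encode(mu) ^ mul(s, r2) ^ eps  # rho = mu*G + s*r2 + eps
    return (v, rho), (r1, r2, eps)       # randomness returned only to inspect the error term

def decrypt(sk, ct):
    x, y = sk
    v, rho = ct
    return decode(rho ^ mul(v, y))       # C.Decode(rho - v*y)

def error_term(sk, coins):
    """The term the decoder has to absorb: x*r2 - r1*y + eps."""
    x, y = sk
    r1, r2, eps = coins
    return mul(x, r2) ^ mul(r1, y) ^ eps

def run(seed):
    """One encrypt/decrypt round; also checks rho - v*y = mu*G + (x*r2 - r1*y + eps)."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    mu = rng.getrandbits(K)
    ct, coins = encrypt(pk, mu, rng)
    v, rho = ct
    identity_ok = (rho ^ mul(v, sk[1]) ^ encode(mu)) == error_term(sk, coins)
    return {"mu": mu, "decrypted": decrypt(sk, ct),
            "error_weight": weight(error_term(sk, coins)), "identity_ok": identity_ok}

def max_error_weight(trials, seed=0):
    """Empirical look at the error-weight distribution behind the failure probability."""
    return max(run(seed * trials + i)["error_weight"] for i in range(trials))
```

With real parameters the bound $2w^2 + w_\varepsilon$ is far above $\delta$ and the scheme relies instead on the typical weight of the error term, which is why the slide's error distribution analysis is what pins down the decryption failure probability; `max_error_weight` is the kind of empirical sanity check one would run before trusting such an analysis.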


Outline

1. Reminders on HQC
2. Presentation of the Ouroboros protocol
   Cyclic Error Decoding
   BitFlipping algorithm
   Description of the protocol
3. Security
4. Parameters

A particular decoding

HQC requires $x \cdot r_2 - r_1 \cdot y + \varepsilon$ to be "small" to decode correctly. Ouroboros further exploits the shape of the error.

Cyclic Error Decoding (CED) Problem
Let $x, y, r_1, r_2 \xleftarrow{\$} \mathcal{S}^n_w(\mathbb{F}_2)$ with $w = O(\sqrt{n})$, and $e \xleftarrow{\$} \mathcal{S}^n_{cw}(\mathbb{F}_2)$ a random error vector. Given $(x, y) \in (\mathcal{S}^n_w(\mathbb{F}_2))^2$ and $e_c \leftarrow x r_2 - y r_1 + e$ such that $\omega(r_1) = \omega(r_2) = w$, find $(r_1, r_2)$.

This is essentially a noisy syndrome decoding (SD) problem: writing the products as circulant matrix-vector products,

$e_c = \begin{pmatrix} \mathbf{x} & -\mathbf{y} \end{pmatrix} \begin{pmatrix} r_2 \\ r_1 \end{pmatrix} + e$

where $\mathbf{x}$ and $\mathbf{y}$ are the circulant matrices of $x$ and $y$: a parity-check matrix $(\mathbf{x} \mid -\mathbf{y})$, an error $(r_2, r_1)$ of weight $2w$, and the noise $e$ added to the syndrome.


Hard Decision Decoding: BitFlipping

Introduced by Gallager in 1962. Iterative decoding for Low Density Parity Check codes. The decoding capacity increases linearly with the code length.

Intuition:
1. Compute the number of unsatisfied parity-check equations for each bit of the message.
2. If this number is greater than some threshold, flip the bit and go to 1.
3. Stop when the syndrome is null (or after a certain number of iterations).

Easy to understand, easy to implement, pretty efficient. The threshold value is crucial [CS16].


Ouroboros

Requires a hash function $\mathrm{Hash} : \{0,1\}^* \longrightarrow \mathcal{S}^n_{cw}(\mathbb{F}_2)$ [Sen05].
The $\varepsilon$ of HQC plays the role of the exchanged secret in Ouroboros.
CE-Decoder is a modified BitFlipping algorithm to solve the CED problem.

Alice:
$\mathrm{seed}_h \xleftarrow{\$} \{0,1\}^\lambda$, $h \xleftarrow{\mathrm{seed}_h} \mathbb{F}_2^n$
$x, y \xleftarrow{\$} \mathcal{S}^n_w(\mathbb{F}_2)$, $s \leftarrow x + h y$
sends $(h, s)$ to Bob

Bob:
$r_1, r_2 \xleftarrow{\$} \mathcal{S}^n_w(\mathbb{F}_2)$
$e_r \leftarrow \mathrm{Hash}(r_1, r_2)$, $\varepsilon \xleftarrow{\$} \mathcal{S}^n_{w_e}(\mathbb{F}_2)$
$s_r \leftarrow r_1 + h r_2$, $s_e \leftarrow s r_2 + e_r + \varepsilon$
sends $(s_r, s_e)$ to Alice; shared secret: $\varepsilon$

Alice:
$e_c \leftarrow s_e - y s_r = x r_2 - y r_1 + \varepsilon'$ (with $\varepsilon' = e_r + \varepsilon$, the $h$ terms cancelling)
$(r_1, r_2) \leftarrow \text{CE-Decoder}(x, y, e_c, t, w, w_e)$
$\varepsilon \leftarrow e_c - x r_2 + y r_1 - \mathrm{Hash}(r_1, r_2)$
shared secret: $\varepsilon$
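The three preceding slides (the CED problem and its noisy-SD view, Gallager's bit flipping, and the Ouroboros exchange) as one added, hand-constructed example; this is not code from the slides or from the Ouroboros authors. It uses toy parameters (n = 128, w = 3) and fixed sparse vectors for $x, y, r_1, r_2, \varepsilon$ chosen so that no two product terms overlap, which makes the bit-flipping step checkable by hand: every true position of $r_2$ (resp. $r_1$) has exactly $w$ unsatisfied checks and no false position does. The `ce_decoder` here is my own variable-threshold bit flipper written against the CED instance, not the authors' CE-Decoder, and `toy_hash` is a deterministic arithmetic stand-in for the fixed-weight hash of [Sen05], not a cryptographic hash; a real instantiation would expand a cryptographic hash into a weight-$cw$ vector.

```python
import random

# Toy parameters, far too small to be secure; W_H plays the "cw" weight of the slide.
N = 128          # ring length n; real parameters use a prime n in the thousands
W = 3            # Hamming weight of x, y, r1, r2
W_H = 2          # Hamming weight of Hash(r1, r2)
W_E = 2          # Hamming weight of the exchanged secret epsilon
MASK = (1 << N) - 1

def vec(positions):
    """F2^N vector (packed into an int) with ones at the given positions."""
    v = 0
    for p in positions:
        v |= 1 << (p % N)
    return v

def supp(a):
    return [i for i in range(N) if (a >> i) & 1]

def weight(a):
    return bin(a).count("1")

def rotl(a, i):
    """Multiply a by X^i in F2[X]/(X^N - 1)."""
    i %= N
    return ((a << i) | (a >> (N - i))) & MASK

def mul(a, b):
    """Product in F2[X]/(X^N - 1); in characteristic 2, '-' is the same as '+'."""
    acc = 0
    for i in supp(a):
        acc ^= rotl(b, i)
    return acc

def circulant_syndrome(x, y, r2, r1):
    """Noisy-SD view: H = (rot(x) | rot(y)), column j of rot(x) is x rotated by j,
    so H * (r2 || r1)^T is the XOR of the selected columns, i.e. x*r2 + y*r1."""
    acc = 0
    for j in supp(r2):
        acc ^= rotl(x, j)
    for j in supp(r1):
        acc ^= rotl(y, j)
    return acc

def ce_decoder(x, y, e_c, t, w, noise_w, max_iter=10):
    """Gallager bit flipping on the CED instance e_c = x*r2 + y*r1 + e.  Position j
    of r2 has weight(rotl(x, j) & residual) unsatisfied checks (same for r1 with y);
    positions reaching threshold t are flipped and removed from the residual.  Stops
    once r1, r2 have weight w and the residual is as light as the noise e; if nothing
    flips, t is lowered by one (the threshold choice [CS16] warns about)."""
    r1 = r2 = 0
    residual = e_c
    for _ in range(max_iter):
        if weight(residual) <= noise_w and weight(r1) == w and weight(r2) == w:
            break
        flips2 = [j for j in range(N) if weight(rotl(x, j) & residual) >= t]
        flips1 = [j for j in range(N) if weight(rotl(y, j) & residual) >= t]
        if not flips1 and not flips2:
            t -= 1
            if t == 0:
                break
            continue
        for j in flips2:
            r2 ^= 1 << j
            residual ^= rotl(x, j)
        for j in flips1:
            r1 ^= 1 << j
            residual ^= rotl(y, j)
    return r1, r2, residual

def toy_hash(r1, r2):
    """Stand-in for Hash : {0,1}* -> S^N_{cw}(F2) [Sen05].  NOT a cryptographic hash:
    it maps (r1, r2) to W_H fixed positions so the instance below stays hand-checkable."""
    seed = 31 * sum(supp(r1)) + 17 * sum(supp(r2))
    return vec([(seed * (i + 1) + 9) % N for i in range(W_H)])

# Constructed instance: supports chosen so that no two product terms overlap
# (every true position gets counter exactly W).  Drawn at random in the real protocol.
X, Y = vec([0, 1, 5]), vec([2, 7, 20])            # Alice's secret key
R1, R2 = vec([40, 56, 100]), vec([10, 30, 70])     # Bob's one-time randomness
EPS = vec([3, 90])                                 # Bob's choice of shared secret

def ouroboros_exchange(seed=0):
    rng = random.Random(seed)
    # Alice: h public random (from seed_h in the real scheme), s = x + h*y; sends (h, s)
    h = rng.getrandbits(N)
    s = X ^ mul(h, Y)
    # Bob: s_r = r1 + h*r2, s_e = s*r2 + Hash(r1, r2) + eps; sends (s_r, s_e)
    e_r = toy_hash(R1, R2)
    s_r = R1 ^ mul(h, R2)
    s_e = mul(s, R2) ^ e_r ^ EPS
    # Alice: e_c = s_e - y*s_r = x*r2 - y*r1 + (Hash(r1, r2) + eps); the h terms cancel
    e_c = s_e ^ mul(Y, s_r)
    identity_ok = e_c == (mul(X, R2) ^ mul(Y, R1) ^ e_r ^ EPS)
    r1, r2, _ = ce_decoder(X, Y, e_c, t=W, w=W, noise_w=W_H + W_E)
    # Alice's copy of the secret: eps = e_c - x*r2 + y*r1 - Hash(r1, r2)
    eps_alice = e_c ^ mul(X, r2) ^ mul(Y, r1) ^ toy_hash(r1, r2)
    return {"identity_ok": identity_ok, "decoded": (r1, r2) == (R1, R2),
            "alice_secret": eps_alice, "bob_secret": EPS}
```

Because $h$ cancels in $s_e - y s_r$, the decoder's input does not depend on the seed, which is why the exchange agrees for every seed here; with random vectors of realistic weight the bit flipper can mis-decode, and the threshold schedule and the weight parameters are what keep that failure probability negligible.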


Page 48 (slide 12 / 21)

Outline

1 Reminders on HQC
2 Presentation of the Ouroboros protocol
3 Security
  Security Model and Hybrid Argument
  Ouroboros Security
4 Parameters

Page 49 (slide 13 / 21)

Security Model and Hybrid Argument

Key exchange as an encryption scheme

Same as Ding et al. [Din12, DXL12], Peikert's [Pei14], BCNS [BCNS15] and NewHope [ADPS16]

Usual game: Exp^{ind-b}_{E,A}(λ)
  1. param ← Setup(1^λ)
  2. (pk, sk) ← KeyGen(param)
  3. (ε_0, ε_1) ← A(FIND : pk)
  4. c* ← Encrypt(pk, ε_b, θ)
  5. b′ ← A(GUESS : c*)
  6. RETURN b′

Hybrid argument:
  1. Construct a sequence of games transitioning from Enc(ε_0) to Enc(ε_1)
  2. Prove they are indistinguishable one from another

Page 54 (slide 15 / 21)

Security

Definition (SD Distribution)
For positive integers n, k, and w, the SD(n, k, w) Distribution chooses H ←$ F^{(n−k)×n} and x ←$ F^n such that ω(x) = w, and outputs (H, Hx^⊤).

Definition (Decisional s-QCSD Problem)
For positive integers n, k, w, s, a random parity check matrix H of a QC code C and y ←$ F^n, the Decisional s-Quasi-Cyclic SD Problem s-DQCSD(n, k, w) asks to decide with non-negligible advantage whether (H, y^⊤) came from the s-QCSD(n, k, w) distribution or the uniform distribution over F^{(n−k)×n} × F^{n−k}.

Theorem
Ouroboros is IND-CPA under the 2-DQCSD and 3-DQCSD assumptions. (→ sketch of proof)

Page 58 (slide 17 / 21)

Reduction Compliant Parameters

Ouroboros Parameters

Instance    n       w    w_e  threshold  security  DFR
Low-I       5,851   47   94   30         80        0.92·10^−5
Low-II      5,923   47   94   30         80        2.3·10^−6
Medium-I    13,691  75   150  45         128       0.96·10^−5
Medium-II   14,243  75   150  45         128       1.09·10^−6
Strong-I    40,013  147  294  85         256       4.20·10^−5
Strong-II   40,973  147  294  85         256       < 10^−6

Table: Parameter sets for Ouroboros

Page 60 (slide 19 / 21)

Optimized Parameters wrt Best Known Attacks

Ouroboros Optimized Parameters

Instance    n       w    w_e  threshold  security  DFR
Low-I       4,813   41   123  27         80        2.23·10^−5
Low-II      5,003   41   123  27         80        2.60·10^−6
Medium-I    10,301  67   201  42         128       1.01·10^−4
Medium-II   10,837  67   201  42         128       < 10^−7
Strong-I    32,771  131  393  77         256       < 10^−4
Strong-II   33,997  131  393  77         256       < 10^−7

Table: Optimized parameter sets for Ouroboros in Hamming metric

Page 61 (slide 20 / 21)

Conclusion

In this talk
  Ouroboros: a secure, simple, and efficient code-based key exchange protocol
  Efficient decoding through BitFlipping
  Competitive parameters

Further Improvements
  Improve BitFlipping threshold [CS16]
  Switching to Rank metric drastically improves parameters! (→ interlude)
  Optimize implementation
  OpenSSL TLS integration

Page 69

Thanks!

[ABDGZ16] Carlos Aguilar Melchor, Olivier Blazy, Jean-Christophe Deneuville, Philippe Gaborit, and Gilles Zémor. Efficient encryption from random quasi-cyclic codes. CoRR, abs/1612.05572, 2016.

[ADPS16] Erdem Alkim, Léo Ducas, Thomas Pöppelmann, and Peter Schwabe. Post-quantum key exchange - a new hope. In Thorsten Holz and Stefan Savage, editors, 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, August 10-12, 2016, pages 327–343. USENIX Association, 2016.

[Ale03] Michael Alekhnovich. More on average case vs approximation complexity. In 44th Symposium on Foundations of Computer Science (FOCS 2003), 11-14 October 2003, Cambridge, MA, USA, Proceedings, pages 298–307, 2003.

[BCNS15] Joppe W. Bos, Craig Costello, Michael Naehrig, and Douglas Stebila. Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In 2015 IEEE Symposium on Security and Privacy, pages 553–570. IEEE Computer Society Press, May 2015.

[CS16] Julia Chaulet and Nicolas Sendrier. Worst case QC-MDPC decoder for McEliece cryptosystem. In Information Theory (ISIT), 2016 IEEE International Symposium on, pages 1366–1370. IEEE, 2016.

[Din12] Jintai Ding. New cryptographic constructions using generalized learning with errors problem. Cryptology ePrint Archive, Report 2012/387, 2012.

[DXL12] Jintai Ding, Xiang Xie, and Xiaodong Lin. A simple provably secure key exchange scheme based on the learning with errors problem. Cryptology ePrint Archive, Report 2012/688, 2012.

[MTSB13] Rafael Misoczki, Jean-Pierre Tillich, Nicolas Sendrier, and Paulo S. L. M. Barreto. MDPC-McEliece: New McEliece variants from moderate density parity-check codes. In Information Theory Proceedings (ISIT), 2013 IEEE International Symposium on, pages 2069–2073. IEEE, 2013.

[Pei14] Chris Peikert. Lattice cryptography for the internet. In Michele Mosca, editor, Post-Quantum Cryptography - 6th International Workshop, PQCrypto 2014, Waterloo, ON, Canada, October 1-3, 2014, Proceedings, volume 8772 of Lecture Notes in Computer Science, pages 197–219. Springer, 2014.

[Sen05] Nicolas Sendrier. Encoding information into constant weight words. In Information Theory, 2005. ISIT 2005. Proceedings. International Symposium on, pages 435–438. IEEE, 2005.

Paper available @ http://unil.im/ouroboros

Page 71 (slide 22 / 21)

Rank Metric Interlude (1/2)

Rank metric defined over (finite) extensions of finite fields

F_q a finite field with q a power of a prime.
F_{q^m} an extension of degree m of F_q.
F_{q^m} can be seen as a vector space over F_q.
B = (b_1, ..., b_m) a basis of F_{q^m} over F_q.
Let v = (v_1, ..., v_n) be a word of length n in F_{q^m}.
Any coordinate v_j = Σ_{i=1}^{m} v_{ij} b_i with v_{ij} ∈ F_q.

v = (v_1, ..., v_n) → V =
  [ v_11  v_12  ...  v_1n ]
  [ v_21  v_22  ...  v_2n ]
  [  ...   ...  ...   ... ]
  [ v_m1  v_m2  ...  v_mn ]

Rank weight of word
v has rank r = rank(v) iff the rank of V = (v_ij)_{ij} is r. Equivalently rank(v) = r ⇔ v_j ∈ V_r ⊂ F_{q^m} with dim(V_r) = r.
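The rank weight of this slide computed in Python, as an added example that is not from the talk: the coordinates of v are expanded in a basis of F_{2^m} to build the matrix V, and Gaussian elimination over F_2 gives rank(v) together with a basis of the support V_r that every v_j lies in. Assumptions: q = 2, a coordinate stored as an m-bit integer whose bits are the v_ij, and a constructed word in F_{2^4} as sample input.

```python
# Rank weight of a word v = (v_1, ..., v_n) over F_{2^m} (q = 2 in this demo).
# A coordinate v_j = sum_i v_ij b_i is stored as an m-bit integer whose bit i is
# v_ij in F_2, so each integer is exactly column j of the slide's matrix V.

# Constructed sample input in F_{2^4} with basis B = (1, a, a^2, a^3):
# v = (a, a^2, a + a^2, 0, a^3) has Hamming weight 4 but rank weight 3, because
# the third coordinate is an F_2-combination of the first two.
EXAMPLE = [0b0010, 0b0100, 0b0110, 0b0000, 0b1000]

def to_matrix(v, m):
    """The m x n matrix V = (v_ij) of the slide: row i holds the coefficients of b_i."""
    return [[(c >> i) & 1 for c in v] for i in range(m)]

def hamming_weight(v):
    """Hamming weight: the number of nonzero coordinates of v."""
    return sum(1 for c in v if c)

def reduce_by_basis(c, basis):
    """Reduce c against an echelon basis keyed by leading-bit position (over F_2)."""
    for lead in sorted(basis, reverse=True):
        if (c >> lead) & 1:
            c ^= basis[lead]
    return c

def support_basis(v):
    """Gaussian elimination over F_2 on the columns of V: returns an echelon basis
    of the support V_r = span_{F_2}(v_1, ..., v_n) as {leading bit: vector}."""
    basis = {}
    for c in v:
        c = reduce_by_basis(c, basis)
        if c:                       # independent of everything seen so far
            basis[c.bit_length() - 1] = c
    return basis

def rank_weight(v):
    """rank(v) = rank of V = dim(V_r); it never exceeds min(m, n) or the Hamming weight."""
    return len(support_basis(v))

def in_support(c, v):
    """rank(v) = r  <=>  every v_j lies in an r-dimensional V_r: membership test."""
    return reduce_by_basis(c, support_basis(v)) == 0

if __name__ == "__main__":
    print("V =", to_matrix(EXAMPLE, 4))
    print("Hamming weight", hamming_weight(EXAMPLE), "rank weight", rank_weight(EXAMPLE))
```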

Page 74 (slide 23 / 21)

Rank Metric Interlude (2/2)

Best Known Attacks have worse complexity in rank metric (2^{O(n^2)}) than in Hamming metric (2^{O(n)}). Consequence: worse attacks ⇒ better parameters

Ouroboros-R Parameters

Instance         key size (bits)  n   m   q  w  security  decoding failure
Ouroboros-R-I    1,591            37  43  2  5  100       10^−4
Ouroboros-R-II   2,809            53  53  2  5  128       10^−8
Ouroboros-R-III  3,953            59  67  2  6  192       10^−7
Ouroboros-R-IV   5,293            67  79  2  7  256       10^−5
Ouroboros-R-V    5,618            53  53  4  6  256       10^−10

Parameter sets for Ouroboros-R in rank metric. (← back to conclusion)

Page 77 (slide 24 / 21)

Sketch of proof

Sequence of games from Enc(ε_0) to Enc(ε_1):

Enc(ε_0) → Enc_{s*}(ε_0) → Enc_{s*,r*}(ε_0) → Enc_{s*,r*}(ε_1) → Enc_{s*}(ε_1) → Enc(ε_1)

Adv^{ind}_{E,A}(λ) ≤ 2 · (Adv^{2-DQCSD}(λ) + Adv^{3-DQCSD}(λ))

(← back to security)
