Information-theoretic Secrecy A Cryptographic Perspective
1 Information-theoretic Secrecy: A Cryptographic Perspective. Stefano Tessaro, UC Santa Barbara. WCS 2017, April 30, 2017. Based on joint works with M. Bellare and A. Vardy.
3 Cryptography: computational assumptions (CRYPTO, EUROCRYPT, STOC, FOCS, ...); information-theoretic cryptography: key agreement, privacy amplification, multi-party protocols. Information theory & coding: physical assumptions (e.g., noise) (ISIT, ITW, IEEE Trans. on IT, ...); physical-layer security, where work continues to date.
4 Parallel dimensions: a curious cryptographer; generic constructions.
5 This talk in a nutshell: a cryptographic view on the wiretap channel model (though really, this extends to information-theoretic secrecy more broadly).
M. Bellare, S. Tessaro and A. Vardy. Semantic Security for the Wiretap Channel. Crypto.
M. Bellare, S. Tessaro and A. Vardy. A Cryptographic Treatment of the Wiretap Channel. Cryptology ePrint Archive 2012/15.
M. Bellare and S. Tessaro. Polynomial-time, Semantically-Secure Encryption Achieving the Secrecy Capacity. Cryptology ePrint Archive 2012/22.
6 Physical-layer security. (Figure: very low power, very short distance, e.g. a credit card number; at a large distance only a degraded signal.)
7 Wyner's wiretap channel [W75, CK78]. The sender computes $C = \mathrm{ENC}(M)$; the receiver gets $C'$ through the main channel $\mathrm{ChR}$ (transition law $P_{Y|X}$) and outputs $M' = \mathrm{DEC}(C')$; the adversary gets $Z(M)$ through $\mathrm{ChA}$ (transition law $P_{Z|X}$), which is noisier than $\mathrm{ChR}$. Message privacy: $Z(M)$ gives no information about $M$. Correctness: $M' = M$ with very high probability.
8 Example: binary symmetric channels. $\mathrm{ChR} = \mathrm{BSC}_p$ and $\mathrm{ChA} = \mathrm{BSC}_q$ with $p < q$ (a $\mathrm{BSC}_\epsilon$ flips each bit independently with probability $\epsilon$). Other examples: BECs, Gaussian channels, ...
9 Rate and capacity. Goal: maximize the rate $R = |M|/|C|$. Capacity = best possible rate as $m \to \infty$. Asymptotic setting (parameter = message length $m$): $\mathrm{ChR}$ and $\mathrm{ChA}$ have a finite alphabet and are used $c(m)$ times.
10 Rate and capacity, cont'd. Mutual information: $I(X;Y) = \sum_{x,y} P_{XY}(x,y) \log \frac{P_{XY}(x,y)}{P_X(x)\,P_Y(y)} = H(X) - H(X|Y)$. If for all $X$ we have $I(X;\mathrm{ChR}(X)) \ge I(X;\mathrm{ChA}(X))$, then the secrecy capacity is $C = \max_{P_X} \big[I(X;\mathrm{ChR}(X)) - I(X;\mathrm{ChA}(X))\big]$. Issues: existential result + weak security [W75, CK78].
11 Outline. 1. Security metrics for the wiretap channel. 2. Generic construction of a capacity-achieving scheme. 3. Open directions.
12 Secrecy Metrics
13 Traditional secrecy notions, based on Shannon metrics and asymptotic. Let $M_m$ be a uniform $m$-bit message (ENC works on arbitrary-length messages). Weak secrecy: $\lim_{m\to\infty} I(M_m; Z(M_m))/m = 0$. Strong secrecy: $\lim_{m\to\infty} I(M_m; Z(M_m)) = 0$. Weak secrecy is a weak notion: leakage of order $1/m$ vs. $2^{-m}$.
14 How secure is a scheme? Many cryptographers take a quantitative approach to security: an advantage $\mathrm{Adv}(\mathrm{ENC};\mathrm{ChA}) \in \mathbb{R}$. Example: $\mathrm{Adv}^{\mathrm{mis\text{-}r}}(\mathrm{ENC};\mathrm{ChA}) = I(M; Z(M))$. Next: which quantity is most suitable? From now on: one-shot. The advantage could depend on a security parameter (e.g., message length); security then means the advantage is small as a function of the security parameter. Later: what about $M$ being uniform?
15 Statistical distance. Definition. The statistical distance of $X$ and $Y$ is $\mathrm{SD}(X,Y) = \frac{1}{2}\sum_x |P_X(x) - P_Y(x)| = \frac{1}{2}\|P_X - P_Y\|_1$. Distinguishing advantage: over distinguishers $D$ with output in $\{0,1\}$, $\mathrm{SD}(X,Y) = \max_D \big|\Pr[D(X)=1] - \Pr[D(Y)=1]\big|$.
16 RDS security. KL divergence: $\mathrm{KL}(X\|Y) = \sum_x P_X(x) \log \frac{P_X(x)}{P_Y(x)}$. Let $M'$ be a second message, independent of $M$ (both random and uniform, see slide 23). $\mathrm{Adv}^{\mathrm{rds}}(\mathrm{ENC};\mathrm{ChA}) = \mathrm{SD}((M,Z(M)); (M,Z(M')))$ and $\mathrm{Adv}^{\mathrm{mis\text{-}r}}(\mathrm{ENC};\mathrm{ChA}) = \mathrm{KL}((M,Z(M)) \,\|\, (M,Z(M')))$.
17 Example: guessing. Let $p_g = \Pr[\tilde M = M]$ be the probability that an adversary given $Z(M)$ guesses $M$, and $p'_g = \Pr[\tilde M = M] = 2^{-m}$ the same probability when the adversary is instead given $Z(M')$ for an independent $M'$. Since guessing is a distinguisher, $p_g - p'_g \le \mathrm{Adv}^{\mathrm{rds}}(\mathrm{ENC};\mathrm{ChA})$, i.e. $p_g \le \mathrm{Adv}^{\mathrm{rds}}(\mathrm{ENC};\mathrm{ChA}) + 2^{-m}$.
18 Semantic security, first contact. For any $f$, guessing $f(M)$ from $Z(M)$ is not (substantially) easier than without knowing $Z(M)$! Examples of $f$: the identity; the first or last bit of the message; a subset of the message bits.
19 What about MIS-R security? Suppose $I(M; Z(M)) \le \epsilon$ and let $p_g = \Pr[\tilde M = M]$ be the adversary's guessing probability. Hard to estimate: Fano's inequality $H(M|Z(M)) \le h(p_e) + p_e \log(2^m - 1)$, with $p_e = 1 - p_g$, gives only $p_g \le (1+\epsilon)/m$. (Better estimates possible, but hard to work with.)
20 Relations [BTV12]. Theorem (Pinsker's inequality). $\mathrm{Adv}^{\mathrm{rds}}(\mathrm{ENC};\mathrm{ChA}) \le \sqrt{\mathrm{Adv}^{\mathrm{mis\text{-}r}}(\mathrm{ENC};\mathrm{ChA})}$. Caveat: generally not tight! Exponents matter. Theorem. For $\epsilon = \mathrm{Adv}^{\mathrm{rds}}(\mathrm{ENC};\mathrm{ChA})$ and $c$-bit $Z(M)$: $\mathrm{Adv}^{\mathrm{mis\text{-}r}}(\mathrm{ENC};\mathrm{ChA}) \le 2\epsilon \log(2^c/\epsilon)$. Tight.
21 Proof of the 2nd theorem. First, show that for any $c$-bit $X, Y$ with $\mathrm{SD}(X,Y) \le \epsilon$: $|H(X) - H(Y)| \le 2\epsilon\log(2^c/\epsilon)$. Then note $I(M;Z(M)) = \frac{1}{2^m}\sum_{\mu\in\{0,1\}^m} \big(H(Z(M)) - H(Z(\mu))\big)$. Let $\epsilon_\mu = \mathrm{SD}(Z(M), Z(\mu))$; easy to see: $\epsilon = \frac{1}{2^m}\sum_\mu \epsilon_\mu$. Then $I(M;Z(M)) \le \frac{1}{2^m}\sum_\mu 2\epsilon_\mu \log(2^c/\epsilon_\mu) \le 2\epsilon\log(2^c/\epsilon)$ by concavity.
22 Lessons learnt. The above only advocates SD-based metrics as a target: MIS security is asymptotically a good privacy metric, but substantial quantitative losses are possible. Note: sometimes Shannon entropy / KL divergence are valuable tools (even when stating end results in terms of SD), e.g. additivity over independent components: $\mathrm{KL}(X_1X_2 \,\|\, Y_1Y_2) = \mathrm{KL}(X_1\|Y_1) + \mathrm{KL}(X_2\|Y_2)$.
23 Random plaintext distribution. In $\mathrm{Adv}^{\mathrm{rds}}(\mathrm{ENC};\mathrm{ChA}) = \mathrm{SD}((M,Z(M)); (M,Z(M')))$ and $\mathrm{Adv}^{\mathrm{mis\text{-}r}}(\mathrm{ENC};\mathrm{ChA}) = I(M;Z(M))$ the message $M$ is random and uniform. Common argument: if the data isn't uniform, then just run a compression algorithm to reduce it to a random string with length equal to its entropy! Not true: data may not have entropy to start with, and universal compression is not possible. Goldwasser-Micali, 1982: security must hold for all distributions of the plaintext.
24 Issues with RDS security. Define $\mathrm{Enc}'(M) = \mathrm{Enc}(M)$ if $M \notin \{0^m, 1^m\}$, $\mathrm{Enc}'(0^m) = 0^n$ and $\mathrm{Enc}'(1^m) = 1^n$. If $\mathrm{Enc}$ is RDS secure, then so is $\mathrm{Enc}'$. What if we only ever encrypt $0^m$ and $1^m$?
25 Distinguishing and semantic security. $\mathrm{Adv}^{\mathrm{ds}}(\mathrm{ENC};\mathrm{ChA}) = \max_{M_0,M_1} \mathrm{SD}(Z(M_0); Z(M_1))$. Equivalent to semantic security: for all $f$ and all distributions $P_M$, computing $f(M)$ given $Z(M)$ is not easier than computing $f(M)$ without $Z(M)$, where $M \sim P_M$: $\mathrm{Adv}^{\mathrm{ss}}(\mathrm{Enc};\mathrm{ChA}) = \max_{f,P_M}\big[2^{-H_\infty(f(M)\,|\,Z(M))} - 2^{-H_\infty(f(M))}\big]$. Theorem. $\mathrm{Adv}^{\mathrm{ss}}(\mathrm{Enc};\mathrm{ChA}) \le \mathrm{Adv}^{\mathrm{ds}}(\mathrm{Enc};\mathrm{ChA}) \le 2\,\mathrm{Adv}^{\mathrm{ss}}(\mathrm{Enc};\mathrm{ChA})$.
26 MIS security. $\mathrm{Adv}^{\mathrm{mis}}(\mathrm{ENC};\mathrm{ChA}) = \max_{P_M} I(M;Z(M))$. Theorem. $\mathrm{Adv}^{\mathrm{ds}}(\mathrm{ENC};\mathrm{ChA}) \le \sqrt{\mathrm{Adv}^{\mathrm{mis}}(\mathrm{ENC};\mathrm{ChA})}$. Theorem. For $\epsilon = \mathrm{Adv}^{\mathrm{ds}}(\mathrm{ENC};\mathrm{ChA})$ and $c$-bit $Z(M)$: $\mathrm{Adv}^{\mathrm{mis}}(\mathrm{ENC};\mathrm{ChA}) \le 2\epsilon\log(2^c/\epsilon)$.
27 From RDS to DS security. Key agreement: encode a random session key $K$ with ENC; the receiver decodes $K$ over $\mathrm{ChR}$, the adversary sees $Z(K)$. One-time pad: send $M \oplus K$ through an ECC (a good code for $\mathrm{ChR}$); the receiver decodes $M \oplus K$ and recovers $M$ using $K$, while the adversary sees $Z(M \oplus K)$. Problem: worse rate than in the RDS case!
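The metrics of slides 15, 16 and 25 evaluated on the scheme Enc' of slide 24 over a BSC, as an added example that is not part of the talk: m = n = 4, ChA = BSC with q = 0.1 and a base Enc modelled as a uniformly random codeword are my constructed choices, and all advantages are computed by exhaustive enumeration.

```python
"""Secrecy metrics for a toy wiretap channel (constructed example).

Computes SD, KL and the advantages Adv^rds, Adv^mis-r and Adv^ds for the
slide-24 scheme Enc' with ChA = BSC_q, enumerating every message and noise pattern.
"""
from itertools import product
from math import log2

M_LEN, N_LEN, Q = 4, 4, 0.1   # constructed toy parameters: m, n and ChA = BSC_q


def all_strings(n):
    return list(product((0, 1), repeat=n))


def bsc_output_dist(codeword, q):
    """Law of Z = codeword XOR noise where each bit is flipped with probability q."""
    dist = {}
    for noise in all_strings(len(codeword)):
        w = sum(noise)
        z = tuple(c ^ e for c, e in zip(codeword, noise))
        dist[z] = dist.get(z, 0.0) + q ** w * (1 - q) ** (len(codeword) - w)
    return dist


def statistical_distance(p, r):
    """SD(X,Y) = 1/2 * sum_x |P_X(x) - P_Y(x)| over dict-valued distributions."""
    return 0.5 * sum(abs(p.get(k, 0.0) - r.get(k, 0.0)) for k in set(p) | set(r))


def kl_divergence(p, r):
    """KL(X||Y) = sum_x P_X(x) log(P_X(x)/P_Y(x)) in bits; needs supp(P) within supp(R)."""
    return sum(px * log2(px / r[k]) for k, px in p.items() if px > 0)


def uniform_view(msg, q):
    """Base Enc: a uniformly random n-bit codeword independent of msg (trivially RDS secure)."""
    return {z: 2.0 ** -N_LEN for z in all_strings(N_LEN)}


def enc_prime_view(msg, q):
    """Slide-24 Enc': 0^m -> 0^n, 1^m -> 1^n, every other message -> Enc(msg), then ChA."""
    if all(b == 0 for b in msg):
        return bsc_output_dist((0,) * N_LEN, q)
    if all(b == 1 for b in msg):
        return bsc_output_dist((1,) * N_LEN, q)
    return uniform_view(msg, q)


def joint_distributions(view, q, m):
    """Laws of (M, Z(M)) and (M, Z(M')) for uniform, independent M and M'."""
    msgs = all_strings(m)
    views = {mu: view(mu, q) for mu in msgs}
    marginal = {}                       # law of Z(M'): the mixture over all messages
    for dist in views.values():
        for z, p in dist.items():
            marginal[z] = marginal.get(z, 0.0) + p / len(msgs)
    real = {(mu, z): p / len(msgs) for mu in msgs for z, p in views[mu].items()}
    ideal = {(mu, z): p / len(msgs) for mu in msgs for z, p in marginal.items()}
    return real, ideal


def adv_rds(view, q=Q, m=M_LEN):
    """Adv^rds = SD((M, Z(M)); (M, Z(M')))."""
    real, ideal = joint_distributions(view, q, m)
    return statistical_distance(real, ideal)


def adv_mis_r(view, q=Q, m=M_LEN):
    """Adv^mis-r = KL((M, Z(M)) || (M, Z(M'))) = I(M; Z(M)) for uniform M."""
    real, ideal = joint_distributions(view, q, m)
    return kl_divergence(real, ideal)


def adv_ds(view, q=Q, m=M_LEN):
    """Adv^ds = max over message pairs of SD(Z(M0); Z(M1))."""
    views = [view(mu, q) for mu in all_strings(m)]
    return max(statistical_distance(a, b) for a in views for b in views)


def relation_checks(view, q=Q, m=M_LEN, c=N_LEN):
    """Slide-20 relations: Adv^rds <= sqrt(Adv^mis-r) and Adv^mis-r <= 2e log(2^c / e)."""
    eps, mis = adv_rds(view, q, m), adv_mis_r(view, q, m)
    pinsker = eps <= mis ** 0.5 + 1e-12
    entropy = eps == 0.0 or mis <= 2 * eps * log2(2 ** c / eps) + 1e-12
    return pinsker, entropy


if __name__ == "__main__":
    for name, view in (("Enc", uniform_view), ("Enc'", enc_prime_view)):
        print(f"{name}: rds={adv_rds(view):.4f} mis-r={adv_mis_r(view):.4f} ds={adv_ds(view):.4f}")
```

Enc' keeps a small random-message advantage because only 2 of the 16 messages are treated specially, while its distinguishing advantage is close to 1, which is exactly the separation slide 24 points at.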
28 Constructions
29 Next: a construction.
Generic construction: the analysis does not depend on details of the underlying ECC (unlike e.g. [MV10]).
Admits poly-time encryption and decryption.
Achieves SS/DS security.
Achieves capacity in interesting scenarios.
Generalizes previous constructions (which had no proofs of DS security) [W75, HM10].
First semantically-secure capacity-achieving construction with efficient poly-time encryption + decryption.
30 Seeded encryption. SeedGen outputs a public seed $S$ shared by ENC and DEC: $C = \mathrm{ENC}_S(M)$ is sent over $\mathrm{ChR}$ and decoded as $M' = \mathrm{DEC}_S(C')$; the adversary sees $S$ and $Z(M)$. The seed can be recycled, and sent as part of the ciphertext.
31 Seeded-encryption scheme $\mathrm{ENC}_S(M)$: pad the $m$-bit message $M$ with $k-m$ random bits to a $k$-bit string, multiply it by $S^{-1}$ in $\mathrm{GF}(2^k)$ (with $S$ the public seed) to obtain $X$, and output $C = E(X)$, where $E$ is a poly-time, injective, linear encoder from $k$ bits to $n$ bits. Abstraction: this inverts a randomness extractor on seed $S$ and output $M$, namely $\mathrm{Ext}(S, X) =$ the first $m$ bits of $S \cdot X$.
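The slide-31 scheme instantiated as an added toy example (my code, not the authors' implementation): k = 8 with the AES field polynomial, m = 4, and a 3-fold repetition code as the encoder E are assumptions chosen for illustration.

```python
"""Seeded wiretap encryption (slide 31) on a constructed toy instance.

ENC_S(M): pad the m-bit M with k-m fresh random bits, multiply by S^{-1} in
GF(2^k) to get X, and send C = E(X) through an injective linear code for ChR.
This inverts the extractor Ext(S, X) = first m bits of S * X.
"""
import secrets

K, M_BITS, REP = 8, 4, 3      # constructed toy parameters: k, m, repetition factor
POLY = 0x11B                  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def gf_mul(a, b):
    """Carry-less multiplication in GF(2^8) reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def gf_inv(a):
    """Inverse in GF(2^8) as a^(2^8 - 2); a must be nonzero (seeds are never 0)."""
    if a == 0:
        raise ValueError("0 has no inverse")
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def extract(seed, x):
    """Ext(S, X): the first m bits (here the top M_BITS) of S * X in GF(2^k)."""
    return gf_mul(seed, x) >> (K - M_BITS)


def ecc_encode(x):
    """E: k bits -> n = REP*k bits, each bit repeated REP times (injective and linear)."""
    bits = [(x >> i) & 1 for i in range(K)]
    return [b for b in bits for _ in range(REP)]


def ecc_decode(c):
    """Majority vote per group of REP bits; corrects up to (REP-1)//2 flips per group."""
    x = 0
    for i in range(K):
        if sum(c[i * REP:(i + 1) * REP]) * 2 > REP:
            x |= 1 << i
    return x


def encrypt(seed, msg, rand=None):
    """ENC_S(M): pick X with Ext(S, X) = M, i.e. X = S^{-1} * (M || R), then C = E(X)."""
    if rand is None:
        rand = secrets.randbits(K - M_BITS)      # the k-m random padding bits R
    padded = (msg << (K - M_BITS)) | rand
    x = gf_mul(gf_inv(seed), padded)
    return ecc_encode(x)


def decrypt(seed, received):
    """DEC_S(C'): decode X from the noisy codeword, then output Ext(S, X)."""
    return extract(seed, ecc_decode(received))


def seed_gen():
    """Public seed: a uniformly random nonzero field element."""
    while True:
        s = secrets.randbits(K)
        if s:
            return s


def flip_bits(c, positions):
    """Channel noise for experiments: flip the listed positions of codeword c."""
    out = list(c)
    for p in positions:
        out[p] ^= 1
    return out


if __name__ == "__main__":
    s, m = seed_gen(), 0b1011
    c = encrypt(s, m)
    print(f"seed={s:#04x} msg={m:#06b} recovered={decrypt(s, flip_bits(c, [1, 22])):#06b}")
```

The same message yields different codewords for different padding R, which is what lets the min-entropy of X given the adversary's view carry the security argument of slides 32 to 37.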
32 Conditional min-entropy. $H_\infty(X|Z) = -\log \sum_z \max_x \Pr[X = x \wedge Z = z]$. Example: $\mathrm{ChA} = \mathrm{BSC}_q^n$ applied to $C = E(X)$ for uniform $k$-bit $X$: $H_\infty(X|Z) \ge k - n\,\big(1 - \log\frac{1}{1-q}\big)$.
33 Smooth min-entropy [RW04]. $H_\infty^\epsilon(X|Z) = \sup_{X'Z' : \mathrm{SD}(X'Z'; XZ) \le \epsilon} H_\infty(X'|Z')$. Example: $\mathrm{ChA} = \mathrm{BSC}_q^n$: $H_\infty^\epsilon(X|Z) \ge k - n\,(1 - h(q) + o(1))$ for some $\epsilon = 2^{-O(\sqrt{n})}$. Note: $1 - h(q) \le 1 - \log\frac{1}{1-q}$.
34 Smooth min-entropy, cont'd. (Figure: only the label "$nq + o(1)$" survives from the slide.)
35 Seeded encryption security. Theorem [BT12, BTV12]. If $\mathrm{ChA}$ is symmetric and $H_\infty^\epsilon(X|Z) \ge m + 2\log(1/\epsilon)$, then $\mathrm{Adv}^{\mathrm{ds}}(\mathrm{ENC};\mathrm{ChA}) = O(\epsilon)$. For $\mathrm{ChA} = \mathrm{BSC}_q^n$, $\mathrm{ChR} = \mathrm{BSC}_p^n$: the best possible $k$ that still allows decryption over $\mathrm{ChR}$ is $k = (1 - h(p) - o(1))\,n$. For some $\epsilon = 2^{-O(\sqrt{n})}$: $H_\infty^\epsilon(X|Z) \ge n\,(h(q) - h(p) - o(1))$. Largest possible message size $m = (h(q) - h(p) - o(1))\,n$: optimal rate!
36 Proof, two steps. 1. Prove RDS security: $\mathrm{SD}((Z(M), S, M); (Z(M), S, M')) \le O(\epsilon)$. 2. From RDS to DS security.
37 Proof: RDS security. (Figure: the pipeline $M \to S^{-1}\cdot(M\|R) \to X \to E \to C \to \mathrm{ChA} \to Z$ compared with the same pipeline on a uniformly random message.) Given $H_\infty^\epsilon(X|Z) \ge m + 2\log(1/\epsilon)$, the bound follows from the leftover hash lemma [BBR88, ILL89, BBCM95].
38 From RDS to DS security. In general: random-message security does not imply DS security. Lemma. If $\mathrm{ChA}$ is symmetric, then ENC is DS secure. Proof idea: $Z_S(M)$ is symmetric, so for all $S, M$: $\mathrm{SD}(Z_S(M); Z_S(\$)) \le \epsilon$, where $\$$ denotes a uniformly random message; hence $\mathrm{SD}(Z_S(M); Z_S(M'')) \le 2\epsilon$ for any $M, M''$ by the triangle inequality.
39 Extensions. The above only achieves capacity for limited channels: $\mathrm{ChA}(\$) = \$$ (a uniform input yields a uniform output). Extension to arbitrary symmetric channels [TV13]. Alternative: better estimates of smooth min-entropy? [C15]: a new soft-covering lemma is used to obtain an existential proof that the rate is achievable in the semantic-security regime!
40 Conclusions and Open questions
41 Open questions: a crypto wish list. Concrete parameters: given $\mathrm{ChA}$, $\mathrm{ChR}$, message length $m$ and security level $\epsilon$, find $\mathrm{Enc}$ with the smallest possible ciphertext length $n$ such that $\mathrm{Adv}^{\mathrm{ds}}(\mathrm{Enc};\mathrm{ChA}) \le \epsilon$. Cryptanalysis: do physical assumptions really hold?
42 Thank you! Merci!
More informationCryptographic Engineering
Cryptographic Engineering Clément PERNET M2 Cyber Security, UFR-IM 2 AG, Univ. Grenoble-Alpes ENSIMAG, Grenoble INP Outline Unconditional security of symmetric cryptosystem Probabilities and information
More informationEntropic Security and the Encryption of High Entropy Messages
Entropic Security and the Encryption of High Entropy Messages Yevgeniy Dodis New York University dodis@cs.nyu.edu Adam Smith Massachusetts Insitute of Technology asmith@theory.csail.mit.edu September 1,
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationPublic-Key Cryptosystems Resilient to Key Leakage
Public-Key Cryptosystems Resilient to Key Leakage Moni Naor Gil Segev Abstract Most of the work in the analysis of cryptographic schemes is concentrated in abstract adversarial models that do not capture
More informationA Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem
A Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem Daniel Augot and Matthieu Finiasz INRIA, Domaine de Voluceau F-78153 Le Chesnay CEDEX Abstract. The Polynomial Reconstruction
More informationLecture Notes. Advanced Discrete Structures COT S
Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-27 Recap ADFGX Cipher Block Cipher Modes of Operation Hill Cipher Inverting a Matrix (mod n) Encryption: Hill Cipher Example Multiple
More informationand its Extension to Authenticity
EWSCS 06 almse, Estonia 5-10 March 2006 Lecture 1: Shannon s Theory of Secrecy and its Extension to Authenticity James L. Massey rof.-em. ETH Zürich, Adjunct rof., Lund Univ., Sweden, and Tech. Univ. of
More information1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2
Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number
More informationNon-malleability under Selective Opening Attacks: Implication and Separation
Non-malleability under Selective Opening Attacks: Implication and Separation Zhengan Huang 1, Shengli Liu 1, Xianping Mao 1, and Kefei Chen 2,3 1. Department of Computer Science and Engineering, Shanghai
More informationDifferentially Private Multi-party Computation
ifferentially Private Multi-party Computation Peter Kairouz, Sewoong Oh, Pramod Viswanath epartment of Electrical and Computer Engineering University of Illinois at Urbana-Champaign {kairouz2, pramodv}@illinois.edu
More information