Foundation of Cryptography, Lecture 4 Pseudorandom Functions
|
|
- Clement Pearson
- 5 years ago
- Views:
Transcription
1 Foundation of Cryptography, Lecture 4 Pseudorandom Functions Handout Mode Iftach Haitner, Tel Aviv University Tel Aviv University. March 11, 2014 Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
2 Motivation Discussion 1 We ve seen a small set of objects: {G(x)} x {0,1} n, that looks like" a larger set of objects: {x} x {0,1} 2n. 2 We want small set of objects: efficient function families, that looks like a huge set of objects: the set of all functions. Solution Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
3 Function families 1 F = {F n } n N, where F n = {f : {0, 1} m(n) {0, 1} l(n) } 2 We write F = {F n : {0, 1} m(n) {0, 1} l(n) } 3 If m(n) = l(n) = n, we omit it from the notation 4 We identify function with their description Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
4 Random functions Definition 1 (random functions) For n, k N, let Π n,k be the family of all functions from {0, 1} n to {0, 1} k. Let Π n = Π n,n. π R Π n is a random access" source of randomness Parties with access to a common π R Π n can do a lot How long does it take to describe π Π n? 2 n n bits The truth table of π R Π n is a uniform string of length 2 n n For integer function m, we will consider the function family {Π n,m(n) }. Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
5 Efficient function families Definition 2 (efficient function family) An ensemble of function families F = {F n } n N is efficient, if: Samplable. F is samplable in polynomial-time: there exists a PPT that given 1 n, outputs (the description of) a uniform element in F n. Efficient. There exists a polynomial-time algorithm that given x {0, 1} n and (a description of) f F n, outputs f (x). Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
6 Pseudorandom Functions Definition 3 (pseudorandom functions (PRFs)) An efficient function family ensemble F = {F n : {0, 1} m(n) {0, 1} l(n) } is pseudorandom, if Pr f R F n [ D f (1 n ) = 1 for any oracle-aided PPT D. ] Pr [D π (1 n ) = 1] = neg(n), π Π R m(n),l(n) C Why oracle-aided"? Easy to construct (no assumption!) with logarithmic input length PRFs of super logarithmic input length, which is the interesting case, imply PRGs We will mainly focus on the case m(n) = l(n) = n We write D F to stand for (D f ) R. f F Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
7 Section 2 PRF from OWF Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
8 Naive Construction Let G : {0, 1} n {0, 1} 2n, and for s {0, 1} n define f s : {0, 1} {0, 1} n by Claim 4 f s (0) = G(s) 1,...,n f s (1) = G(s) n1,...,2n. Assume G is a PRG, then {F n = {f s } s {0,1} n} n N is a PRF. Proof: The truth table of f U 2n R F n is G(U n ), where the truth table of π R Π 1,n is Naturally extends to input of length O(log n) :-) Miserably fails for longer length (which is the only interesting case) :-( Problem, we are constructing the whole truth table, even to compute a single output Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
9 The GGM Construction Construction 5 (GGM) For G : {0, 1} n {0, 1} 2n and s {0, 1} n, G 0 (s) = G(s) 1,...,n G 1 (s) = G(s) n+1,...,2n For x {0, 1} k let f s(x) = G xk (f s(x 1,...,k 1 )), letting f s() = s. 0 s s 00 s s 000 s 001 s 010 s 011 s x = f s(x) s 1 s 1 s 10 s s 100 s s 110 s 111 Example: f s (001) = s 001 = G 1 (s 00 ) = G 1 (G 0 (s 0 )) = G 1 (G 0 (G 0 (s))) G is poly-time = F := {F n = {f s : s {0, 1} n }} is efficient Theorem 6 (Goldreich-Goldwasser-Micali (GGM)) If G is a PRG then F is a PRF. Corollary 7 OWFs imply PRFs. Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
10 Proof Idea Assume PPT D, p poly and infinite set I N with Pr[D Fn (1 n ) = 1] Pr[D Πn (1 n ) = 1] 1 p(n), (1) for any n I. Fix n N and let t = t(n) be a bound on the running time of D(1 n ). We use D to construct a PPT D such that Pr[D ((U 2n ) t ) = 1] Pr[D (G(U n )) t ) = 1 > 1 np(n), where (U 2n ) t = U (1) 2n,..., U(t) 2n and G(U n) t = G(U (1) n ),..., G(U (t) n ). Hence, D violates the security of G.(?) Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
11 The Hybrid 0 s 1 s 0 s s 00 s 01 s 10 s s 000 s 001 s 010 s 011 s 100 s 101 s 110 s 111 s x = f s(x) Let T i be the set of all possible trees, in which the i + 1,..., n levels are obtained by applying GGM" to the i th level. Given a tree t, let h t (x) return the x th leaf of t. What family is H 1 = {h t } t T1? F n. What is H n? Π n. For some i {1,..., i 1}, algorithm D distinguishes H i from H i+1 by 1 np(n) Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
12 The Hybrid cont. We assume wlg. that D distinguishes between H n 1 and H n (?) D distinguishes (via t samples) between R a uniform string of length 2 n n, and P - a string generated by 2 n 1 independent calls to G We would like to use D for breaking the security of G, but R and P seem too long :-( Solution: focus on the part (i.e., cells) that D sees Algorithm 8 (D on y 1,..., y t ({0, 1} 2n ) t ) Emulate D. On the i th query q i made by D: If the cell queries by q i th is empty, fill it with the next y Answer with the content of the q i th cell. D (U 2n ) t ) / D (G(U n)) t ) emulates D with access to R / P Hence, Pr[D ((U 2n ) t ) = 1] Pr[D (G(U n)) t ) = 1 > 1 np(n) Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
13 Part I Pseudorandom Permutations Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
14 Formal Definition Let Π n be the set of all permutations over {0, 1} n. Definition 9 (pseudorandom permutations (PRPs)) A permutation ensemble F = {F n : {0, 1} n {0, 1} n } is a pseudorandom permutation, if Pr[D Fn (1 n ) = 1] Pr[D Π n (1 n ) = 1 = neg(n), (2) for any oracle-aided PPT D Eq 2 holds for any PRF (taking the role of F) Hence, PRPs are indistinguishable from PRFs... If no one can distinguish between PRFs and PRPs, let s use PRFs (partial) Perfect security" Inversion Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
15 Section 3 PRP from PRF Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
16 Feistel Permutation How does one turn a function into a permutation? Definition 10 (LR) For f : {0, 1} n {0, 1} n, let LR f : {0, 1} 2n {0, 1} 2n be defined by LR f (l, r) = (r, f (r) l). LR f is a permutation: LR 1 f (z, w) = (f (z) w, z) LR f is efficiently computable and invertible given oracle access to f For i N and f 1,..., f i, define LR f 1,...,f i : {0, 1}2n {0, 1} 2n by LR f 1,...,f (l, r) = (r i 1, f i (r i 1 ) l i 1 ), for (l i 1, r i 1 ) = LR i f 1,...,f i 1(l, r). (letting (l 0, r 0 ) = (l, r) Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
17 Luby-Rackoff Thm. Recall LR f (l, r) = (r, f (r) l). Definition 11 Given a function family F = {F n : {0, 1} n {0, 1} n }, let LR i (F) = {LR i F n = {LR f 1,...,f i : f 1,..., f i F n }}, LR i F is always a permutation family, and is efficient if F is. Is LR 1 F pseudorandom? LR 2 F? LR f 1,f 2(0n, 0 n ) = LR f 2(0 n, f 1 (0 n )) = (f 1 (0 n ), ) and LR f 1,f 2(1n, 0 n ) = LR f 2(0 n, f 1 (0 n ) 1 n ) = (f 1 (0 n ) 1 n, ) LR 3 F? Theorem 12 (Luby-Rackoff) Assuming that F is a PRF, then LR 3 F is a PRP LR 4 (F) is pseudorandom even if inversion queries are allowed Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
18 Proving Luby-Rackoff It suffices to prove that LR 3 Π n is pseudorandom (?) How would you prove that? Maybe LR 3 (Π n ) Π 2n? description length of element in LR 3 (Π n ) is 2 n 3n, where that of element in Π ( ) 2n is log(2 2n!) > log ( 22n e > 2 2n n )22n Claim 13 For any q-query D, Pr[D LR3 (Π n) (1 n ) = 1] Pr[D Π 2n (1 n ) = 1] O(q 2 /2 n ). We assume for simplicity that D is deterministic, non-repeating and non-adaptive. Let x 0, x 1,..., x q be D s queries. We show (f (x 0 ),..., f (x q )) f R LR 3 (Π n) is O(q2 /2 n ) close (i.e., in statistical distance) to (f (x 0 ),..., f (x q )) f R Π To do that, we show both distributions are O(q 2 /2 n ) close) to Distinct := ((z 1,... z q ) R ({0, 1} 2n ) q i j : (z i ) 0 (z j ) 0. Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
19 Reminder: Statistical Distance Definition 14 The statistical distance between distributions P and Q over U, is defined by SD(P, Q) = 1 2 P(u) Q(u) = max u U {Pr S U Q [S] Pr P [S]} In case SD(P, Q) ε, we say that P and Q are ε close. Fact 15 Let E be an event (i.e., set) and assume SD(P E, Q) δ 1 and Pr P [E] δ 2. Then SD(P, Q) δ 1 + δ 2 Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
20 Proving Fact 15 For any set S, it holds that Hence, Thus, SD(P, Q) = max S Pr P Pr Q {Pr [S] = Pr [E] Pr P [S] + Pr P E P (1 δ 2 ) Pr P E [S] [ E] Pr P E [S] (3) [S] Pr [S] Pr [S] (1 δ 2) Pr [S] (4) P Q P E Q [S] Pr P Pr [S] Pr [S] + δ 2 Q P E [S]} max S {Pr Q [S] Pr P E [S]} + δ 2 = δ 1 + δ 2. Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
21 (f (x 0 ),..., f (x q )) f R Π is close to Distinct Recall Distinct := ((z 1,... z q ) R ({0, 1} 2n ) q i j : (z i ) 0 (z j ) 0 ). For f Π, let Bad(f ) := i j : f (x i ) 0 = f (x j ) 0. Claim 16 Pr R [Bad(f )] (q 2) f Π 2 q2 n 2 n Proof:? Claim 17 ( R (f (x 0 ),..., f (x q )); f Π ) Bad(f ) Distinct Proof:? By Fact 15, (f (x 0 ),..., f (x q )) f R Π is q2 2 n close to Distinct Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
22 (f (x 0 ),..., f (x q )) R is close to Distinct f LR 3 (Π n) Let (l 0 1, r 0 1 ),..., (l0 q, r 0 q ) = (x 1,..., x k ). The following rv s are defined w.r.t. (f 1, f 2, f 3 ) R Π 3 n. l 0 1 r1 0 l 0 2 r l 0 q rq 0 l 1 1 r1 1 l 1 2 r l 1 q rq 1 l 2 1 r1 2 l 2 2 r l 2 q rq 2 l 3 1 r1 3 l 3 2 r l 3 q rq 3 where l j b = r j 1 b Claim 18 and r j b = f j (r j 1 b ) l j 1 b. ] Pr [Bad f 1 Π R 1 := i j : ri 1 = rj 1 n ( q 2) 2 n Proof: r 0 i = r 0 r 0 i r 0 j = Pr f 1 j = ri 1 rj 1 and [ ] ri 1 = rj 1 = 2 n Claim 19 Pr (f 1,f 2 ) R Π 2 n ( [ ] q 2) Bad 2 := i j : ri 1 = rj 1 ri 2 = rj n O( q2 2 n ) Proof: similar to the above Claim 20 ( l 3 1, r 3 1 ),..., (l3 q, r 3 q ) Bad 2) Distinct Proof:? Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
23 Proving Claim 20 Let S = {(z 1,..., z q ) ({0, 1} n ) q : i j : z i z j }. Claim 21 ( (l 3 1,..., l3 q) Bad 2) is uniform over S. Proof: For any z = (z 1,..., z q ) ({0, 1} n ) q and π Π n : Pr [ (l 3 1,..., l3 q) = z ] = Pr [ (l 3 1,..., l3 q) = π(z) := (π(z 1 ),..., π(z q )) ] Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
24 Section 4 Applications Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
25 General paradigm Design a scheme assuming that you have random functions, and the realize them using PRFs. Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
26 Private-key Encryption Construction 22 (PRF-based encryption) Given an (efficient) PRF F, define the encryption scheme (Gen, E, D)): Key generation: Gen(1 n ) returns k R F n Encryption: E k (m) returns U n, k(u n ) m Decryption: D k (c = (c 1, c n )) returns k(c 1 ) c 2 Advantages over the PRG based scheme? Proof of security? Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
27 Conclusion We constructed PRFs and PRPs from length-doubling PRG (and thus from one-way functions) Main question: find a simpler, more efficient construction or at least, a less adaptive one Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27
From Non-Adaptive to Adaptive Pseudorandom Functions
From Non-Adaptive to Adaptive Pseudorandom Functions Itay Berman Iftach Haitner January, 202 Abstract Unlike the standard notion of pseudorandom functions (PRF), a non-adaptive PRF is only required to
More informationFoundation of Cryptography ( ), Lecture 1
Foundation of Cryptography (0368-4162-01), Lecture 1 Iftach Haitner, Tel Aviv University November 1-8, 2011 Section 1 Notation Notation I For t N, let [t] := {1,..., t}. Given a string x {0, 1} and 0 i
More informationFoundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge
Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge Handout Mode Iftach Haitner, Tel Aviv University Tel Aviv University. April 1, 2014 Iftach Haitner (TAU) Foundation of Cryptography
More informationIntroduction to Cryptography
B504 / I538: Introduction to Cryptography Spring 2017 Lecture 15 Assignment 3 is due! Assignment 4 is out and is due in three weeks! 1 Recall: One-way functions (OWFs) Intuitively, a one-way function (OWF)
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More information: On the P vs. BPP problem. 18/12/16 Lecture 10
03684155: On the P vs. BPP problem. 18/12/16 Lecture 10 Natural proofs Amnon Ta-Shma and Dean Doron 1 Natural proofs The ultimate goal we have is separating classes (or proving they are equal if they are).
More informationWe begin by recalling the following definition and property from the previous class. The latter will be instrumental in our proof to follow.
CS276: Cryptography September 16, 2015 PRGs ) PRFs, Pseudorandom Permutations, and Feistel Permutations Instructor: Alessandro Chiesa Scribe: Brian Gluzman 1 Introduction Today we will constuct PRFs (Pseudorandom
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationPseudorandom Generators
Outlines Saint Petersburg State University, Mathematics and Mechanics 2nd April 2005 Outlines Part I: Main Approach Part II: Blum-Blum-Shub Generator Part III: General Concepts of Pseudorandom Generator
More informationPseudorandom functions and permutations
Introduction Pseudorandom functions and permutations 15-859I Spring 2003 Informally, a Pseudorandom function family (PRF is a collection of functions which are indistinguishable from random functions PRFs
More informationComputational Models Lecture 2 1
Computational Models Lecture 2 1 Handout Mode Ronitt Rubinfeld and Iftach Haitner. Tel Aviv University. March 16/18, 2015 1 Based on frames by Benny Chor, Tel Aviv University, modifying frames by Maurice
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationComputational Models Lecture 2 1
Computational Models Lecture 2 1 Handout Mode Iftach Haitner. Tel Aviv University. October 30, 2017 1 Based on frames by Benny Chor, Tel Aviv University, modifying frames by Maurice Herlihy, Brown University.
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More informationHomework 7 Solutions
Homework 7 Solutions Due: March 22, 2018 CS 151: Intro. to Cryptography and Computer Security 1 Fun with PRFs a. F a s = F 0 k(x) F s (x) is not a PRF, for any choice of F. Consider a distinguisher D a
More informationThe Many Entropies in One-Way Functions
The Many Entropies in One-Way Functions Iftach Haitner and Salil Vadhan Abstract Computational analogues of information-theoretic notions have given rise to some of the most interesting phenomena in the
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationLecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations
CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More informationPseudorandom Generators
Principles of Construction and Usage of Pseudorandom Generators Alexander Vakhitov June 13, 2005 Abstract In this report we try to talk about the main concepts and tools needed in pseudorandom generators
More informationOn the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited
On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited Moni Naor Omer Reingold Abstract Luby and Rackoff [26] showed a method for constructing a pseudo-random permutation from a pseudo-random
More informationApplication of Information Theory, Lecture 7. Relative Entropy. Handout Mode. Iftach Haitner. Tel Aviv University.
Application of Information Theory, Lecture 7 Relative Entropy Handout Mode Iftach Haitner Tel Aviv University. December 1, 2015 Iftach Haitner (TAU) Application of Information Theory, Lecture 7 December
More informationCS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn
CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, 2014 Instructor: Rachel Lin 1 Recap Lecture 5: RSA OWFs Scribe: Tiawna Cayton Last class we discussed a collection of one-way functions (OWFs),
More informationLecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004
CMSC 858K Advanced Topics in Cryptography January 27, 2004 Lecturer: Jonathan Katz Lecture 1 Scribe(s): Jonathan Katz 1 Introduction to These Notes These notes are intended to supplement, not replace,
More informationBootstrapping Obfuscators via Fast Pseudorandom Functions
Bootstrapping Obfuscators via Fast Pseudorandom Functions Benny Applebaum October 26, 2013 Abstract We show that it is possible to upgrade an obfuscator for a weak complexity class WEAK into an obfuscator
More informationIndistinguishability and Pseudo-Randomness
Chapter 3 Indistinguishability and Pseudo-Randomness Recall that one main drawback of the One-time pad encryption scheme and its simple encryption operation Enc k (m) = m k is that the key k needs to be
More informationComputer Science A Cryptography and Data Security. Claude Crépeau
Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationIntroduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016
Introduction to Modern Cryptography Recitation 3 Orit Moskovich Tel Aviv University November 16, 2016 The group: Z N Let N 2 be an integer The set Z N = a 1,, N 1 gcd a, N = 1 with respect to multiplication
More informationInaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions
Columbia University - Crypto Reading Group Apr 27, 2011 Inaccessible Entropy and its Applications Igor Carboni Oliveira We summarize the constructions of PRGs from OWFs discussed so far and introduce the
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationPseudorandom Generators
CS276: Cryptography September 8, 2015 Pseudorandom Generators Instructor: Alessandro Chiesa Scribe: Tobias Boelter Context and Summary In the last lecture we have had a loo at the universal one-way function,
More informationLecture 13: Private Key Encryption
COM S 687 Introduction to Cryptography October 05, 2006 Instructor: Rafael Pass Lecture 13: Private Key Encryption Scribe: Ashwin Machanavajjhala Till this point in the course we have learnt how to define
More informationLecture 5: Pseudo-Random Generators and Pseudo-Random Functions
CS 276 Cryptography Sept 22, 2014 Lecture 5: Pseudo-Random Generators and Pseudo-Random Functions Instructor: Sanjam Garg Scribe: Peihan Miao 1 PRG (Pseudo-Random Generator) extension In this section we
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationThe Indistinguishability of the XOR of k permutations
The Indistinguishability of the XOR of k permutations Benoit Cogliati, Rodolphe Lampe, Jacques Patarin University of Versailles, France Abstract. Given k independent pseudorandom permutations f 1,...,
More informationCOS598D Lecture 3 Pseudorandom generators from one-way functions
COS598D Lecture 3 Pseudorandom generators from one-way functions Scribe: Moritz Hardt, Srdjan Krstic February 22, 2008 In this lecture we prove the existence of pseudorandom-generators assuming that oneway
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationLecture 3: Randomness in Computation
Great Ideas in Theoretical Computer Science Summer 2013 Lecture 3: Randomness in Computation Lecturer: Kurt Mehlhorn & He Sun Randomness is one of basic resources and appears everywhere. In computer science,
More informationComputational Models Lecture 8 1
Computational Models Lecture 8 1 Handout Mode Ronitt Rubinfeld and Iftach Haitner. Tel Aviv University. May 11/13, 2015 1 Based on frames by Benny Chor, Tel Aviv University, modifying frames by Maurice
More informationCS 355: TOPICS IN CRYPTOGRAPHY
CS 355: TOPICS IN CRYPTOGRAPHY DAVID WU Abstract. Preliminary notes based on course material from Professor Boneh s Topics in Cryptography course (CS 355) in Spring, 2014. There are probably typos. Last
More informationOn the Power of the Randomized Iterate
On the Power of the Randomized Iterate Iftach Haitner Danny Harnik Omer Reingold August 21, 2006 Abstract We consider two of the most fundamental theorems in Cryptography. The first, due to Håstad et.
More informationLecture 9 - One Way Permutations
Lecture 9 - One Way Permutations Boaz Barak October 17, 2007 From time immemorial, humanity has gotten frequent, often cruel, reminders that many things are easier to do than to reverse. Leonid Levin Quick
More informationA Note on Quantum-Secure PRPs
A Note on Quantum-Secure PRPs Mark Zhandry Princeton University mzhandry@princeton.edu Abstract We show how to construct pseudorandom permutations (PRPs) that remain secure even if the adversary can query
More informationComputational Models - Lecture 5 1
Computational Models - Lecture 5 1 Handout Mode Iftach Haitner and Yishay Mansour. Tel Aviv University. April 10/22, 2013 1 Based on frames by Benny Chor, Tel Aviv University, modifying frames by Maurice
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which
More informationSynthesizers and Their Application to the Parallel Construction of Pseudo-Random Functions*
Journal of Computer and System Sciences 58, 336375 (1999) Article ID jcss.1998.1618, available online at http:www.idealibrary.com on Synthesizers and Their Application to the Parallel Construction of Pseudo-Random
More informationEfficiency Improvements in Constructing Pseudorandom Generators from One-way Functions
Efficiency Improvements in Constructing Pseudorandom Generators from One-way Functions Iftach Haitner Microsoft Research New England Campus iftach@microsoft.com Omer Reingold Microsoft Research Silicon
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationExtracted from a working draft of Goldreich s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.
106 CHAPTER 3. PSEUDORANDOM GENERATORS Using the ideas presented in the proofs of Propositions 3.5.3 and 3.5.9, one can show that if the n 3 -bit to l(n 3 ) + 1-bit function used in Construction 3.5.2
More informationBenes and Butterfly schemes revisited
Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have
More informationLecture 2: Program Obfuscation - II April 1, 2009
Advanced Topics in Cryptography Lecture 2: Program Obfuscation - II April 1, 2009 Lecturer: S. Goldwasser, M. Naor Scribe by: R. Marianer, R. Rothblum Updated: May 3, 2009 1 Introduction Barak et-al[1]
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Last Time Hardcore Bits Hardcore Bits Let F be a one- way function with domain x, range y Definition: A function h:xà {0,1} is
More informationLecture 11: Hash Functions, Merkle-Damgaard, Random Oracle
CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review Collision-Resistant Hash Functions
More informationEx1 Ex2 Ex3 Ex4 Ex5 Ex6
Technische Universität München (I7) Winter 2012/13 Dr. M. Luttenberger / M. Schlund Cryptography Endterm Last name: First name: Student ID no.: Signature: If you feel ill, let us know immediately. Please,
More informationFinding Collisions in Interactive Protocols Tight Lower Bounds on the Round and Communication Complexities of Statistically Hiding Commitments
Finding Collisions in Interactive Protocols Tight Lower Bounds on the Round and Communication Complexities of Statistically Hiding Commitments Iftach Haitner Jonathan J. Hoch Omer Reingold Gil Segev December
More informationSecurity of Random Feistel Schemes with 5 or more Rounds
Security of Random Feistel Schemes with 5 or more Rounds Jacques Patarin Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract. We study cryptographic attacks on random
More informationWhere do pseudo-random generators come from?
Computer Science 2426F Fall, 2018 St. George Campus University of Toronto Notes #6 (for Lecture 9) Where do pseudo-random generators come from? Later we will define One-way Functions: functions that are
More informationThe Random Oracle Model and the Ideal Cipher Model are Equivalent
The Random Oracle Model and the Ideal Cipher Model are Equivalent Jean-ébastien Coron 1, Jacques Patarin 2, and Yannick eurin 2,3 (1) Univ. Luxembourg, (2) Univ. Versailles, (3)Orange Labs éminaire EN
More informationComputational Models - Lecture 1 1
Computational Models - Lecture 1 1 Handout Mode Ronitt Rubinfeld and Iftach Haitner. Tel Aviv University. February 29/ March 02, 2016 1 Based on frames by Benny Chor, Tel Aviv University, modifying frames
More informationOn Pseudorandomness w.r.t Deterministic Observers
On Pseudorandomness w.r.t Deterministic Observers Oded Goldreich Department of Computer Science Weizmann Institute of Science Rehovot, Israel. oded@wisdom.weizmann.ac.il Avi Wigderson The Hebrew University,
More informationLecture 18: Zero-Knowledge Proofs
COM S 6810 Theory of Computing March 26, 2009 Lecture 18: Zero-Knowledge Proofs Instructor: Rafael Pass Scribe: Igor Gorodezky 1 The formal definition We intuitively defined an interactive proof to be
More informationPublic-Seed Pseudorandom Permutations
Public-Seed Pseudorandom Permutations Stefano Tessaro UCSB Joint work with Pratik Soni (UCSB) DIMACS Workshop New York June 8, 2017 We look at existing class of cryptographic primitives and introduce/study
More informationNotes for Lecture Decision Diffie Hellman and Quadratic Residues
U.C. Berkeley CS276: Cryptography Handout N19 Luca Trevisan March 31, 2009 Notes for Lecture 19 Scribed by Cynthia Sturton, posted May 1, 2009 Summary Today we continue to discuss number-theoretic constructions
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationThe Generalized Randomized Iterate and its Application to New Efficient Constructions of UOWHFs from Regular One-Way Functions
The Generalized Randomized Iterate and its Application to New Efficient Constructions of UOWHFs from Regular One-Way Functions Scott Ames 1, Rosario Gennaro 2, and Muthuramakrishnan Venkitasubramaniam
More informationDoubly half-injective PRGs for incompressible white-box cryptography
SESSION ID: CRYP-W02 Doubly half-injective PRGs for incompressible white-box cryptography Estuardo Alpirez Bock Aalto University, Finland Alessandro Amadori, Joppe W. Bos, Chris Brzuska, Wil Michiels White-box
More information6.080/6.089 GITCS Apr 15, Lecture 17
6.080/6.089 GITCS pr 15, 2008 Lecturer: Scott aronson Lecture 17 Scribe: dam Rogal 1 Recap 1.1 Pseudorandom Generators We will begin with a recap of pseudorandom generators (PRGs). s we discussed before
More informationNew and Improved Key-Homomorphic Pseudorandom Functions
New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO 14 19 August 2014 Outline 1 Introduction 2 Construction, Parameters
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationCS294: Pseudorandomness and Combinatorial Constructions September 13, Notes for Lecture 5
UC Berkeley Handout N5 CS94: Pseudorandomness and Combinatorial Constructions September 3, 005 Professor Luca Trevisan Scribe: Gatis Midrijanis Notes for Lecture 5 In the few lectures we are going to look
More informationLimits on the Stretch of Non-Adaptive Constructions of Pseudo-Random Generators
Limits on the Stretch of Non-Adaptive Constructions of Pseudo-Random Generators Josh Bronson 1, Ali Juma 2, and Periklis A. Papakonstantinou 3 1 HP TippingPoint josh.t.bronson@hp.com 2 University of Toronto
More informationComputational Models Lecture 8 1
Computational Models Lecture 8 1 Handout Mode Ronitt Rubinfeld and Iftach Haitner. Tel Aviv University. April 18/ May 2, 2016 1 Based on frames by Benny Chor, Tel Aviv University, modifying frames by Maurice
More informationParallel Repetition of Zero-Knowledge Proofs and the Possibility of Basing Cryptography on NP-Hardness
Parallel Repetition of Zero-Knowledge Proofs and the Possibility of Basing Cryptography on NP-Hardness Rafael Pass Cornell University rafael@cs.cornell.edu January 29, 2007 Abstract Two long-standing open
More informationComputer Science Dept.
A NOTE ON COMPUTATIONAL INDISTINGUISHABILITY 1 Oded Goldreich Computer Science Dept. Technion, Haifa, Israel ABSTRACT We show that following two conditions are equivalent: 1) The existence of pseudorandom
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationComputational Extractors and Pseudorandomness
Computational Extractors and Pseudorandomness Dana Dachman-Soled Rosario Gennaro Hugo Krawczyk Tal Malkin Abstract Computational extractors are efficient procedures that map a source of sufficiently high
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationComputational Models - Lecture 3 1
Computational Models - Lecture 3 1 Handout Mode Iftach Haitner and Yishay Mansour. Tel Aviv University. March 13/18, 2013 1 Based on frames by Benny Chor, Tel Aviv University, modifying frames by Maurice
More informationA Note on Negligible Functions
Appears in Journal of Cryptology Vol. 15, 2002, pp. 271 284. Earlier version was Technical Report CS97-529, Department of Computer Science and Engineering, University of California at San Diego, March
More informationOn the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner 1, Alon Rosen 2, and Ronen Shaltiel 3 1 Microsoft Research, New England Campus. iftach@microsoft.com 2 Herzliya Interdisciplinary
More informationCSA E0 235: Cryptography (19 Mar 2015) CBC-MAC
CSA E0 235: Cryptography (19 Mar 2015) Instructor: Arpita Patra CBC-MAC Submitted by: Bharath Kumar, KS Tanwar 1 Overview In this lecture, we will explore Cipher Block Chaining - Message Authentication
More informationLecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More informationLecture 10: Zero-Knowledge Proofs
Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationPRGs for space-bounded computation: INW, Nisan
0368-4283: Space-Bounded Computation 15/5/2018 Lecture 9 PRGs for space-bounded computation: INW, Nisan Amnon Ta-Shma and Dean Doron 1 PRGs Definition 1. Let C be a collection of functions C : Σ n {0,
More informationGeneric Case Complexity and One-Way Functions
Groups-Complexity-Cryptology Volume 1 2009), No. 1, 13 31 Generic Case Complexity and One-Way Functions Alex D. Myasnikov Department of Mathematical Sciences, Stevens Institute of Technology, Hoboken,
More informationChosen Plaintext Attacks (CPA)
Chosen Plaintext Attacks (CPA) Goals New Attacks! Chosen Plaintext Attacks (often CPA) is when Eve can choose to see some messages encoded. Formally she has Black Box for ENC k. We will: 1. Define Chosen
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More information