Lecture 4: Hardness Amplification: From Weak to Strong OWFs
|
|
- Doris Phillips
- 6 years ago
- Views:
Transcription
1 COM S 687 Introduction to Cryptography September 5, 2006 Lecture 4: Hardness Amplification: From Weak to Strong OWFs Instructor: Rafael Pass Scribe: Jed Liu Review In the previous lecture, we formalised the notion of a strong one-way function that is easy to compute, but hard to invert. Definition (Negligible function) A function ɛ : N R is negligible if for any c N, there is a k 0 N such that we have ɛ(k) < k c for all k > k 0. Definition 2 (Strong one-way function) A function f : {0, } {0, } is strongly one-way if it satisfies the following two conditions.. Easy to compute. There is a probabilistic polytime algorithm C : {0, } {0, } such that C(x) = f(x) on all inputs x {0, }. 2. Hard to invert. Any efficient attempt to invert f on random input will succeed with only negligible probability. Formally, for any probabilistic polytime algorithm A : {0, } {0, }, there exists a negligible function ɛ such that for any input length k N, Pr [ x {0, } k ; y = f(x); A( k, y) = x : f(x ) = y ] ɛ(k). 2 Weak One-Way Functions Consider the function f mult : N 2 N defined by f mult (x, y) = xy, with x = y. Is this a one-way function? Clearly, by the multiplication algorithm, f mult is easy to compute. But f mult is not always hard to invert! If at least one of x and y is even, then their product will be even as well. This happens with probability 3 if the input (x, y) is picked 4 uniformly at random from N 2. So the following attack A will succeed with probability 3: 4 { (2, z ) if z even A(z) = 2 (0, 0) otherwise. Something is not quite right here, since f mult is conjectured to be hard to invert on some, but not all, inputs. Our current definition of a one-way function is too restrictive to 4-
2 capture this notion, so we will define a weaker variant that relaxes the hardness condition on inverting the function. This weaker version only requires that all efficient attempts at inverting will fail with some non-negligible probability. Definition 3 (Weak one-way function) A function f : {0, } {0, } is weakly one-way if it satisfies the following two conditions.. Easy to compute. (Same as that for a strong one-way function.) There is a probabilistic polytime algorithm C : {0, } {0, } such that C(x) = f(x) on all inputs x {0, }. 2. Hard to invert. Any efficient algorithm will fail to invert f on random input with non-negligible probability. More formally, for any probabilistic polytime algorithm A : {0, } {0, }, there exists a polynomial function q : N N such that for any input length k N, Pr [ x {0, } k ; y = f(x); A( k, y) = x : f(x ) = y ] q(k) It is conjectured that f mult is a weak one-way function. 3 Hardness Amplification By falling back on the weak version of a one-way function, we actually haven t lost anything. As we will now show, a weak one-way function can be used to produce a strong one-way function by amplifying hardness. The main insight we will use is if we run a weak one-way function f with enough inputs, with luck, f will be hard to invert on least one of those inputs. Theorem If there is a weak one-way function, then there is a strong one-way function. In particular, given a weak one-way function f : {0, } {0, }, there is a fixed m N, polynomial in the input length n N, such that the following function f : ({0, } n ) m ({0, } n ) m is strongly one-way: f (x, x 2,..., x m ) = (f(x ), f(x 2 ),..., f(x m )). We will prove this theorem by contradiction. We assume that f is not strongly one-way so that there is an algorithm A that inverts it with non-negligible probability. From this, we construct an algorithm A that inverts f with high probability. 4-2
3 Proof. Since f is weakly one-way, let q : N N be a polynomial such that for any probabilistic polytime algorithm A and any input length n N, Pr [x {0, } n ; y = f(x); A( n, y) = x : f(x ) = y] q(n). Define m = 2nq(n), dependent on the input length n N to f. Assume that f as defined in the theorem is not strongly one-way. Then let A be a probabilistic polytime algorithm and p : N N be a polynomial such that for infinitely many input lengths n N to f, A inverts f with probability p (n). i.e., Pr [x i {0, } n ; y i = f(x i ) : f (A (y, y 2,..., y m )) = (y, y 2,..., y m )] > p (m). Since m is polynomial in n, then the function p(n) = p (m) = p (2nq(n)) is also a polynomial. Rewriting the above probability, we have Pr [x i {0, } n ; y i = f(x i ) : f (A (y, y 2,..., y m )) = (y, y 2,..., y m )] > p(n). () Define the algorithm A 0 : {0, } n {0, } n, which will attempt to use A to invert f, as follows. () Input y {0, } n. (2) Pick a random i [, m]. (3) For all j i, pick a random x j {0, } n, and let y j = f(x j ). (4) Let y i = y. (5) Let (z, z 2,..., z m ) = A(y, y 2,..., y m ). (6) If f(z i ) = y, then output z i ; otherwise, fail and output. To improve our chances of inverting f, we will run A 0 multiple times. To capture this, define the algorithm A : {0, } n {0, } n to run A 0 with its input 2nm 2 p(n) times, outputting the first non- result it receives. If all runs of A 0 result in, then A outputs as well. Given this, call an element x {0, } n good if A 0 will successfully invert f(x) with non-negligible probability: otherwise, call x bad. Pr [A 0 (f(x)) ] 4-3 2m 2 p(n) ;
4 Note that the probability of A failing to invert f(x) on a good x is small: Pr [A(f(x)) fails x good] ( ) 2m 2 np(n) e n. 2m 2 p(n) We claim that there are a significant number of good elements enough for A to invert f with sufficient probability to contradict the weakly ) one-way assumption on f. In particular, we claim there are at least 2 ( n good elements in {0, } n. If this holds, then Pr [A(f(x)) fails] = Pr [A(f(x)) fails x good] Pr [x good] + Pr [A(f(x)) fails x bad] Pr [x bad] Pr [A(f(x)) fails x good] + Pr [x bad] ( ) 2m 2 np(n) 2m 2 p(n) + e n + <. q(n) This contradicts the assumption that f is q(n)-weak. ) It remains to be shown that there are at least 2 ( n good elements in {0, } n. ( ) Assume that there are more than 2 n bad elements. We will contradict fact () that with probability p(n), A succeeds in inverting f (x) on a random input x. To do so, we establish an upper bound on the probability by splitting it into two quantities: Pr [x i {0, } n ; y i = f (x i ) : A ( y) succeeds] = Pr [x i {0, } n ; y i = f (x i ) : A ( y) succeeds and some x i is bad] +Pr [x i {0, } n ; y i = f (x i ) : A ( y) succeeds and all x i are good] For each j [, n], we have Pr [x i {0, } n ; y i = f (x i ) : A ( y) succeeds and x j is bad] Pr [x i {0, } n ; y i = f (x i ) : A ( y) succeeds x j is bad] m Pr [A 0 (f(x j )) succeeds x j is bad] m =. 2m 2 p(n) 2mp(n) So taking a union bound, we have Pr [x i {0, } n ; y i = f (x i ) : A ( y) succeeds and some x i is bad] j Pr [x i {0, } n ; y i = f (x i ) : A ( y) succeeds and x j is bad] m =. 2mp(n) 2p(n) 4-4
5 Also, Pr [x i {0, } n ; y i = f (x i ) : A ( y) succeeds and all x i are good] Pr [x i {0, } n : all x i are good] ( ) m ( 2nq(n) < = ) e n. Hence, Pr [x i {0, } n ; y i = f (x i ) : A ( y) succeeds] < + 2p(n) e n <, thus contradicting p(n) (). This theorem indicates that the existence of weak one-way functions is equivalent to that of strong one-way functions. In the next lecture, we will identify a universal one-way function f Levin. This function is universal in the sense that if one-way functions exist, then f Levin is one-way. 4-5
Lecture 4: One Way Functions - II
CSE 594 : Modern Cryptography 05/02/2017 Lecture 4: One Way Functions - II Instructor: Omkant Pandey Scribe: Bharathkrishna G Murali, Swarnima Shrivastava 1 Weak to Strong OWFs Theorem 1 The multiplication
More informationComputational Hardness
Chapter 2 Computational Hardness 2.1 Efficient Computation and Efficient Adversaries We start by formalizing what it means to compute a function. Definition 19.1 (Algorithm). An algorithm is a deterministic
More informationFoundation of Cryptography ( ), Lecture 1
Foundation of Cryptography (0368-4162-01), Lecture 1 Iftach Haitner, Tel Aviv University November 1-8, 2011 Section 1 Notation Notation I For t N, let [t] := {1,..., t}. Given a string x {0, 1} and 0 i
More information1 Rabin Squaring Function and the Factoring Assumption
COMS W461 Introduction to Cryptography October 11, 005 Lecture 11: Introduction to Cryptography Lecturer: Tal Malkin Scribes: Kate McCarthy, Adam Vartanian Summary In this lecture we will prove that Rabin
More informationLecture 13: Private Key Encryption
COM S 687 Introduction to Cryptography October 05, 2006 Instructor: Rafael Pass Lecture 13: Private Key Encryption Scribe: Ashwin Machanavajjhala Till this point in the course we have learnt how to define
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationInaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions
Columbia University - Crypto Reading Group Apr 27, 2011 Inaccessible Entropy and its Applications Igor Carboni Oliveira We summarize the constructions of PRGs from OWFs discussed so far and introduce the
More informationLecture 9 - One Way Permutations
Lecture 9 - One Way Permutations Boaz Barak October 17, 2007 From time immemorial, humanity has gotten frequent, often cruel, reminders that many things are easier to do than to reverse. Leonid Levin Quick
More informationLecture 8: Computational Indistinguishability and Pseudorandomness
COM S 6830 Cryptography Tuesday, September 22, 2009 Lecture 8: Computational Indistinguishability and Instructor: Rafael Pass Pseudorandomness Scribe: Chin Isradisaikul In this lecture we introduce the
More informationGeneric Case Complexity and One-Way Functions
Groups-Complexity-Cryptology Volume 1 2009), No. 1, 13 31 Generic Case Complexity and One-Way Functions Alex D. Myasnikov Department of Mathematical Sciences, Stevens Institute of Technology, Hoboken,
More informationCOMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory
COMS W4995 Introduction to Cryptography September 29, 2005 Lecture 8: Number Theory Lecturer: Tal Malkin Scribes: Elli Androulaki, Mohit Vazirani Summary This lecture focuses on some basic Number Theory.
More informationHomework 7 Solutions
Homework 7 Solutions Due: March 22, 2018 CS 151: Intro. to Cryptography and Computer Security 1 Fun with PRFs a. F a s = F 0 k(x) F s (x) is not a PRF, for any choice of F. Consider a distinguisher D a
More informationNotes for Lecture Decision Diffie Hellman and Quadratic Residues
U.C. Berkeley CS276: Cryptography Handout N19 Luca Trevisan March 31, 2009 Notes for Lecture 19 Scribed by Cynthia Sturton, posted May 1, 2009 Summary Today we continue to discuss number-theoretic constructions
More information1 Distributional problems
CSCI 5170: Computational Complexity Lecture 6 The Chinese University of Hong Kong, Spring 2016 23 February 2016 The theory of NP-completeness has been applied to explain why brute-force search is essentially
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationConcurrent Non-malleable Commitments from any One-way Function
Concurrent Non-malleable Commitments from any One-way Function Margarita Vald Tel-Aviv University 1 / 67 Outline Non-Malleable Commitments Problem Presentation Overview DDN - First NMC Protocol Concurrent
More informationPseudorandom Generators
CS276: Cryptography September 8, 2015 Pseudorandom Generators Instructor: Alessandro Chiesa Scribe: Tobias Boelter Context and Summary In the last lecture we have had a loo at the universal one-way function,
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 14 October 16, 2013 CPSC 467, Lecture 14 1/45 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending
More informationReductions for One-Way Functions
Reductions for One-Way Functions by Mark Liu A thesis submitted in partial fulfillment of the requirements for degree of Bachelor of Science (Honors Computer Science) from The University of Michigan 2013
More informationLecture 15: Interactive Proofs
COM S 6830 Cryptography Tuesday, October 20, 2009 Instructor: Rafael Pass Lecture 15: Interactive Proofs Scribe: Chin Isradisaikul In this lecture we discuss a new kind of proofs that involves interaction
More informationTheoretical Cryptography, Lectures 18-20
Theoretical Cryptography, Lectures 18-20 Instructor: Manuel Blum Scribes: Ryan Williams and Yinmeng Zhang March 29, 2006 1 Content of the Lectures These lectures will cover how someone can prove in zero-knowledge
More informationLecture 2: Perfect Secrecy and its Limitations
CS 4501-6501 Topics in Cryptography 26 Jan 2018 Lecture 2: Perfect Secrecy and its Limitations Lecturer: Mohammad Mahmoody Scribe: Mohammad Mahmoody 1 Introduction Last time, we informally defined encryption
More informationLecture 6 : Induction DRAFT
CS/Math 40: Introduction to Discrete Mathematics /8/011 Lecture 6 : Induction Instructor: Dieter van Melkebeek Scribe: Dalibor Zelený DRAFT Last time we began discussing proofs. We mentioned some proof
More information6.080/6.089 GITCS Apr 15, Lecture 17
6.080/6.089 GITCS pr 15, 2008 Lecturer: Scott aronson Lecture 17 Scribe: dam Rogal 1 Recap 1.1 Pseudorandom Generators We will begin with a recap of pseudorandom generators (PRGs). s we discussed before
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More information6.080 / Great Ideas in Theoretical Computer Science Spring 2008
MIT OpenCourseWare http://ocw.mit.edu 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationLecture 3: Randomness in Computation
Great Ideas in Theoretical Computer Science Summer 2013 Lecture 3: Randomness in Computation Lecturer: Kurt Mehlhorn & He Sun Randomness is one of basic resources and appears everywhere. In computer science,
More informationImpagliazzo s Hardcore Lemma
Average Case Complexity February 8, 011 Impagliazzo s Hardcore Lemma ofessor: Valentine Kabanets Scribe: Hoda Akbari 1 Average-Case Hard Boolean Functions w.r.t. Circuits In this lecture, we are going
More informationScribe for Lecture #5
CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations
More informationCOMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.
COMS W4995 Introduction to Cryptography October 12, 2005 Lecture 12: RSA, and a summary of One Way Function Candidates. Lecturer: Tal Malkin Scribes: Justin Cranshaw and Mike Verbalis 1 Introduction In
More informationIntroduction to Cryptography
B504 / I538: Introduction to Cryptography Spring 2017 Lecture 15 Assignment 3 is due! Assignment 4 is out and is due in three weeks! 1 Recall: One-way functions (OWFs) Intuitively, a one-way function (OWF)
More informationRandomized Complexity Classes; RP
Randomized Complexity Classes; RP Let N be a polynomial-time precise NTM that runs in time p(n) and has 2 nondeterministic choices at each step. N is a polynomial Monte Carlo Turing machine for a language
More informationLecture 5: Derandomization (Part II)
CS369E: Expanders May 1, 005 Lecture 5: Derandomization (Part II) Lecturer: Prahladh Harsha Scribe: Adam Barth Today we will use expanders to derandomize the algorithm for linearity test. Before presenting
More informationLecture 2: Program Obfuscation - II April 1, 2009
Advanced Topics in Cryptography Lecture 2: Program Obfuscation - II April 1, 2009 Lecturer: S. Goldwasser, M. Naor Scribe by: R. Marianer, R. Rothblum Updated: May 3, 2009 1 Introduction Barak et-al[1]
More informationLecture 3: AC 0, the switching lemma
Lecture 3: AC 0, the switching lemma Topics in Complexity Theory and Pseudorandomness (Spring 2013) Rutgers University Swastik Kopparty Scribes: Meng Li, Abdul Basit 1 Pseudorandom sets We start by proving
More information6.842 Randomness and Computation Lecture 5
6.842 Randomness and Computation 2012-02-22 Lecture 5 Lecturer: Ronitt Rubinfeld Scribe: Michael Forbes 1 Overview Today we will define the notion of a pairwise independent hash function, and discuss its
More informationLecture 11 - Basic Number Theory.
Lecture 11 - Basic Number Theory. Boaz Barak October 20, 2005 Divisibility and primes Unless mentioned otherwise throughout this lecture all numbers are non-negative integers. We say that a divides b,
More informationLecture 7: Pseudo Random Generators
Introduction to ryptography 02/06/2018 Lecture 7: Pseudo Random Generators Instructor: Vipul Goyal Scribe: Eipe Koshy 1 Introduction Randomness is very important in modern computational systems. For example,
More informationCS6840: Advanced Complexity Theory Mar 29, Lecturer: Jayalal Sarma M.N. Scribe: Dinesh K.
CS684: Advanced Complexity Theory Mar 29, 22 Lecture 46 : Size lower bounds for AC circuits computing Parity Lecturer: Jayalal Sarma M.N. Scribe: Dinesh K. Theme: Circuit Complexity Lecture Plan: Proof
More informationCS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn
CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, 2014 Instructor: Rachel Lin 1 Recap Lecture 5: RSA OWFs Scribe: Tiawna Cayton Last class we discussed a collection of one-way functions (OWFs),
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationBU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/
BU CAS CS 538: Cryptography Lecture Notes. Fall 2005. http://www.cs.bu.edu/ itkis/538/ Gene Itkis Boston University Computer Science Dept. Notes for Lectures 3 5: Pseudo-Randomness; PRGs 1 Randomness Randomness
More informationPseudorandom Generators
8 Pseudorandom Generators Great Ideas in Theoretical Computer Science Saarland University, Summer 2014 andomness is one of the fundamental computational resources and appears everywhere. In computer science,
More informationFrom Non-Adaptive to Adaptive Pseudorandom Functions
From Non-Adaptive to Adaptive Pseudorandom Functions Itay Berman Iftach Haitner January, 202 Abstract Unlike the standard notion of pseudorandom functions (PRF), a non-adaptive PRF is only required to
More information: On the P vs. BPP problem. 30/12/2016 Lecture 12
03684155: On the P vs. BPP problem. 30/12/2016 Lecture 12 Time Hierarchy Theorems Amnon Ta-Shma and Dean Doron 1 Diagonalization arguments Throughout this lecture, for a TM M, we denote M t to be the machine
More informationLecture 6 : Projected Gradient Descent
Lecture 6 : Projected Gradient Descent EE227C. Lecturer: Professor Martin Wainwright. Scribe: Alvin Wan Consider the following update. x l+1 = Π C (x l α f(x l )) Theorem Say f : R d R is (m, M)-strongly
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Last Time Hardcore Bits Hardcore Bits Let F be a one- way function with domain x, range y Definition: A function h:xà {0,1} is
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationa Course in Cryptography rafael pass abhi shelat
a Course in Cryptography rafael pass abhi shelat LECTURE NOTES 2007 c 2007 Pass/shelat All rights reserved Printed online 11 11 11 11 11 15 14 13 12 11 10 9 First edition: June 2007 Contents Contents List
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 25, 2017 CPSC 467, Lecture 15 1/31 Primitive Roots Properties of primitive roots Lucas test Special form primes Functions
More informationLecture Notes on Secret Sharing
COMS W4261: Introduction to Cryptography. Instructor: Prof. Tal Malkin Lecture Notes on Secret Sharing Abstract These are lecture notes from the first two lectures in Fall 2016, focusing on technical material
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation
More informationZEROES OF INTEGER LINEAR RECURRENCES. 1. Introduction. 4 ( )( 2 1) n
ZEROES OF INTEGER LINEAR RECURRENCES DANIEL LITT Consider the integer linear recurrence 1. Introduction x n = x n 1 + 2x n 2 + 3x n 3 with x 0 = x 1 = x 2 = 1. For which n is x n = 0? Answer: x n is never
More information2 Completing the Hardness of approximation of Set Cover
CSE 533: The PCP Theorem and Hardness of Approximation (Autumn 2005) Lecture 15: Set Cover hardness and testing Long Codes Nov. 21, 2005 Lecturer: Venkat Guruswami Scribe: Atri Rudra 1 Recap We will first
More informationNotes on Complexity Theory Last updated: November, Lecture 10
Notes on Complexity Theory Last updated: November, 2015 Lecture 10 Notes by Jonathan Katz, lightly edited by Dov Gordon. 1 Randomized Time Complexity 1.1 How Large is BPP? We know that P ZPP = RP corp
More informationCSA E0 235: Cryptography (19 Mar 2015) CBC-MAC
CSA E0 235: Cryptography (19 Mar 2015) Instructor: Arpita Patra CBC-MAC Submitted by: Bharath Kumar, KS Tanwar 1 Overview In this lecture, we will explore Cipher Block Chaining - Message Authentication
More informationCMSC 858K Introduction to Secure Computation October 18, Lecture 19
CMSC 858K Introduction to Secure Computation October 18, 2013 Lecturer: Jonathan Katz Lecture 19 Scribe(s): Alex J. Malozemoff 1 Zero Knowledge Variants and Results Recall that a proof-of-knowledge (PoK)
More informationTopic: Sampling, Medians of Means method and DNF counting Date: October 6, 2004 Scribe: Florin Oprea
15-859(M): Randomized Algorithms Lecturer: Shuchi Chawla Topic: Sampling, Medians of Means method and DNF counting Date: October 6, 200 Scribe: Florin Oprea 8.1 Introduction In this lecture we will consider
More informationLecture 6: The Pigeonhole Principle and Probability Spaces
Lecture 6: The Pigeonhole Principle and Probability Spaces Anup Rao January 17, 2018 We discuss the pigeonhole principle and probability spaces. Pigeonhole Principle The pigeonhole principle is an extremely
More informationIf NP languages are hard on the worst-case then it is easy to find their hard instances
If NP languages are hard on the worst-case then it is easy to find their hard instances Dan Gutfreund School of Computer Science and Engineering, The Hebrew University of Jerusalem, Israel, 91904 danig@cs.huji.ac.il
More informationLecture 4 - Computational Indistinguishability, Pseudorandom Generators
Lecture 4 - Computational Indistinguishability, Pseudorandom Generators Boaz Barak September 27, 2007 Computational Indistinguishability Recall that we defined that statistical distance of two distributions
More informationLecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko
CMSC 858K Advanced Topics in Cryptography February 26, 2004 Lecturer: Jonathan Katz Lecture 10 Scribe(s): Jeffrey Blank Chiu Yuen Koo Nikolai Yakovenko 1 Summary We had previously begun to analyze the
More informationIndistinguishability and Pseudo-Randomness
Chapter 3 Indistinguishability and Pseudo-Randomness Recall that one main drawback of the One-time pad encryption scheme and its simple encryption operation Enc k (m) = m k is that the key k needs to be
More informationLectures One Way Permutations, Goldreich Levin Theorem, Commitments
Lectures 11 12 - One Way Permutations, Goldreich Levin Theorem, Commitments Boaz Barak March 10, 2010 From time immemorial, humanity has gotten frequent, often cruel, reminders that many things are easier
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among
More informationHow many rounds can Random Selection handle?
How many rounds can Random Selection handle? Shengyu Zhang Abstract The construction of zero-knowledge proofs can be greatly simplified if the protocol is only required be secure against the honest verifier.
More informationSolutions to homework 2
ICS 180: Introduction to Cryptography 4/22/2004 Solutions to homework 2 1 Security Definitions [10+20 points] Definition of some security property often goes like this: We call some communication scheme
More informationCSC 5170: Theory of Computational Complexity Lecture 9 The Chinese University of Hong Kong 15 March 2010
CSC 5170: Theory of Computational Complexity Lecture 9 The Chinese University of Hong Kong 15 March 2010 We now embark on a study of computational classes that are more general than NP. As these classes
More informationWhere do pseudo-random generators come from?
Computer Science 2426F Fall, 2018 St. George Campus University of Toronto Notes #6 (for Lecture 9) Where do pseudo-random generators come from? Later we will define One-way Functions: functions that are
More informationLecture 6: Deterministic Primality Testing
Lecture 6: Deterministic Primality Testing Topics in Pseudorandomness and Complexity (Spring 018) Rutgers University Swastik Kopparty Scribe: Justin Semonsen, Nikolas Melissaris 1 Introduction The AKS
More informationLecture 5: Pseudo-Random Generators and Pseudo-Random Functions
CS 276 Cryptography Sept 22, 2014 Lecture 5: Pseudo-Random Generators and Pseudo-Random Functions Instructor: Sanjam Garg Scribe: Peihan Miao 1 PRG (Pseudo-Random Generator) extension In this section we
More informationU.C. Berkeley CS294: Beyond Worst-Case Analysis Handout 8 Luca Trevisan September 19, 2017
U.C. Berkeley CS294: Beyond Worst-Case Analysis Handout 8 Luca Trevisan September 19, 2017 Scribed by Luowen Qian Lecture 8 In which we use spectral techniques to find certificates of unsatisfiability
More informationLecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations
CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw
More informationLecture 29: Computational Learning Theory
CS 710: Complexity Theory 5/4/2010 Lecture 29: Computational Learning Theory Instructor: Dieter van Melkebeek Scribe: Dmitri Svetlov and Jake Rosin Today we will provide a brief introduction to computational
More information1 Randomized complexity
80240233: Complexity of Computation Lecture 6 ITCS, Tsinghua Univesity, Fall 2007 23 October 2007 Instructor: Elad Verbin Notes by: Zhang Zhiqiang and Yu Wei 1 Randomized complexity So far our notion of
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationLecture 12: Randomness Continued
CS 710: Complexity Theory 2/25/2010 Lecture 12: Randomness Continued Instructor: Dieter van Melkebeek Scribe: Beth Skubak & Nathan Collins In the last lecture we introduced randomized computation in terms
More information1 Randomized Computation
CS 6743 Lecture 17 1 Fall 2007 1 Randomized Computation Why is randomness useful? Imagine you have a stack of bank notes, with very few counterfeit ones. You want to choose a genuine bank note to pay at
More informationCOS598D Lecture 3 Pseudorandom generators from one-way functions
COS598D Lecture 3 Pseudorandom generators from one-way functions Scribe: Moritz Hardt, Srdjan Krstic February 22, 2008 In this lecture we prove the existence of pseudorandom-generators assuming that oneway
More informationNotes for Lecture 11
Stanford University CS254: Computational Complexity Notes 11 Luca Trevisan 2/11/2014 Notes for Lecture 11 Circuit Lower Bounds for Parity Using Polynomials In this lecture we prove a lower bound on the
More informationInput Locality and Hardness Amplification
Input Locality and Hardness Amplification Andrej Bogdanov Alon Rosen Abstract We establish new hardness amplification results for one-way functions in which each input bit influences only a small number
More informationLecture 18: Zero-Knowledge Proofs
COM S 6810 Theory of Computing March 26, 2009 Lecture 18: Zero-Knowledge Proofs Instructor: Rafael Pass Scribe: Igor Gorodezky 1 The formal definition We intuitively defined an interactive proof to be
More informationNotes for Lecture 15
COS 533: Advanced Cryptography Lecture 15 (November 8, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Kevin Liu Notes for Lecture 15 1 Lattices A lattice looks something like the following.
More informationNotes for Lecture 7. 1 Increasing the Stretch of Pseudorandom Generators
UC Bereley Handout N7 CS294: Pseudorandomness and Combinatorial Constructions September 20, 2005 Professor Luca Trevisan Scribe: Constantinos Dasalais Notes for Lecture 7 1 Increasing the Stretch of Pseudorandom
More informationLecture 6: September 22
CS294 Markov Chain Monte Carlo: Foundations & Applications Fall 2009 Lecture 6: September 22 Lecturer: Prof. Alistair Sinclair Scribes: Alistair Sinclair Disclaimer: These notes have not been subjected
More informationFoundation of Cryptography, Lecture 4 Pseudorandom Functions
Foundation of Cryptography, Lecture 4 Pseudorandom Functions Handout Mode Iftach Haitner, Tel Aviv University Tel Aviv University. March 11, 2014 Iftach Haitner (TAU) Foundation of Cryptography March 11,
More informationLecture Examples of problems which have randomized algorithms
6.841 Advanced Complexity Theory March 9, 2009 Lecture 10 Lecturer: Madhu Sudan Scribe: Asilata Bapat Meeting to talk about final projects on Wednesday, 11 March 2009, from 5pm to 7pm. Location: TBA. Includes
More information6.892 Computing on Encrypted Data September 16, Lecture 2
6.89 Computing on Encrypted Data September 16, 013 Lecture Lecturer: Vinod Vaikuntanathan Scribe: Britt Cyr In this lecture, we will define the learning with errors (LWE) problem, show an euivalence between
More informationAverage Case Complexity: Levin s Theory
Chapter 15 Average Case Complexity: Levin s Theory 1 needs more work Our study of complexity - NP-completeness, #P-completeness etc. thus far only concerned worst-case complexity. However, algorithms designers
More informationA Note on Negligible Functions
Appears in Journal of Cryptology Vol. 15, 2002, pp. 271 284. Earlier version was Technical Report CS97-529, Department of Computer Science and Engineering, University of California at San Diego, March
More informationLecture 15: Expanders
CS 710: Complexity Theory 10/7/011 Lecture 15: Expanders Instructor: Dieter van Melkebeek Scribe: Li-Hsiang Kuo In the last lecture we introduced randomized computation in terms of machines that have access
More informationProving languages to be nonregular
Proving languages to be nonregular We already know that there exist languages A Σ that are nonregular, for any choice of an alphabet Σ. This is because there are uncountably many languages in total and
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More information