Cryptography 2017 Lecture 2

Size: px
Start display at page:

Download "Cryptography 2017 Lecture 2"

Transcription

1 Cryptography 2017 Lecture 2 One Time Pad - Perfect Secrecy Stream Ciphers November 3, / 39

2 What have seen? What are we discussing today? Lecture 1 Course Intro Historical Ciphers Lecture 2 One Time Pad (OTP) Perfect Secrecy Stream Ciphers Pseudo Random Generators (PRG) (unpredictable) Attacks!! November 3, / 39

3 Secret Key Cryptography: An intuition Alice Plaintext See you today at 5pm Secret key Encryption Secret key Decryption See you today at 5pm Ciphertext Ciphertext Bob The same key is used to encrypt and to decrypt messages! November 3, / 39

4 Symmetric Ciphers: Definition K Key space (i.e., set of all possible keys) M Message space (i.e., set of all possible messages) C Ciphertext space (i.e., set of all possible ciphertexts) Definition A cipher defined over (K,M,C) is a pair of efficient algorithms (E, D) where E : K M C, D : K C M such that m M,k K it holds: E(k,m) = c and D(k,c) = m The last equation also known as Correctness property can be rewritten as: D(k,E(k,m)) = m November 3, / 39

5 Symmetric Ciphers: The One Time Pad (OTP) (Vernam 1917) The OTP cipher K = M = C = {0,1} n i.e., the key, the message and the ciphertext have all the same length n E : K M C, E(k,m) = k m D : K C M, D(k,c) = k c Correctness of the OTP D(k,E(k,m)) =? m Indeed since: D(k,E(k,m)) = k E(k,m) = k (k m) = m Example msg k C November 3, / 39

6 Quiz question! Go to: and use the code below or scan the QR code. Student Login Classroom: CRYPTOCHALMERS Question - Key of OTP You are given a message (m) and its OTP encryption (c) Can you compute the OTP key from m and c? A No, I cannot compute the key. B Yes the key is k = m c. C I can only compute half the bits of the key D Yes, the key is k = m m. Why? m c = m (k m) = m m k = k November 3, / 39

7 What is a good cipher? The Fundamental Properties of a (Good) Cipher 1. Correctness: D(k, E(k, m)) = m. 2. Efficiency: the algorithms E and D are efficient, i.e., run in polynomial time. in polynomial time : there exists a polynomial p() such that the algorithms E and D run in time p(n), where n is the length of the algorithm s input. 3. Security: the cipher is secure against some attacks (see next slide). Principles of Modern Cryptography Describe clearly what you want to achieve so that you know if and when you have achieved it! Formal Definitions Precise Assumptions Proof of Security November 3, / 39

8 Information Theoretic Security - Perfect Secrecy (Shannon 1949) Perfect secrecy (Intuition) The ciphertext should reveal no info about the plaintext Definition A cipher (E,D) defined over (K,M,C) has perfect secrecy if: (for any) m 0,m 1 M, len(m 0) = len(m 1) and c C P[E(k,m 0 ) = c] = P[E(k,m 1 ) = c] where k is chosen uniformly at random from K (i.e., k R K) (What does this mean?) The adversary that sees only the ciphertext c is not able to determine whether c is an encryption of m 0 or m 1. November 3, / 39

9 What does uniformly at random mean? Definition A probability distribution P over a finite set X is a function P : X [0,1] such that x X P(x) = 1 A probability distribution is called uniform U if its value U(x) is the same for all x in X. Example - Uniform distribution When flipping a coin the probability of getting head is 1/2 and equal to the probability of getting tails where X = [head,tails] and U(head) = U(tails) = 1/2 When throwing a dice the probability to get any side of the dice (1,2,3,4,5,6) is equal to 1/6. November 3, / 39

10 Quiz question! Go to: and use the code below or scan the QR code. Student Login Classroom: CRYPTOCHALMERS Question - OTP Let m M and c C. How many OTP keys k K map m to c. A None B 1 C 2 D Depends on m November 3, / 39

11 The OTP has perfect secrecy Lemma The OTP has perfect secrecy! i.e., it holds: (for any) m 0,m 1 M, len(m 0) = len(m 1) and c C P[E(k,m 0) = c] = P[E(k,m 1) = c] where k is chosen uniformly at random from K Proof m,c : P k [E(k,m) = c] = number of keys k K s.t. E(k,m) = c K Suppose that m,c : { number of keys k K s.t. E(k,m) = c} = constant cipher has perfect secrecy - For OTP : if E(k,m) = c k m = c k = m c #{k K : E(k,m) = c} = 1 m,c OTP has perfect secrecy November 3, / 39

12 The OTP has perfect secrecy Shannon s Theorem Perfect secrecy implies that K M i.e., key length message length the length of the key must be at least as long as the length of the message we want to encrypt. Corollary Suppose that K = M = C. We have perfect secrecy if each key is used with equal probability 1/ K and for any m M and for any c C, there exists a unique key k K such that E(k,m) = c. November 3, / 39

13 OTP - The Venona Project ( ) A program of the USA Signal Intelligence Service (i.e., NSA) run to decrypt messages encrypted by the Russian intelligence services (e.g., KGB) during the World War II. Encryption: The Russians used a code (ASCII) to convert letters to numbers and the OTP to encrypt the messages. Reminder: The OTP when used correctly is unbreakable! But... The Russians generated the one-time pads (keys) with a very laborious process. A human was throwing a dice & collected the dice throws to generate the one time keys! Mistake: They used some one-time-pads (keys) twice! The NSA was able to intercept and decrypt about 3000 messages! November 3, / 39

14 The Verona Project: How was the Russian s OTP broken? Lets assume that the same key is used to encrypt two messages: c 1 = m 1 k and c 2 = m 2 k. Then we have: c 1 c 2 = (m 1 k) (m 2 k) = (m 1 m 2) (k k) Gene Grabeel the first crypto analyst of the Venona project = m 1 m 2 If we have m 1 m 2 we can easily recover m 1 and m 2 Why? Redundancy in English language Not all combinations of letters are likely or possible. Remember: Never use the same key in OTP! Most code breakers were women Example Let language L = {00100, 10011, 11100, 10100} If we have m 1 m 2 = then we can deduce that: m 1 = and m 2 = 10011, since only by XORing m 1 and m 2 we get m 1 m 2 November 3, / 39

15 Quiz Question! OTP malleability Let m be a message and c = m k its OTP encryption. If an attacker performs c a what will Bob (receiver) decrypt? mm a kk a Alice Plaintext m k Encryption c=m k Ciphertext k c a k m a Decryption c a New ciphertext Bob November 3, / 39

16 Is OTP a good cipher? Pros Very very fast encryption/decryption! Perfect secrecy (when K M ) PROS CONS Cons Very long keys (at least as long as the message)! Difficult to use in practice! Malleable: modifications in the ciphertext have impact on the plaintext November 3, / 39

17 Stream Ciphers: Can we make the OTP more practical? s G k PSEUDORANDOM GENERATOR G(s) = k m (plaintext) c c = E(s,m) = m G(s) D(s,c) = c G(s) STREAM CIPHERS Replace the random key (k) by a pseudorandom key (k ) Instead of using a long (uniformly at random) key k use a short seed s Use s to generate a long pseudorandom key k with a pseudorandom generator G. MORE FORMALLY: Pseudorandom Generator (PRG:) is a function G : {0,1} l {0,1} n, n >> l (n much bigger than l) Example: seed 128 bits expand to Gbytes. November 3, / 39

18 Examples of Stream Ciphers! RC4: Used in WEP and TLS Protocol A5/1: Used in GSM (Global System for Communications) E0: Used in Bluetooth All badly Broken! Badly Broken! November 3, / 39

19 Quiz Question! Go to: and use the code below or scan the QR code. Student Login Classroom: CRYPTOCHALMERS Stream ciphers & perfect secrecy Can a stream cipher have perfect secrecy? A Yes, if the PRG is really secure B No, there are no ciphers with perfect secrecy C Yes, every cipher has perfect secrecy D No, since the key is shorter than the message Stream ciphers cannot have perfect secrecy!!! The security of stream cipher depends on the specific PRG. November 3, / 39

20 November 3, / 39

21 PRG: Pseudo Random Generators Intuition A PRG is a function that takes as input a short random number (seed) and outputs a long string that looks random. Definition A function G : {0,1} l {0,1} n with l n (i.e., l much smaller than n), is a secure Pseudo Random Generator (PRG), if for any efficient statistical test D (Distinguisher), it holds that: P[D(G(s)) = 1] P[D(r) = 1] is negligible (i.e., too small) for every s R {0,1} l r R {0,1} n selected uniformly at random. STATISTICAL TEST Distinguisher { 1, if x is truly random D(x) = 0, if x is pseudorandom int D (int x) { if x is truly random return 1; else return 0; } November 3, / 39

22 PRG: Pseudo Random Generators space of output k space of key s G k 2 s k 1 k 1 image s 1 x Does x belong in the image or not? {0,1} l {0,1} n What does it mean that G(s) = k is indistinguishable from random? An adversary D that sees the output of G cannot distinguish it from something completely random (i.e., coming from the uniform distribution). November 3, / 39

23 Unpredictable PRGs A good/secure PRG must be unpredictable!!! What does unpredictable mean? Given a part of the output of G(s) = k, it is impossible to predict the rest output. G(s) = k Given the first i bits G(k) 1,...,i attackera cannot predict the rest G(k) i+1,...,n ?????? Definition Hard to formally define unpredictable PRGs. Lets define predictable PRGs! A PRG G : {0,1} l {0,1} n is predictable if there exists an efficient algorithm A and an index 1 i n such that it holds: for some non-negligible value ǫ [ ) ] Pr A (G(s) 1,...,i = G(s) i+1 1 +ǫ 2 Programming assignment: Break a weak PRG! Yao (in 1982) proved that if a PRG is unpredictable then it is secure! November 3, / 39

24 What if a PRG is predictable?? Attacks!! Let A (adversary) be the algorithm that can efficiently compute G(s) i+1 given G(s) 1,...,i c m G(k) If A knows the ciphertext and the beginning of the plaintext (e.g., headers). Then A can recover part of the predictable PRG, and subsequently decrypt! November 3, / 39

25 Quiz Question! Is this PRG predictable? Suppose G : K {0,1} n is such that for all k K it holds XOR ( G(k) ) = 1. Is G predictable? A Yes, given the first bit I can predict the second B No, G is unpredictable C Yes, given the first (n 1) bits I can predict the last bit D No it is impossible! Example: If n = 5 and G(k 1 ) = g 1 g 2 g 3 g 4 g 5 where g i is the i-th bit of G(k 1 ) i {1,2,3,4,5} then, I know that g 1 g 2 g 3 g 4 g 5 = 1. If I know g 1,g 2,g 3,g 4, then I can predict g 5. For instance: G(k 1 )= 0110? Then, we have: g 5 = 1 and g 5 = 1. November 3, / 39

26 WEP attacks k Sender Wifi Communication m PRG(IV k) CRC(m) IV c (ciphetext) k Receiver Access Point - Has k - Receives IV, c - Can compute PRG(IV k), m Badly Broken! WEP attack - Two Time Pad The key should be used only once (to encrypt) Lets change the key using IV. Length of IV = 24 bits. Problem 1: 2 24 possible IVs, repeated after some frames! Problem 2: in some WEP cards IV resets to 0 after a power cycle! Remember: Never use the same key to encrypt a message (for one time pad ciphers)! November 3, / 39

27 How can we define the security of a cipher? Step 1: Decide what the attacker can do (power) & what he wants to achieve (goal). Power See ciphertexts? Encrypt some chosen messages? Decrypt some chosen messages? Step 2: Select the approach to secure the cipher: Information theoretic security Even if the attacker had infinite time & computational power to try all possible keys he can determine the key only with probability 1 # of all possible keys. Example: One Time Pad Goal Decrypt messages. Encrypt messages. Find the secret key. Complexity-based security Used often in crypto. An attacker that can perform an attack can also break a very complex/hard problem! November 3, / 39

28 What is a secure cipher? Attacker s power Can get one ciphertext Attacker s Goal Break the cipher! How to define a secure cipher? Attempt 1 The attacker should not be able to recover the key! E(k,m) = m Attempt 2 The attacker should not be able to recover the whole plaintext! E(k,m 0 m 1) = m 0 (k m 1) Security requirement satisfied! Encryption algorithm not secure! Security requirement satisfied! Encryption algorithm not secure! November 3, / 39

29 Recall Shannon s perfect secrecy Shannon s idea: The ciphertext should reveal no info about the plaintext! SEEN IN SLIDE 7 Definition A cipher (E,D) defined over (K,M,C) has perfect secrecy if: (for any) m 0,m 1 M, len(m 0) = len(m 1) and c C P[E(k,m 0 ) = c] = P[E(k,m 1 ) = c] where k is chosen uniformly at random from K (i.e., k R K) (What does this mean?) The adversary that sees only the ciphertext c is not able to determine whether c is an encryption of m 0 or m 1. i.e., If c 0 is the encryption of m 0 and c 1 is the encryption of m 1 then c 0 and c 1 have the same distribution. November 3, / 39

30 Relaxing the notion of perfect secrecy Fact: Only OTP has perfect secrecy! Shannon s definition is too strong (strict)! Let s relax it so that more ciphers can satisfy it! Instead of saying that c 0 and c 1 (encryptions of m 0 and m 1) have identical distributions, we say that the adversary cannot distinguish them. Instead of saying that m 0 and m 1 are completely random, we say that the adversary has chosen them! November 3, / 39

31 The Semantic Security Game (one time key) Attacker A Challenger C m 0,m 1 c D m 0,m 1 M k K chosen len(m 0 )=len(m 1 ) c=e(k,m b ) uniformly at random b R {0,1} Useful for the exercises/exams!! Output b {0,1} a guess for b Definition if b=0, c is the encryption of m 0 if b=1, c is the encryption of m 1 A cipher (E,D) is semantically secure (with one time key) if for any efficient adversary, it holds: P(b = b) < 1 2 +negligible negligible < , non negligible > November 3, / 39

32 Where is the definition of semantic security useful? Useful for the exercises/exams!! Let s define with W 0 : the event that C chooses b = 0, and A chooses b = 0. Let s define with W 1 : the event that C chooses b = 1, and A chooses b = 0. Show that P(W 0 ) P(W 1 ) is negligible (very very small) or non-negligible (not that small). Example: i.e., P(W 0 ) P(W 1 ) is non-negligible Prove that the encryption scheme E(k,m 00 m 01 ) = m 00 (k m 01 ) is not semantically secure. m 00 denotes the first bit of a message m 0 and m 01 denotes the second bit of a message m 0. Correspondingly for m 1. We need to show that A can win the security game (described in the previous slide): Let A choose: m 0 = m 00 m 01 = 0 0 and m 1 = m 10 m 11 = 1 1 If C chooses b = 0, then m b = m 0 and c = m 00 (k m 01 ) = 0 c 0 c = 0 c 0 then b = 0 If C chooses b = 1, then m b = m 1 and c = m 10 (k m 11 ) = 1 c 1 c = 1 c 1 then b = 1 A can output b = {first bit of c} as a guess for b. Then, we have: P(W 0 ) P(W 1 ) = 1 0 = 1 November 3, / 39

33 The Advantage of an Adversary Remember: The value P(W 0) P(W 1) is called advantage of the adversary A and it is denoted as: Adv SEM.SEC [A,E] Notations SEM.SEC: Security notion we are considering. E: name of scheme we are considering. A: name of the adversary we are considering. November 3, / 39

34 Things to remember Things to remember What is perfect secrecy? Does OTP have perfect secrecy? How do stream ciphers work? What is a predictable PRG? What is the advantage of an adversary to break an encryption scheme? November 3, / 39

35 References: Cryptography and Network Security: Principles and practice (Chapters 2.1, 2.2, 7.1.) Introduction to Modern Cryptography, Lindell and Katz (Chapter 1.4, 2, 3.3.1) Thank you for your attention! November 3, / 39

Dan Boneh. Stream ciphers. The One Time Pad

Dan Boneh. Stream ciphers. The One Time Pad Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.

More information

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Solutions for week 1, Cryptography Course - TDA 352/DIT 250 Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.

More information

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern

More information

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:

More information

Scribe for Lecture #5

Scribe for Lecture #5 CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations

More information

Topics. Probability Theory. Perfect Secrecy. Information Theory

Topics. Probability Theory. Perfect Secrecy. Information Theory Topics Probability Theory Perfect Secrecy Information Theory Some Terms (P,C,K,E,D) Computational Security Computational effort required to break cryptosystem Provable Security Relative to another, difficult

More information

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08: CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande

More information

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4 CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between

More information

Chapter 2 : Perfectly-Secret Encryption

Chapter 2 : Perfectly-Secret Encryption COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 2 : Perfectly-Secret Encryption 1 2.1 Definitions and Basic Properties We refer to probability

More information

Lecture 13: Private Key Encryption

Lecture 13: Private Key Encryption COM S 687 Introduction to Cryptography October 05, 2006 Instructor: Rafael Pass Lecture 13: Private Key Encryption Scribe: Ashwin Machanavajjhala Till this point in the course we have learnt how to define

More information

Lecture 2: Perfect Secrecy and its Limitations

Lecture 2: Perfect Secrecy and its Limitations CS 4501-6501 Topics in Cryptography 26 Jan 2018 Lecture 2: Perfect Secrecy and its Limitations Lecturer: Mohammad Mahmoody Scribe: Mohammad Mahmoody 1 Introduction Last time, we informally defined encryption

More information

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time

More information

Modern symmetric-key Encryption

Modern symmetric-key Encryption Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his

More information

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017 COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know

More information

Computational security & Private key encryption

Computational security & Private key encryption Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability

More information

Perfectly-Secret Encryption

Perfectly-Secret Encryption Perfectly-Secret Encryption CSE 5351: Introduction to Cryptography Reading assignment: Read Chapter 2 You may sip proofs, but are encouraged to read some of them. 1 Outline Definition of encryption schemes

More information

Solution of Exercise Sheet 6

Solution of Exercise Sheet 6 Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Solution of Exercise Sheet 6 1 Perfect Secrecy Answer the following

More information

Lecture 5, CPA Secure Encryption from PRFs

Lecture 5, CPA Secure Encryption from PRFs CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and

More information

CPA-Security. Definition: A private-key encryption scheme

CPA-Security. Definition: A private-key encryption scheme CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of

More information

Historical cryptography. cryptography encryption main applications: military and diplomacy

Historical cryptography. cryptography encryption main applications: military and diplomacy Historical cryptography cryptography encryption main applications: military and diplomacy ancient times world war II Historical cryptography All historical cryptosystems badly broken! No clear understanding

More information

Lecture Notes. Advanced Discrete Structures COT S

Lecture Notes. Advanced Discrete Structures COT S Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-27 Recap ADFGX Cipher Block Cipher Modes of Operation Hill Cipher Inverting a Matrix (mod n) Encryption: Hill Cipher Example Multiple

More information

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1 SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2

More information

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY BURTON ROSENBERG UNIVERSITY OF MIAMI Contents 1. Perfect Secrecy 1 1.1. A Perfectly Secret Cipher 2 1.2. Odds Ratio and Bias 3 1.3. Conditions for Perfect

More information

Computer Science A Cryptography and Data Security. Claude Crépeau

Computer Science A Cryptography and Data Security. Claude Crépeau Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)

More information

2 Message authentication codes (MACs)

2 Message authentication codes (MACs) CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from

More information

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3. COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption

More information

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017 COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 27 Previously on COS 433 Security Experiment/Game (One- time setting) b m, m M c Challenger k ß K c ß Enc(k,m b ) b IND-Exp b ( )

More information

Lecture Note 3 Date:

Lecture Note 3 Date: P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................

More information

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6 U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom

More information

5 Pseudorandom Generators

5 Pseudorandom Generators 5 Pseudorandom Generators We have already seen that randomness is essential for cryptographic security. Following Kerckhoff s principle, we assume that an adversary knows everything about our cryptographic

More information

BU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/

BU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/ BU CAS CS 538: Cryptography Lecture Notes. Fall 2005. http://www.cs.bu.edu/ itkis/538/ Gene Itkis Boston University Computer Science Dept. Notes for Lectures 3 5: Pseudo-Randomness; PRGs 1 Randomness Randomness

More information

Outline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3

Outline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3 Outline Computer Science 48 More on Perfect Secrecy, One-Time Pad, Mike Jacobson Department of Computer Science University of Calgary Week 3 2 3 Mike Jacobson (University of Calgary) Computer Science 48

More information

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3 Shift Cipher For 0 i 25, the ith plaintext character is shifted by some value 0 k 25 (mod 26). E.g. k = 3 a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y

More information

Chapter 2. A Look Back. 2.1 Substitution ciphers

Chapter 2. A Look Back. 2.1 Substitution ciphers Chapter 2 A Look Back In this chapter we take a quick look at some classical encryption techniques, illustrating their weakness and using these examples to initiate questions about how to define privacy.

More information

CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn

CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, 2014 Instructor: Rachel Lin 1 Recap Lecture 5: RSA OWFs Scribe: Tiawna Cayton Last class we discussed a collection of one-way functions (OWFs),

More information

Dan Boneh. Introduction. Course Overview

Dan Boneh. Introduction. Course Overview Online Cryptography Course Introduction Course Overview Welcome Course objectives: Learn how crypto primitives work Learn how to use them correctly and reason about security My recommendations: Take notes

More information

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).

More information

Modern Cryptography Lecture 4

Modern Cryptography Lecture 4 Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html

More information

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

CSA E0 235: Cryptography March 16, (Extra) Lecture 3 CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which

More information

Outline. CPSC 418/MATH 318 Introduction to Cryptography. Information Theory. Partial Information. Perfect Secrecy, One-Time Pad

Outline. CPSC 418/MATH 318 Introduction to Cryptography. Information Theory. Partial Information. Perfect Secrecy, One-Time Pad Outline CPSC 418/MATH 318 Introduction to Cryptography, One-Time Pad Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in part on slides

More information

Indistinguishability and Pseudo-Randomness

Indistinguishability and Pseudo-Randomness Chapter 3 Indistinguishability and Pseudo-Randomness Recall that one main drawback of the One-time pad encryption scheme and its simple encryption operation Enc k (m) = m k is that the key k needs to be

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 08 Shannon s Theory (Contd.)

More information

CS 6260 Applied Cryptography

CS 6260 Applied Cryptography CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,

More information

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions CPSC 91 Computer Security Assignment #3 Solutions 1. Show that breaking the semantic security of a scheme reduces to recovering the message. Solution: Suppose that A O( ) is a message recovery adversary

More information

1 Indistinguishability for multiple encryptions

1 Indistinguishability for multiple encryptions CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message

More information

CTR mode of operation

CTR mode of operation CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext

More information

Cryptography CS 555. Topic 2: Evolution of Classical Cryptography CS555. Topic 2 1

Cryptography CS 555. Topic 2: Evolution of Classical Cryptography CS555. Topic 2 1 Cryptography CS 555 Topic 2: Evolution of Classical Cryptography Topic 2 1 Lecture Outline Basics of probability Vigenere cipher. Attacks on Vigenere: Kasisky Test and Index of Coincidence Cipher machines:

More information

Provable security. Michel Abdalla

Provable security. Michel Abdalla Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only

More information

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08: CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande

More information

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n + Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(

More information

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

6.080 / Great Ideas in Theoretical Computer Science Spring 2008 MIT OpenCourseWare http://ocw.mit.edu 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.

More information

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today: Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how

More information

Cryptographic Engineering

Cryptographic Engineering Cryptographic Engineering Clément PERNET M2 Cyber Security, UFR-IM 2 AG, Univ. Grenoble-Alpes ENSIMAG, Grenoble INP Outline Unconditional security of symmetric cryptosystem Probabilities and information

More information

Introduction to Cryptology. Lecture 2

Introduction to Cryptology. Lecture 2 Introduction to Cryptology Lecture 2 Announcements 2 nd vs. 1 st edition of textbook HW1 due Tuesday 2/9 Readings/quizzes (on Canvas) due Friday 2/12 Agenda Last time Historical ciphers and their cryptanalysis

More information

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004 CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed

More information

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m] Midterm Review Sheet The definition of a private-key encryption scheme. It s a tuple Π = ((K n,m n,c n ) n=1,gen,enc,dec) where - for each n N, K n,m n,c n are sets of bitstrings; [for a given value of

More information

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw

More information

Private-key Systems. Block ciphers. Stream ciphers

Private-key Systems. Block ciphers. Stream ciphers Chapter 2 Stream Ciphers Further Reading: [Sim92, Chapter 2] 21 Introduction Remember classication: Private-key Systems Block ciphers Stream ciphers Figure 21: Private-key cipher classication Block Cipher:

More information

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30 CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).

More information

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017 COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Announcements Reminder: Homework 1 due tomorrow 11:59pm Submit through Blackboard Homework 2 will hopefully be posted tonight

More information

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 23 (rev. 1) Professor M. J. Fischer November 29, 2005 1 Oblivious Transfer Lecture Notes 23 In the locked

More information

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers 1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and

More information

CS 6260 Applied Cryptography

CS 6260 Applied Cryptography CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space

More information

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: Syntax symmetric encryption scheme = (K, E, D) consists of three algorithms: SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic 1/ 116 2/ 116 Correct decryption requirement

More information

Block ciphers And modes of operation. Table of contents

Block ciphers And modes of operation. Table of contents Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation

More information

Block Ciphers/Pseudorandom Permutations

Block Ciphers/Pseudorandom Permutations Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable

More information

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from

More information

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7 CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a

More information

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4) Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message

More information

Pseudorandom Generators

Pseudorandom Generators Outlines Saint Petersburg State University, Mathematics and Mechanics 2nd April 2005 Outlines Part I: Main Approach Part II: Blum-Blum-Shub Generator Part III: General Concepts of Pseudorandom Generator

More information

6.080/6.089 GITCS Apr 15, Lecture 17

6.080/6.089 GITCS Apr 15, Lecture 17 6.080/6.089 GITCS pr 15, 2008 Lecturer: Scott aronson Lecture 17 Scribe: dam Rogal 1 Recap 1.1 Pseudorandom Generators We will begin with a recap of pseudorandom generators (PRGs). s we discussed before

More information

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4) Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message

More information

Lecture 7: CPA Security, MACs, OWFs

Lecture 7: CPA Security, MACs, OWFs CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)

More information

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments Lectures 11 12 - One Way Permutations, Goldreich Levin Theorem, Commitments Boaz Barak March 10, 2010 From time immemorial, humanity has gotten frequent, often cruel, reminders that many things are easier

More information

Circuit Complexity. Circuit complexity is based on boolean circuits instead of Turing machines.

Circuit Complexity. Circuit complexity is based on boolean circuits instead of Turing machines. Circuit Complexity Circuit complexity is based on boolean circuits instead of Turing machines. A boolean circuit with n inputs computes a boolean function of n variables. Now, identify true/1 with yes

More information

Lecture 5: Pseudorandom functions from pseudorandom generators

Lecture 5: Pseudorandom functions from pseudorandom generators Lecture 5: Pseudorandom functions from pseudorandom generators Boaz Barak We have seen that PRF s (pseudorandom functions) are extremely useful, and we ll see some more applications of them later on. But

More information

STREAM CIPHER. Chapter - 3

STREAM CIPHER. Chapter - 3 STREAM CIPHER Chapter - 3 S t r e a m C i p h e r P a g e 38 S t r e a m C i p h e r P a g e 39 STREAM CIPHERS Stream cipher is a class of symmetric key algorithm that operates on individual bits or bytes.

More information

Lecture 14: Secure Multiparty Computation

Lecture 14: Secure Multiparty Computation 600.641 Special Topics in Theoretical Cryptography 3/20/2007 Lecture 14: Secure Multiparty Computation Instructor: Susan Hohenberger Scribe: Adam McKibben 1 Overview Suppose a group of people want to determine

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem

More information

Lecture 28: Public-key Cryptography. Public-key Cryptography

Lecture 28: Public-key Cryptography. Public-key Cryptography Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access

More information

Homework 7 Solutions

Homework 7 Solutions Homework 7 Solutions Due: March 22, 2018 CS 151: Intro. to Cryptography and Computer Security 1 Fun with PRFs a. F a s = F 0 k(x) F s (x) is not a PRF, for any choice of F. Consider a distinguisher D a

More information

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical

More information

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key

More information

Security and Cryptography 1

Security and Cryptography 1 Security and Cryptography 1 Module 5: Pseudo Random Permutations and Block Ciphers Disclaimer: large parts from Mark Manulis and Dan Boneh Dresden, WS 18 Reprise from the last modules You know CIA, perfect

More information

Chosen Plaintext Attacks (CPA)

Chosen Plaintext Attacks (CPA) Chosen Plaintext Attacks (CPA) Goals New Attacks! Chosen Plaintext Attacks (often CPA) is when Eve can choose to see some messages encoded. Formally she has Black Box for ENC k. We will: 1. Define Chosen

More information

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,

More information

Cryptography Lecture 4 Block ciphers, DES, breaking DES

Cryptography Lecture 4 Block ciphers, DES, breaking DES Cryptography Lecture 4 Block ciphers, DES, breaking DES Breaking a cipher Eavesdropper recieves n cryptograms created from n plaintexts in sequence, using the same key Redundancy exists in the messages

More information

Cryptography CS 555. Topic 4: Computational Security

Cryptography CS 555. Topic 4: Computational Security Cryptography CS 555 Topic 4: Computational Security 1 Recap Perfect Secrecy, One-time-Pads Theorem: If (Gen,Enc,Dec) is a perfectly secret encryption scheme then KK M 2 What if we want to send a longer

More information

Leftovers from Lecture 3

Leftovers from Lecture 3 Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite

More information

William Stallings Copyright 2010

William Stallings Copyright 2010 A PPENDIX F M EASURES OF S ECRECY AND S ECURITY William Stallings Copyright 2010 F.1 PERFECT SECRECY...2! F.2 INFORMATION AND ENTROPY...8! Information...8! Entropy...10! Properties of the Entropy Function...12!

More information

Chapter 11. Asymmetric Encryption Asymmetric encryption schemes

Chapter 11. Asymmetric Encryption Asymmetric encryption schemes Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret

More information

Block encryption of quantum messages

Block encryption of quantum messages Block encryption of quantum messages Min Liang 1 and Li Yang,3 1 Data Communication Science and Technology Research Institute, Beijing 100191, China liangmin07@mails.ucas.ac.cn State Key Laboratory of

More information

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to

More information

18733: Applied Cryptography Anupam Datta (CMU) Course Overview

18733: Applied Cryptography Anupam Datta (CMU) Course Overview 18733: Applied Cryptography Anupam Datta (CMU) Course Overview Logistics Introductions Instructor: Anupam Datta Office hours: SV Bldg 23, #208 + Google Hangout (id: danupam) Office hours: Mon 1:30-2:30

More information

Private-Key Encryption

Private-Key Encryption Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 37 Outline 1 Pseudo-Random Generators and Stream Ciphers 2 More Security Definitions: CPA and CCA 3 Pseudo-Random Functions/Permutations

More information

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment. CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES A selection of the following questions will be chosen by the lecturer to form the Cryptology Assignment. The Cryptology Assignment is due by 5pm Sunday 1

More information

Real scripts backgrounder 3 - Polyalphabetic encipherment - XOR as a cipher - RSA algorithm. David Morgan

Real scripts backgrounder 3 - Polyalphabetic encipherment - XOR as a cipher - RSA algorithm. David Morgan Real scripts backgrounder 3 - Polyalphabetic encipherment - XOR as a cipher - RSA algorithm David Morgan XOR as a cipher Bit element encipherment elements are 0 and 1 use modulo-2 arithmetic Example: 1

More information

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor

More information

Lecture 9 - Symmetric Encryption

Lecture 9 - Symmetric Encryption 0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,

More information

Shannon s Theory of Secrecy Systems

Shannon s Theory of Secrecy Systems Shannon s Theory of Secrecy Systems See: C. E. Shannon, Communication Theory of Secrecy Systems, Bell Systems Technical Journal, Vol. 28, pp. 656 715, 1948. c Eli Biham - March 1, 2011 59 Shannon s Theory

More information